Beneficial Ownership Information Access and Safeguards, 88732-88813 [2023-27973]

Download as PDF 88732 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations DEPARTMENT OF THE TREASURY Financial Crimes Enforcement Network 31 CFR Part 1010 RIN 1506–AB59 Beneficial Ownership Information Access and Safeguards Financial Crimes Enforcement Network (FinCEN), Treasury. ACTION: Final rule. AGENCY: FinCEN is promulgating regulations regarding access by authorized recipients to beneficial ownership information (BOI) that will be reported to FinCEN pursuant to section 6403 of the Corporate Transparency Act (CTA), enacted into law as part of the Anti-Money Laundering Act of 2020 (AML Act), which is itself part of the National Defense Authorization Act for Fiscal Year 2021 (NDAA). The regulations implement the strict protocols required by the CTA to protect sensitive personally identifiable information (PII) reported to FinCEN and establish the circumstances in which specified recipients have access to BOI, along with data protection protocols and oversight mechanisms applicable to each recipient category. The disclosure of BOI to authorized recipients in accordance with appropriate protocols and oversight will help law enforcement and national security agencies prevent and combat money laundering, terrorist financing, tax fraud, and other illicit activity, as well as protect national security. SUMMARY: These rules are effective February 20, 2024. DATES: The FinCEN Regulatory Support Section at 1–800–767–2825 or electronically at frc@fincen.gov. SUPPLEMENTARY INFORMATION: FOR FURTHER INFORMATION CONTACT: I. Introduction ddrumheller on DSK120RN23PROD with RULES3 This final rule implements the beneficial ownership information (BOI) access and safeguard provisions in the Corporate Transparency Act (CTA).1 The rule balances the statutory requirement to create a database of BOI 1 The CTA is Title LXIV of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116–283 (Jan. 1, 2021) (the NDAA). Division F of the NDAA is the AntiMoney Laundering Act of 2020 (AML Act), which includes the CTA. Section 6403 of the CTA, among other things, amends the Bank Secrecy Act (BSA) by adding a new section 5336, Beneficial Ownership Information Reporting Requirements, to Subchapter II of Chapter 53 of Title 31, United States Code. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 that is highly useful to authorized BOI recipients, with the requirement to safeguard BOI from unauthorized use. This final rule reflects FinCEN’s understanding of the critical need for the highest standard of security and confidentiality protocols to maintain confidence in the U.S. Government’s ability to protect sensitive information while achieving the objective of the CTA noted above—establishing a database of BOI that will be highly useful in combatting illicit finance and the abuse of shell and front companies by criminals, corrupt officials, and other bad actors. Specifically, this final rule implements the provisions in the CTA, codified at 31 U.S.C. 5336(c), that authorize certain recipients to receive disclosures of identifying information associated with reporting companies, their beneficial owners, and their company applicants (together, BOI). The CTA requires reporting companies to report BOI to FinCEN pursuant to 31 U.S.C. 5336(b). This rule reflects FinCEN’s careful consideration of public comments, including those received in response to (1) an advance notice of proposed rulemaking (ANPRM) 2 on the implementation of the CTA, (2) an NPRM regarding BOI reporting requirements (Reporting NPRM),3 and (3) an NPRM regarding BOI access and safeguards (Access NPRM).4 As Congress explained in the CTA, ‘‘malign actors seek to conceal their ownership of corporations, limited liability companies, or other similar entities in the United States to facilitate illicit activity, including money laundering, the financing of terrorism, proliferation financing, serious tax fraud, human and drug trafficking, counterfeiting, piracy, securities fraud, financial fraud, and acts of foreign corruption, harming the national security interests of the United States and allies of the United States.’’ 5 Access by authorized recipients to BOI reported under the CTA would significantly aid efforts to protect U.S. national security and safeguard the U.S. financial system from such illicit use. It would impede illicit actors’ ability to use legal entities to conceal proceeds from criminal acts that undermine U.S. national security and foreign policy interests, such as corruption, human trafficking, drug and arms trafficking, and terrorist financing. BOI can also add critical data to financial analyses in activities the CTA 2 86 FR 17557 (Apr. 5, 2021). FR 69920 (Dec. 8, 2021). 4 87 FR 77404 (Dec. 16, 2022). 5 CTA, section 6402(3). 3 86 PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 contemplates, including tax investigations. It can also provide essential information to the intelligence and national security professionals who work to prevent terrorists, proliferators, and those who seek to undermine our democratic institutions or threaten other core U.S. interests from raising, hiding, or moving money in the United States through anonymous shell or front companies.6 The United States currently does not have a centralized or complete store of information about who owns and operates legal entities within the United States. The beneficial ownership data available to law enforcement and national security agencies are generally limited to certain commercial databases and the information collected by financial institutions on legal entity accounts pursuant to their Customer Due Diligence (CDD) or broader Customer Identification Program (CIP) obligations, some of which has been included in Suspicious Activity Reports (SARs) or provided to law enforcement in response to judicial process.7 As set out in detail in the Notice of Proposed Rulemaking regarding BOI reporting requirements 8 and the BOI reporting final rule,9 U.S. law enforcement officials and the Financial Action Task Force (FATF),10 among others, have for years noted how the lack of timely access to accurate and adequate BOI by law enforcement and other authorized 6 A front company generates legitimate business proceeds to commingle with illicit earnings. See U.S. Department of the Treasury, National Money Laundering Risk Assessment (2018), p. 29, available at https://home.treasury.gov/system/files/136/ 2018NMLRA_12-18.pdf. 7 See, e.g., 31 CFR 1010.230. Even then, any BOI a financial institution collects is not systematically reported to any central repository. 8 Supra note 3, 86 FR at 69923–69924. 9 87 FR 59498, 59506 (Sept. 30, 2022). 10 The FATF, of which the United States is a founding member, is an international, intergovernmental task force whose purpose is the development and promotion of international standards and the effective implementation of legal, regulatory, and operational measures to combat money laundering, terrorist financing, the financing of weapons proliferation, and other related threats to the integrity of the international financial system. The FATF assesses over 200 jurisdictions against its minimum standards for beneficial ownership transparency. Among other things, it has established standards on transparency and beneficial ownership of legal persons, to deter and prevent the misuse of corporate vehicles. See FATF Recommendation 24, Transparency and Beneficial Ownership of Legal Persons, The FATF Recommendations: International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation (updated Oct. 2020), available at https://www.fatf-gafi.org/publications/ fatfrecommendations/documents/fatfrecommendations.html; FATF Guidance, Transparency and Beneficial Ownership, Part III (Oct. 2014), available at https://www.fatf-gafi.org/ media/fatf/documents/reports/Guidancetransparency-beneficial-ownership.pdf. E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 recipients remained a significant gap in the United States’ anti-money laundering/countering the financing of terrorism (AML/CFT) and countering the financing of proliferation (CFP) framework. Broadly, and critically, BOI can identify linkages between potential illicit actors and opaque business entities, including shell companies. Furthermore, comparing BOI reported pursuant to the CTA against data collected under the Bank Secrecy Act (BSA) and other relevant government data is expected to significantly further efforts to identify illicit actors and combat their financial activities. At the same time, however, FinCEN recognizes that BOI is sensitive information. This final rule reflects FinCEN’s commitment to creating a highly useful database for authorized BOI recipients while protecting this sensitive information from unauthorized disclosure. To this end, the final rule aims to ensure that: (1) only authorized recipients have access to BOI; (2) authorized recipients use that BOI only for purposes permitted by the CTA; and (3) authorized recipients re-disclose BOI only in ways that balance protection of the security and confidentiality of the BOI with furtherance of the CTA’s objective of making BOI available to a range of users for purposes specified in the CTA. The final rule also provides a robust framework to ensure that BOI reported to FinCEN, and received by authorized recipients, is subject to strict cybersecurity controls, confidentiality protections and restrictions, and robust audit and oversight measures. Coincident with the protocols described in this final rule, FinCEN continues to work to develop a secure, nonpublic database in which to store BOI, using rigorous information security methods and controls typically used in the Federal government to protect nonclassified yet sensitive information systems at the highest security level. Against this backdrop and consistent with the CTA, FinCEN will permit certain Federal, State,11 local, and Tribal officials, as well as foreign officials acting through a Federal agency, to obtain BOI for use in furtherance of statutorily authorized activities such as those related to national security, intelligence, and law enforcement. 11 FinCEN will interpret the term ‘‘State’’ consistent with the definition of that term in the final Beneficial Ownership Information Reporting Requirements rule at 87 FR 59498 (Sep. 30, 2022) (which defines the term ‘‘State’’ to mean ‘‘any state of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Commonwealth of the Northern Mariana Islands, American Samoa, Guam, the United States Virgin Islands, and any other commonwealth, territory, or possession of the United States.’’). VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 Financial institutions with customer due diligence requirements under applicable law will have access to BOI to facilitate compliance with those requirements, as will the Federal functional regulators or other appropriate regulatory agencies that supervise or assess those financial institutions’ compliance with such requirements. II. Background A. Access to Beneficial Ownership Information For more than two decades, the U.S. government has been raising awareness about the misuse of legal entities by criminal actors for illicit ends.12 Recently, Secretary of the Treasury Janet L. Yellen affirmed that: ‘‘The United States has a unique obligation to tackle corruption. Corrupt actors from around the world continually attempt to exploit the vulnerabilities in the U.S. framework—for countering money laundering, terrorist financing, and other forms of illicit finance. . . . Just like legitimate investors, corrupt actors move their money through the United States to take advantage of the world’s largest and most dynamic economy. They incorporate companies to benefit from our strong legal system, buy assets like real estate, and invest in our deep and liquid markets. . . . Unmasking shell corporations is the single most significant thing we can do to make our financial system inhospitable to corrupt actors. . . . The beneficial ownership database will deter dirty money from entering the U.S.—and give law enforcement and other partners the tools they need to follow the money when it does.’’ 13 The Department of the Treasury (Treasury) has previously observed in its 2020 National Strategy for Combating Terrorist and other Illicit Financing (the 2020 Illicit Financing Strategy) that ‘‘[m]isuse of legal entities to hide a criminal beneficial owner or illegal source of funds continues to be a common, if not the dominant, feature of illicit finance schemes, especially those involving money laundering, predicate offences, tax evasion, and proliferation financing. . . .’’ 14 The 2020 Illicit 12 See 87 FR 59501–59503 (Sept. 30, 2022). 13 U.S. Department of the Treasury (Treasury), ‘‘Remarks by Secretary Janet L. Yellen on AntiCorruption as a Cornerstone of a Fair, Accountable, and Democratic Economy at the Summit for Democracy,’’ (Mar. 28, 2023), available at https:// home.treasury.gov/news/press-releases/jy1371. 14 Treasury, National Strategy for Combating Terrorist and Other Illicit Financing (2020), p. 13, available at https://home.treasury.gov/system/files/ 136/National-Strategy-to-Counter-IllicitFinancev2.pdf. The 2022 National Strategy for Combating Terrorist and Other Illicit Financing noted that ‘‘[t]he passage of the CTA was a critical step forward in closing a long-standing gap and strengthening the U.S. AML/CFT regime’’ and that ‘‘[a]ddressing the gap in collection at the time of PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 88733 Financing Strategy further noted a Treasury finding that, between 2016 and 2019, legal entities were used in a substantial proportion of adjudicated Internal Revenue Service (IRS) cases to perpetrate tax evasion and fraud.15 In a separate report, the Drug Enforcement Administration highlighted that drug trafficking organizations frequently use shell and front companies to commingle illicit drug proceeds with legitimate front company revenue to launder the illicit drug proceeds.16 As Treasury stressed in its 2022 Illicit Financing Strategy, law enforcement’s lack of access to uniform BOI hinders its ability to swiftly investigate those entities created and used to hide ownership for illicit purposes.17 Consequently, authorized recipients’ access to BOI reported under the CTA will significantly aid efforts to protect U.S. national security; safeguard the U.S. financial system; and support U.S. foreign policy and other interests by providing a tool to counter corruption, human smuggling, drug and arms trafficking, terrorist financing, and other criminal acts. BOI can also add critical data to financial analyses in activities the CTA contemplates, including tax investigations. BOI can also provide essential information to the intelligence and national security professionals who work to prevent terrorists, proliferators, and those who seek to undermine our democratic institutions or threaten other core U.S. interests from raising, hiding, or moving money in the United States through anonymous shell or front companies. Entity formation and registration in the United States happen at the state and Tribal levels. Although state- and Tribal-level entity formation laws vary, most jurisdictions do not require the party forming an entity to identify its individual beneficial owners at or after the time of formation. Additionally, the vast majority of states require little to no contact information or other information about an entity’s officers or others who entity formation is the most important AML/CFT regulatory action for the U.S. government.’’ Treasury, National Strategy for Combating Terrorist and Other Illicit Financing (May 2022), p. 8, available at https://home.treasury.gov/system/files/ 136/2022-National-Strategy-for-CombatingTerrorist-and-Other-Illicit-Financing.pdf (‘‘2022 Illicit Financing Strategy’’). 15 Id. at 14. 16 Drug Enforcement Administration, 2020 Drug Enforcement Administration National Drug Threat Assessment (‘‘DEA 2020 NDTA’’) (2020), pp. 87–88, available at https://www.dea.gov/sites/default/files/ 2021-02/DIR-008-21%202020%20 National%20Drug%20Threat%20Assessment_ WEB.pdf. 17 See Treasury, 2022 Illicit Financing Strategy, supra note 3, p. 12. E:\FR\FM\22DER3.SGM 22DER3 88734 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 control it.18 Furthermore, although many financial institutions are required to collect certain beneficial ownership information pursuant to FinCEN’s 2016 Customer Due Diligence Rule (2016 CDD Rule),19 and broader Customer Identification Program (CIP) obligations,20 that information is not systematically reported to a central repository. Identifying individual beneficial owners of legal entities in the United States therefore is often a significant challenge for law enforcement,21 and it represents a significant weakness in the United States’ AML/CFT and CFP frameworks, as Treasury 22 and the FATF 23 have noted for some time. 18 See CTA, section 6402(2) (‘‘[M]ost or all States do not require information about the beneficial owners of corporations, limited liability companies, or other similar entities formed under the laws of the State’’); U.S. Government Accountability Office, Company Formations: Minimal Ownership Information Is Collected and Available (Apr. 2006), available at https://www.gao.gov/assets/gao-06376.pdf; see also, e.g., The National Association of Secretaries of State (NASS), NASS Summary of Information Collected by States (Jun. 2019), available at https://www.nass.org/sites/default/files/ company%20formation/nass-business-entity-infocollected-june2019.pdf. 19 Final Rule, Customer Due Diligence Requirements for Financial Institutions, 81 FR 29398–29402 (May 11, 2016); 31 CFR 1010.230. 20 See e.g., 31 CFR 1020.220. 21 In 2019, for example, Steven M. D’Antuono, Acting Deputy Assistant Director of the FBI’s Criminal Investigative Division testified before Congress that ‘‘[t]he process for the production of [beneficial ownership] records can be lengthy, anywhere from a few weeks to many years, and . . . can be extended drastically when it is necessary to obtain information from other countries . . . . [I]f an investigator obtains the ownership records, either from a domestic or foreign entity, the investigator may discover that the owner of the identified corporate entity is an additional corporate entity, necessitating the same process for the newly discovered corporate entity. Many professional launderers and others involved in illicit finance intentionally layer ownership and financial transactions in order to reduce transparency of transactions. As it stands, it is a facially effective way to delay an investigation.’’ D’Antuono further acknowledged that these challenges may be even greater for State, local, and Tribal law enforcement agencies that may not have the same resources as their Federal counterparts to undertake long and costly investigations to identify beneficial owners. D’Antuono noted that requiring the disclosure of BOI by legal entities and the creation of a central BOI repository available to law enforcement and regulators could address these challenges. Federal Bureau of Investigation (FBI), Testimony of Steven M. D’Antuono, Section Chief, Criminal Investigative Division, ‘‘Combatting Illicit Financing by Anonymous Shell Companies’’ (May 21, 2019), available at https://www.fbi.gov/news/ testimony/combating-illicit-financing-byanonymous-shell-companies. 22 Treasury, Treasury Announces Key Regulations and Legislation to Counter Money Laundering and Corruption, Combat Tax Evasion, May 5, 2016, available at https://home.treasury.gov/news/pressreleases/jl0451. 23 See FATF Recommendation 24, Transparency and Beneficial Ownership of Legal Persons, The FATF Recommendations: International Standards VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 Currently, obtaining BOI through grand jury subpoenas and other means can involve considerable effort. Grand jury subpoenas, for example, require an underlying grand jury investigation into a possible violation of law. Furthermore, the law enforcement officer or investigator must work with a prosecutor’s office, such as a U.S. Attorney’s Office, to open a grand jury investigation, obtain the grand jury subpoena, and issue it on behalf of the grand jury. The investigator also needs to determine who should receive the subpoena and coordinate service, which creates additional complications in cases involving complicated corporate structuring. Sometimes this work is all for naught because the investigation involves an entity formed or registered in a jurisdiction that does not require BOI for formation or registration. FinCEN’s existing regulatory tools help, but they provide only partial solutions. The 2016 CDD Rule, for example, requires that certain types of U.S. financial institutions identify and verify the beneficial owners of legal entity customers at the time of account opening.24 The information financial institutions must collect under the 2016 CDD Rule, however, is generally neither comprehensive nor reported to the U.S. government (nor to State, local, or Tribal governments), except when filed in suspicious activity reports (SARs) or in response to judicial process. Moreover, the 2016 CDD Rule applies only to legal entities that open accounts at certain U.S. financial institutions. Other FinCEN authorities—geographic targeting orders 25 and the so-called ‘‘311 measures’’ (i.e., special measures imposed on foreign jurisdictions, foreign financial institutions, or international transactions of primary money laundering concern) 26—offer temporary and targeted tools. Neither provides law enforcement the ability to reliably, efficiently, and consistently identify new entities for investigation or follow investigatory leads. This Final Rule will help to fill in these gaps while creating a framework to keep BOI secure and confidential. B. The CTA The CTA is part of the AML Act, which is a part of the 2021 NDAA. The CTA added a new section, 31 U.S.C. on Combating Money Laundering and the Financing of Terrorism and Proliferation (updated Oct. 2020), available at https://www.fatf-gafi.org/publications/ fatfrecommendations/documents/fatfrecommendations.html. 24 31 CFR 1010.230(b)(1). 25 31 U.S.C. 5326(a); 31 CFR 1010.370. 26 31 U.S.C. 5318A, as added by section 311 of the USA PATRIOT Act (Pub. L. 107–56). PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 5336, to the BSA to enhance beneficial ownership transparency while minimizing the burden on the regulated community.27 This new section requires certain types of domestic and foreign entities, called ‘‘reporting companies,’’ to submit BOI to FinCEN.28 Specifically, reporting companies must submit to FinCEN, for each beneficial owner and each individual who files an application to form a domestic entity or register a foreign entity to do business in the United States (the ‘‘company applicant’’), four pieces of information: the individual’s full legal name, date of birth, current residential or business street address, and either a unique identifying number from an acceptable identification document (e.g., a passport) or the individual’s ‘‘FinCEN identifier.’’ 29 The CTA establishes that BOI is ‘‘sensitive information.’’ 30 The statute treats it as such by limiting its access and use to specified parties for particular purposes.31 In particular, Congress authorized FinCEN to disclose BOI only to a statutorily defined group of governmental authorities and financial institutions, and only in defined circumstances. The CTA further provides that the Secretary of the Treasury (Secretary) must ‘‘maintain [BOI] in a secure, nonpublic database, using information security methods and techniques that are appropriate to protect nonclassified information systems at the highest security level.’’ 32 As discussed in detail in section II.E, FinCEN is currently building the secure information technology (IT) system into which reporting companies will submit, and from which authorized recipients will generally obtain, BOI. In addition to setting out requirements and restrictions related to BOI reporting and access, the CTA requires that FinCEN revise the 2016 CDD Rule within one year of the BOI reporting requirements taking effect. In particular, the CTA directs FinCEN to revise the 2016 CDD Rule to: (1) bring it into conformity with the AML Act as a whole, including the CTA; (2) account for financial institutions’ access to BOI 27 CTA, section 6403. U.S.C. 5336(b)(1), (2). The CTA generally exempts from the reporting requirements banks and other entities that are already subject to significant regulatory regimes meant to expose their beneficial owners, among other purposes. See id. at 5336(a)(11)(B). 29 Id. at 5336(b)(2). 30 CTA, section 6402(6). 31 Id. 32 CTA, section 6402(7)(A). While the statutory language seems to include a typographical error that refers to another provision (not related to BOI), it also seems clear that the object of protection in this case is BOI. 28 31 E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations reported to FinCEN ‘‘in order to confirm the beneficial ownership information provided directly to the financial institutions’’ for AML/CFT and customer due diligence purposes; and (3) reduce unnecessary or duplicative burdens on financial institutions and legal entity customers.33 In carrying out these provisions, the CTA further requires FinCEN to rescind paragraphs (b) through (j) of 31 CFR 1010.230.34 FinCEN began implementing the CTA by publishing an ANPRM on April 5, 2021.35 The ANPRM sought input on five open-ended categories of questions, including questions on clarifying key CTA definitions and on how FinCEN should implement CTA provisions governing FinCEN’s maintenance and disclosure of BOI subject to appropriate access protocols. In response to the ANPRM, FinCEN received and considered 220 comments from parties that included businesses, civil society organizations, trade associations, law firms, secretaries of state and other state officials, Indian Tribes, members of Congress, and private citizens. FinCEN next published the Reporting NPRM on December 8, 2021.36 The Reporting NPRM described Treasury’s efforts to address the lack of transparency in the ownership of certain legal entities, and proposed regulations specifying what BOI must be reported to FinCEN pursuant to CTA requirements, by whom, and when. These regulations also proposed processes for obtaining, updating, and using FinCEN identifiers. The Reporting NPRM included a 60-day comment period, which closed on February 7, 2022. FinCEN received over 240 comments on the Reporting NPRM. After considering those comments, FinCEN published a final rule implementing the CTA’s BOI reporting requirements on September 30, 2022 (Reporting Rule).37 The Reporting Rule takes effect on January 1, 2024, and is the first of three rulemakings required by the CTA. Under the Reporting Rule, reporting companies in existence before the effective date will have until January 1, 2025, to report.38 The Reporting Rule 33 CTA, section 6403(d)(1)(A)–(C). section 6403(d)(1)–(2). The CTA orders the rescission of paragraphs (b) through (j) directly (‘‘the Secretary of the Treasury shall rescind paragraphs (b) through (j)’’) and orders the retention of paragraph (a) by a negative rule of construction (‘‘nothing in this section may be construed to authorize the Secretary of the Treasury to repeal . . . [31 CFR] 1010.230(a)[.]’’). The statute also provides a list of considerations to take into account when revising the 2016 CDD Rule. See generally CTA, section 6403(d)(3). 35 86 FR 17557 (Apr. 5, 2021). 36 86 FR 69920 (Dec. 8, 2021). 37 87 FR 59498 (Sept. 30, 2022). 38 Reporting Rule, 31 CFR 1010.380(a)(1)(i)-(ii). ddrumheller on DSK120RN23PROD with RULES3 34 CTA, VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 also provided that reporting companies created or registered to do business on or after January 1, 2024 would need to submit BOI to FinCEN within 30 days of receiving notice of a company’s creation or registration.39 However, on November 30, 2023, FinCEN published a final rule to extend the timeframe for reporting companies created or registered on or after January 1, 2024, and before January 1, 2025, to submit their initial BOI reports to FinCEN. Under this amendment to the Reporting Rule, reporting companies created or registered on or after January 1, 2024, and before January 1, 2025, will have 90 days to submit their initial BOI reports, instead of 30 days. Reporting companies formed on or after January 1, 2025, will continue to be required to submit their initial BOI reports within 30 days. The Reporting Rule also reserved for further consideration certain provisions concerning the use of FinCEN identifiers for entities. FinCEN next published the Access NPRM regarding the CTA’s BOI access and safeguard provisions on December 16, 2022.40 The proposed regulations reflected information gleaned from over 30 outreach sessions with representatives from Federal agencies, state courts, state and local prosecutors’ offices, Tribal governments, financial institutions, financial self-regulatory organizations (SROs), and government offices that had established beneficial ownership databases, as well as from comments to the prior CTA-related publications. The Access NPRM also included proposed amendments to the reporting regulations that would finalize the remaining Reporting Rule provisions concerning the use of FinCEN identifiers for entities. The comment period for the Access NPRM closed on February 14, 2023. This final rule adopts, with modifications, the proposed regulations in the Access NPRM and is the second rulemaking required by the CTA. These final access and safeguard regulations (‘‘Access Rule’’) aim to ensure that: (1) only authorized recipients have access to BOI; (2) authorized recipients use that access only for purposes permitted by the CTA; and (3) authorized recipients only re-disclose BOI in ways that balance protecting its security and confidentiality with the CTA objective of making BOI available to a range of users for authorized purposes. The regulations also provide a robust framework to ensure that BOI reported to FinCEN, and received by authorized recipients, is subject to strict 39 Id. 40 87 PO 00000 at 1010.380(a)(iii). FR 77404 (Dec. 16, 2022). Frm 00005 Fmt 4701 Sfmt 4700 88735 cybersecurity controls, confidentiality protections and restrictions, and robust audit and oversight measures. FinCEN will implement the CTA requirement to revise the 2016 CDD Rule through a future rulemaking process. That process will provide the public with an opportunity to comment on the effect of the final provisions of the BOI reporting and access rules on financial institutions’ customer due diligence obligations. Finally, the CTA requires the Inspector General of the Department of the Treasury to provide public contact information to receive external comments or complaints regarding the BOI notification and collection process or regarding the accuracy, completeness, or timeliness of such information.41 Treasury’s Office of Inspector General (‘‘Treasury OIG’’) has established the following email inbox to receive such comments or complaints: CorporateTransparency@oig.treas.gov. C. The Access NPRM As noted above in section II.B, FinCEN published the Access NPRM on December 16, 2022. The NPRM had a 60-day comment period that closed on February 14, 2023. FinCEN received over 80 comments. The NPRM described who would be authorized to access BOI reported to FinCEN, how those parties could use the information, and how they would be required to safeguard it. The proposed regulations would amend 31 CFR 1010.950(a) to clarify that the disclosure of BOI would be governed by proposed 31 CFR 1010.955, rather than 31 CFR 1010.950(a), which governs disclosure of other BSA information. The CTA specifies disclosure rules applicable to BOI that are distinct from BSA provisions authorizing disclosure of other BSA information.42 The Access NPRM proposed to incorporate the CTA’s general prohibition on the disclosure of BOI by individual recipients to others unless authorized to do so under the statute or its implementing regulations, with certain clarifications regarding the applicability and duration of that prohibition. The proposed regulations would authorize the disclosure and use of BOI to facilitate the purposes of the CTA, with FinCEN further proposing to retain the authority to permit in writing the re-disclosure of BOI in other circumstances. The proposed regulations included provisions that would address a range of 41 See 42 See E:\FR\FM\22DER3.SGM 31 U.S.C. 5336(h)(4). 31 U.S.C. 5336(c)(2), (5). 22DER3 88736 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 administrative matters, e.g., circumstances under which FinCEN could decline to provide requested BOI or debar or suspend an authorized recipient, and would incorporate CTA provisions that impose civil and criminal penalties for knowingly disclosing or knowingly using BOI in ways that were not authorized by the CTA. The proposed rule also would reinforce the security and confidentiality requirements of the CTA by making clear the range of actions that could constitute unauthorized disclosure and use. Finally, the Access NPRM made a new proposal regarding the use of FinCEN identifiers for entities, which was initially addressed in the Reporting NPRM and then deferred in the Final Reporting Rule. Specifically, the proposed regulations would clarify that a reporting company would be permitted to report the FinCEN identifier of an intermediate entity (i.e., an entity through which an individual beneficial owner exercises substantial control or owns ownership interests in a reporting company) in lieu of a beneficial owner’s PII only when three criteria are met. Taken together, these requirements sought to avoid the use of FinCEN identifiers to obscure beneficial ownership in a reporting company when the entity’s ownership structure involves multiple beneficial owners and intermediate entities. FinCEN published a final rule to implement these provisions regarding the use of FinCEN identifiers for entities on November 8, 2023.43 The Access NPRM, however, primarily focused on the scope of and requirements for access to and protection of BOI reported to FinCEN. The following subsections outline how the proposed regulations would apply to five categories of authorized recipients for which the CTA prescribes specific requirements with respect to access to and use of BOI. i. Domestic Agencies The first category of BOI recipients authorized by the CTA consists of (1) Federal agencies engaged in national security, intelligence, or law enforcement activity if the requested BOI is for use in furtherance of such activity; 44 and (2) State, local, and Tribal law enforcement agencies if ‘‘a court of competent jurisdiction’’ authorizes the law enforcement agency to seek the information in a criminal or civil investigation.45 Federal agency 43 88 FR 76995 (Nov. 8, 2023). U.S.C. 5336(c)(2)(B)(i)(I). 45 31 U.S.C. 5336(c)(2)(B)(i)(II). 44 31 VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 access to BOI would be contingent on the type of activity an agency engages in. In contrast, State, local, and Tribal access would be contingent on two conditions; (1) whether the recipient is a law enforcement agency, i.e., the type of agency; and (2) whether a State, local, or Tribal law enforcement agency receives authorization from a court of competent jurisdiction to request BOI from FinCEN. The Access NPRM proposed definitions for ‘‘national security,’’ ‘‘intelligence,’’ and ‘‘law enforcement’’ activities in a manner consistent with the CTA. In particular, the Access NPRM proposed that ‘‘law enforcement’’ include both criminal and civil investigations and actions, including actions to impose civil penalties, civil forfeiture actions, and civil enforcement through administrative proceedings. For access by State, local and Tribal law enforcement, the Access NPRM proposed to define ‘‘court of competent jurisdiction’’ as any court with jurisdiction over the criminal or civil investigation for which the State, local, or Tribal law enforcement agency requested BOI. The Access NPRM further proposed that the requisite court authorization would have to be in the form of a court order, with the understanding that the term ‘‘order’’ could encompass many authorization types issued by a range of court officers (i.e., individuals empowered to exercise a court’s authority and issue authorizations on its behalf, excluding individual attorneys). The NPRM specifically sought feedback on the scope of this definition. The proposed regulations would also require all Federal agencies engaged in national security, intelligence, or law enforcement activity to provide a brief justification for each search for BOI in the FinCEN IT system and certify compliance with the applicable regulatory requirements. State, local, and Tribal law enforcement agencies would also have had to provide a brief justification for each search for BOI and submit copies of their court orders for FinCEN review. Upon meeting these requirements, both Federal agencies engaged in national security, intelligence, or law enforcement activity and State, local, and Tribal law enforcement agencies would have the ability to conduct searches for BOI in the beneficial ownership IT system (the ‘‘BO IT system’’) relevant to their investigation. The BO IT system would provide these users with both a reporting company’s BOI at the time of the request as well as any previously submitted BOI. PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 Furthermore, the Access NPRM proposed that Federal agencies engaged in a national security, intelligence, or law enforcement activity, as well as State, local, and Tribal law enforcement agencies, would be authorized to disclose BOI obtained directly from FinCEN to courts of competent jurisdiction or parties to a civil or criminal proceeding. This authorization would only apply to civil or criminal proceedings involving U.S. Federal, State, local, and Tribal laws. In the preamble to the Access NPRM, FinCEN explained that it envisioned agencies relying on this provision when, for example, a prosecutor would need to provide a criminal defendant with BOI in discovery or use it as evidence in a court proceeding or trial.46 The CTA prescribes a number of security and confidentiality requirements that the Secretary must impose on requesting Federal, State, local, and Tribal agencies and their heads. These include requirements for secure storage systems and access policies and procedures; personnel access controls; recordkeeping, reporting, and audit requirements; and written certifications. These requirements affirm the importance of the security and confidentiality protocols and the need for a high degree of accountability for the protection of BOI. The proposed regulations described how each requesting agency, before it could obtain BOI from FinCEN, would be required to enter into a memorandum of understanding (MOU) with FinCEN specifying the standards, procedures, and systems that the agency would be required to maintain to protect BOI, including security plans. FinCEN explained in the preamble to the Access NPRM that these requirements are extensive by necessity given the broad search functionality within the BO IT system that would be available to this category of authorized recipients. ii. Foreign Requesters The second category consists of foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (‘‘foreign requesters’’), provided their requests come through an intermediary Federal agency, meet additional criteria, and are made either (1) under an international treaty, agreement, or convention; or (2) via a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country (when no international treaty, agreement, or convention is available).47 46 See 47 See E:\FR\FM\22DER3.SGM CTA, section 6402(5)(D). 31 U.S.C. 5336(c)(2)(B)(ii). 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations FinCEN generally did not propose to identify in the Access NPRM any specific Federal agencies that would serve as intermediaries with foreign governments.48 FinCEN instead indicated that it would work with Federal agencies to identify those that are well positioned to be intermediaries, based on several factors, including: the level of engagement with foreign law enforcement agencies, judges, prosecutors, central authorities, or competent authorities; responsibility under international treaties, agreements, or conventions; and capacity to process requests for BOI while managing risks of unauthorized disclosure. The Access NPRM proposed to permit intermediary Federal agencies to use BOI obtained from FinCEN at the behest of a foreign requester only to facilitate a response to that foreign requester. With respect to the requirement that a foreign request be made under an ‘‘international treaty, agreement, or convention,’’ FinCEN explained that it understood those terms to cover a legally binding agreement governed by international law. FinCEN did not propose to identify specific countries it would treat as ‘‘trusted’’ in situations when no international treaty, agreement, or convention applied. The Access NPRM explained that to define ‘‘trusted foreign country’’ would have risked arbitrarily excluding foreign requesters with whom sharing BOI might be appropriate in some cases but not others. FinCEN instead proposed to conduct case-by-case assessments in consultation with relevant U.S. government agencies to determine whether to disclose BOI to a foreign requester in a particular instance. In the Access NPRM, FinCEN explained that it did not expect foreign requesters to have direct access to the BO IT system, but rather that intermediary Federal agencies would perform BOI searches in the system on a foreign requester’s behalf. Before acting as intermediaries, Federal agencies would first have to fulfill several requirements, including: (1) ensuring that they have secure systems for BOI storage; (2) entering into MOUs with FinCEN outlining expectations and responsibilities; (3) incorporating the CTA foreign sharing requirements into evaluation criteria with which to review BOI requests from foreign requesters; (4) integrating the evaluation criteria into their existing information-sharing policies and procedures; (5) developing 48 Given its longstanding relationships and relevant experience as the financial intelligence unit of the United States, FinCEN proposed to directly receive, evaluate, and respond to requests for BOI from foreign financial intelligence units. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 additional security protocols and systems as required under the CTA and this rule; and (6) ensuring that their personnel have sufficient training on BOI security and use requirements and restrictions. Under the Access NPRM, an intermediary Federal agency would be authorized to submit foreign requests for BOI to FinCEN only after meeting these requirements. Such requests would need to include certain information, including: (1) the names of both the individual within the intermediary Federal agency making the request and the individual affiliated with the foreign requester on whose behalf the request was being made; and (2) either the international treaty, agreement, or convention under which the request was being made, or a statement that no such instrument governs along with an explanation of the information’s intended use. Intermediary Federal agencies would also need to certify that a request meets applicable eligibility criteria. After doing so, an intermediary Federal agency could then search for and retrieve requested BOI from the system and respond to the foreign requester in a manner consistent with either the international treaty, agreement, or convention, or the request from the trusted foreign country. Intermediary Federal agencies would be required to maintain records documenting specified elements of each search, both for the agency’s own internal auditing and for FinCEN audits as required under the CTA. Recognizing the importance that all authorized BOI recipients—including foreign requesters—take appropriate steps to keep BOI confidential and secure and to prevent misuse, FinCEN also proposed requiring foreign requesters to handle, disclose, and use BOI consistent with the requirements of the applicable international treaty, agreement, or convention under which it is requested. When no treaty, agreement, or convention applies, the Access NPRM proposed that the head of an intermediary Federal agency, acting on behalf of a foreign requester, or their designee, would need to submit to FinCEN a written explanation of the specific purpose for which the foreign requester is requesting BOI. The intermediary Federal agency in such cases would have also needed to provide FinCEN with a certification that the requested BOI would be: (1) used in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity that is authorized under the laws of the relevant foreign country; (2) only used for the particular purpose or activity for PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 88737 which it was requested; and (3) handled in accordance with specified security and confidentiality requirements. Under the proposed rule, the certification would reflect what the head of the intermediary Federal agency head or their designee understands to be the intended use for the BOI, rather than a guarantee from the intermediary Federal agency that the foreign requester would not use the information for unauthorized purposes. The Access NPRM further specified that FinCEN could request additional information from the requester to support FinCEN’s evaluation of whether to disclose BOI to a foreign requester when the request is not pursuant to an international treaty, agreement, or convention. iii. Financial Institutions With Customer Due Diligence Compliance Obligations Under Applicable Law The third authorized recipient category under the CTA is financial institutions that use BOI ‘‘to facilitate compliance with customer due diligence requirements under applicable law.’’ 49 FinCEN proposed to define the term ‘‘customer due diligence requirements under applicable law’’ to mean FinCEN’s customer due diligence regulations at 31 CFR 1010.230, which require covered financial institutions to identify and verify beneficial owners of legal entity customers. FinCEN considered other approaches, but concluded that focusing on its 2016 CDD Rule alone would make this access category easier to administer, reduce uncertainty about which financial institutions could access BOI under the proposed rule, and better protect the security and confidentiality of sensitive BOI by limiting the circumstances under which financial institutions could access the information. There also did not appear to be any State, local, or Tribal customer due diligence requirements comparable in substance to FinCEN’s 2016 CDD Rule.50 The CTA further requires that a reporting company’s consent is necessary in order for a financial institution to obtain BOI from FinCEN. FinCEN proposed to make financial institutions responsible for obtaining this consent. That proposal reflected FinCEN’s assessment that financial institutions are best positioned to obtain and manage consent through existing 49 31 U.S.C. 5336(c)(2)(B)(iii). the Access NPRM, FinCEN specifically asked commenters to identify any Federal, State, local, or Tribal law requirements comparable to the 2016 CDD Rule regarding financial institutions identifying and verifying beneficial owners of legal entity customers. FinCEN received no responses to that request. 50 In E:\FR\FM\22DER3.SGM 22DER3 88738 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 processes and by virtue of having direct relationship with reporting companies as customers. Although certain certifications would be required, the Access NPRM did not propose that financial institutions submit proof of a reporting company’s consent. FinCEN recognized that it would not have the capacity to review, verify, and store consent forms, and additional FinCEN involvement would create undue delays for the ability of financial institutions to onboard customers. FinCEN also explained that a financial institution’s compliance with these requirements would be assessed by Federal functional regulators in the ordinary course during examinations, or by financial SROs during their routine BSA examinations.51 FinCEN described in the Access NPRM its plan to establish for financial institutions a more circumscribed BO IT system interface than would be available to most Federal agencies and State, local, and Tribal law enforcement agencies. This would be based on the defined purposes for which financial institutions can use BOI under the CTA and the proposed requirement that they obtain reporting company consent before requesting the information from FinCEN. The interface would require financial institutions to submit identifying information specific to a particular reporting company (for example, the company name and tax identification number). In return, the financial institution would receive an electronic transcript with that reporting company’s BOI at the time of the request. The transcript would not include any previously submitted BOI for the reporting company. Although the CTA does not specifically address the safeguards that financial institutions must implement as a condition for requesting BOI, the CTA authorizes FinCEN to prescribe by regulation any other safeguards determined to be necessary or appropriate to protect the confidentiality of BOI.52 In exercising this authority, FinCEN proposed a principles-based approach by requiring that financial institutions develop and implement administrative, technical, and physical safeguards reasonably 51 The CTA requirements financial institutions must satisfy to qualify for BOI disclosure from FinCEN are part of the BSA, a statute enacted in pertinent part in Chapter X of the Code of Federal Regulations. FinCEN has delegated its authority to examine financial institutions for compliance with Chapter X to the Federal functional regulators. See 31 CFR 1010.810. Separately, the FBAs have their own authority to examine the financial institutions that they supervise for compliance with the BSA. See 12 U.S.C. 1786(q)(2), 1818(s)(2). 52 31 U.S.C. 5336(c)(3)(K). VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 designed to protect BOI as a precondition for receiving the information. The proposed regulations would establish that the security and information handling procedures necessary to comply with section 501 of the Gramm-Leach-Bliley Act (GrammLeach-Bliley) 53 and related regulations to protect nonpublic customer personal information, if applied to BOI under the control of the financial institution, would satisfy this requirement. Financial institutions not subject to regulations issued pursuant to section 501 of Gramm-Leach-Bliley would be held to these same substantive standards under the proposed rules. Subject to certain conditions, the Access NPRM proposed to authorize financial institutions to share BOI that they obtained from FinCEN for use in fulfilling customer due diligence obligations with: (1) their Federal functional regulators, (2) qualifying SROs, or (3) any other appropriate regulatory agency. FinCEN proposed this authorization for the sake of efficiency and to more easily provide regulators with a complete picture of how financial institutions are obtaining and using BOI for customer due diligence compliance, thereby supporting the aims and purposes of the CTA, as well as helping them detect compliance failures. iv. Regulatory Agencies The fourth category of authorized recipient under the proposed regulations is Federal functional regulators and other appropriate regulatory agencies that (1) are authorized to assess, supervise, enforce, or otherwise determine financial institution compliance with customer due diligence requirements under applicable law; (2) use BOI solely to conduct an assessment, supervision, or authorized investigation or activity under 31 U.S.C. 5336(c)(2)(C)(i); and (3) enter into an agreement with FinCEN describing appropriate protocols for obtaining BOI. The proposed regulations also incorporated the CTA’s limitation on the scope of access by these agencies. The CTA states that BOI that FinCEN discloses to financial institutions should ‘‘also be available to [their qualifying regulators].’’ 54 The Access NPRM therefore proposed to allow only qualifying regulators to obtain from FinCEN BOI that financial institutions that they supervise for customer due diligence compliance had already 53 Public Law 106–102, 113 Stat. 1338, 1436–37 (1999). 54 31 U.S.C. 5336(c)(2)(C) (emphasis added). PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 obtained under the CTA and its implementing regulations. Obtaining BOI from FinCEN would require Federal functional regulators and other appropriate regulatory agencies to certify to FinCEN when requesting BOI that the agency (1) is authorized by law to assess, supervise, enforce, or otherwise determine the relevant financial institution’s compliance with customer due diligence requirements under applicable law, and (2) would use the information solely for that activity. FinCEN made clear in the Access NPRM that it did not believe this customer due diligence-specific authorization was the exclusive means through which one of these regulators could obtain BOI. The access provision for Federal agencies engaged in national security, intelligence, or law enforcement activities focuses on activity categories, not agency types. To the extent that a Federal functional regulator, like the Securities and Exchange Commission (SEC), engages in civil law enforcement activities, agency officers, employees, contractors, and agents responsible for those activities could obtain BOI under the access provision for Federal law enforcement activity. The same principle applies to other agencies with both supervisory responsibility and authority to engage in other covered activity, including, potentially, State, local, and Tribal law enforcement agencies. In the Access NPRM, FinCEN clarified that it would adopt its existing regulatory definition of ‘‘Federal functional regulators’’ to minimize the risk of confusion.55 FinCEN did not propose to define ‘‘other appropriate regulatory agencies,’’ because it assessed that the requirement that an agency be authorized by law to supervise financial institutions for customer due diligence compliance sufficiently circumscribed the category. In the Access NPRM, FinCEN considered whether SROs registered with or designated by a Federal functional regulator pursuant to Federal statute 56 (‘‘qualifying SROs’’) should qualify as ‘‘other appropriate regulatory agencies.’’ These organizations—like the Financial Industry Regulatory Authority (FINRA) or the National Futures Association (NFA)—are not traditionally 55 Under this definition, the six Federal functional regulators that supervise financial institutions with customer due diligence obligations are the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the SEC, and the Commodity Futures Trading Commission (CFTC). See 31 CFR 1010.100(r). 56 See, e.g., 7 U.S.C. 21; 15 U.S.C. 78o–3. E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations understood to be agencies of the U.S. government,57 but they do exercise selfregulatory authority within the framework of Federal law, and work under the supervision of Federal functional regulators to assess, supervise, and enforce financial institution compliance with, among other things, customer due diligence requirements.58 These qualifying SROs also are subject to extensive oversight by Federal agencies.59 FinCEN believed that qualifying SROs fulfill a critical role in overseeing participants in the financial services sector which justified their limited and derivative access to BOI: Without this level of access, qualifying SROs would not be able to effectively evaluate a financial institution’s customer due diligence compliance. The CTA provides FinCEN broad discretion to specify the conditions under which authorized recipients of BOI may redisclose that information to others. Consequently, the Access NPRM proposed to permit both financial institutions and Federal functional regulators to re-disclose to qualifying SROs any BOI they obtained from FinCEN for use in complying with customer due diligence requirements under applicable law. A qualifying SRO would (1) need to satisfy the same three conditions applicable to Federal functional regulators and other appropriate regulatory agencies, and (2) be permitted to use the information for the limited purpose of examining compliance with applicable customer due diligence obligations. The Access NPRM further proposed that Federal functional regulators would also be permitted to disclose BOI to DOJ for purposes of making a referral to DOJ or for use in litigation related to the activity for which the requesting agency requested the information. ddrumheller on DSK120RN23PROD with RULES3 v. Department of the Treasury Access The CTA includes separate, Treasuryspecific provisions for accessing BOI, 57 See, e.g., In re William H. Murphy & Co., SEC Release No. 34–90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that FINRA ‘‘is not a part of the government or otherwise a [S]tate actor’’ to which constitutional requirements apply). 58 See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2–9(c)(5). 59 See, e.g., Scottsdale Cap. Advisors Corp. v. FINRA, 844 F.3d 414, 418 (4th Cir. 2016) (‘‘Before any FINRA rule goes into effect, the SEC must approve the rule and specifically determine that it is consistent with the purposes of the Exchange Act. The SEC may also amend any existing rule to ensure it comports with the purposes and requirements of the Exchange Act.’’ (citations omitted); Birkelbach v. SEC, 751 F.3d 472, 475 (7th Cir. 2014) (‘‘A [FINRA] member can appeal the disposition of a FINRA disciplinary proceeding to the SEC, which performs a de novo review of the record and issues a decision of its own.’’). VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 tying the access to a Treasury officer’s or employee’s official duties requiring BOI inspection or disclosure,60 including for tax administration purposes.61 Proposed 31 CFR 1010.955(b)(5) tracked these authorizations, and provided that Treasury officers and employees may receive BOI where their official duties require such access, or for tax administration, consistent with procedures and safeguards established by the Director of FinCEN. The proposed regulations also clarified the term ‘‘tax administration purposes’’ by adding a reference to the definition of ‘‘tax administration’’ in the Internal Revenue Code.62 The Access NPRM explained that FinCEN envisioned Treasury components having broad search functionality comparable to that of Federal agencies engaged in national security, intelligence, or law enforcement activity. This would include using BOI for enforcement actions, intelligence and analytical purposes, sanctions-related investigations, and identifying property blocked pursuant to sanctions, as well as for activities unique to Treasury, such as for tax administration and administration of the BOI framework, including audits, enforcement, and oversight. As with other Federal agencies requesting BOI for their own use, Treasury would also be permitted to disclose BOI for purposes of making a referral to DOJ or for use in litigation related to the activity for which Treasury officers, employees, contractors, or agents requested the information. The Access NPRM further explained that FinCEN expected to work with other Treasury components to establish internal policies and procedures governing Treasury access to BOI. FinCEN noted that it anticipated that the security and confidentiality protocols in those policies and procedures would include elements of the protocols described in proposed 31 CFR 1010.955(d)(1) as applicable to Treasury activities and organization. Furthermore, officers and employees identified as having duties potentially requiring access to BOI would receive training on, among other topics, determining when their duties require access to BOI, what they can do with the information, and how to handle and safeguard it. Their activities would also be subject to audit. 60 See 31 U.S.C. 5336(c)(5)(A). 31 U.S.C. 5336(c)(5)(B). 62 26 U.S.C. 6103(b)(4). 61 See PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 88739 D. CTA Implementation Efforts i. Beneficial Ownership IT System The CTA directs the Secretary to maintain BOI ‘‘in a secure, nonpublic database, using information security methods and techniques that are appropriate to protect nonclassified information security systems at the highest security level . . . .’’ 63 FinCEN is implementing this requirement by developing a secure BO IT system to receive, store, and maintain BOI. Consistent with the CTA’s requirement 64 and FinCEN’s recognition that BOI is sensitive information warranting stringent security, the system will be cloud-based and will meet the highest Federal Information Security Management Act (FISMA) 65 level (FISMA High).66 A FISMA High rating indicates that losing the confidentiality, integrity, or availability of information within a system would have a severe or catastrophic adverse effect on the organization maintaining the system, including on organizational assets or individuals.67 The rating carries with it a requirement to implement certain baseline controls to protect the relevant information.68 System functionality will vary by recipient category consistent with statutory requirements, limitations on BOI disclosure, and FinCEN’s objective of minimizing access to the data as much as practicable to minimize the risk of unauthorized disclosure. The target date for the system to begin accepting BOI reports is January 1, 2024, the same day on which the Reporting Rule takes effect. ii. Additional CTA Implementation Efforts In addition to continuing development of the BO IT system, FinCEN is working across several other CTA implementation efforts. First, it is working intensively to develop guidance and other educational materials to ensure that small businesses have the information they need to comply and that reporting beneficial ownership information is as streamlined and straightforward as possible. On March 24, 2023, for example, FinCEN published its first set 63 CTA, section 6402(7). U.S.C. 5336(c)(8). 65 44 U.S.C. 3541 et seq. 66 See U.S. Department of Commerce, Federal Information Processing Standards Publication: Standards for Security Categorization of Federal Information and Information Systems (‘‘FIPS Pub 199’’) (Feb. 2004), available at https://nvlpubs.nist. gov/nistpubs/fips/nist.fips.199.pdf. 67 Id. at 3. 68 Id. 64 31 E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88740 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations of guidance materials to aid the public, and in particular the small business community, in understanding the BOI reporting requirements taking effect on January 1, 2024.69 That guidance, available on FinCEN’s website, includes Frequently Asked Questions (FAQs), guidance on BOI filing dates, and informational videos.70 FinCEN published a Small Entity Compliance Guide on September 18, 2023, as well as additional guidance to address more complex topics around BOI reporting. FinCEN is also developing the infrastructure to respond to queries, conduct audit and oversight, and provide partner agencies and financial institutions with access to BOI. FinCEN is particularly focused on providing helpful customer service to reporting companies in the first year and beyond as they file their BOI. FinCEN currently fields approximately 13,000 inquiries a year through its Regulatory Support Section, and approximately 70,000 external technical inquiries a year through the IT Systems Helpdesk. FinCEN has estimated that there will be approximately 32 million reporting companies in Year 1 of the reporting requirement and approximately 5 million new reporting companies each year thereafter.71 Given the expected increase in incoming inquiries, FinCEN is working to stand up a dedicated beneficial ownership contact center to respond to inquiries about the beneficial ownership reporting requirements, and to provide assistance to users encountering technical issues with the BO IT system. FinCEN expects the contact center to begin operations prior to January 1, 2024. FinCEN is also working to establish internal policies and procedures governing Treasury officer and employee access to BOI, as well as to draft and negotiate MOUs for access to BOI and related materials. In keeping with protocols described in this final rule, Federal, State, local and Tribal agencies outside of Treasury will be required to enter into MOUs with FinCEN specifying the standards, procedures, and systems they will be required to maintain to protect BOI. Agency MOUs will, among other things, memorialize and implement requirements regarding reports and certifications, periodic training of 69 FinCEN, FinCEN Issues Initial Beneficial Ownership Information Reporting Guidance (Mar. 24, 2023), available at https://www.fincen.gov/ news/news-releases/fincen-issues-initial-beneficialownership-information-reporting-guidance. 70 FinCEN, Beneficial Ownership Information Reporting, available at https://www.fincen.gov/boi. 71 87 FR 59498, 59549 (Sept. 30, 2022). VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 individual recipients of BOI, personnel access restrictions, re-disclosure limitations, and access to audit and oversight mechanisms. MOUs will also include security plans covering topics related to personnel security (e.g., eligibility limitations, screening standards, and certification and notification requirements); physical security (i.e., system connections and use, conditions of access, and data maintenance); computer security (i.e., use and access policies, standards related to passwords, transmission, storage, and encryption); and inspections and compliance. Agencies will be able to rely on existing databases and related IT infrastructure to satisfy the requirement to ‘‘establish and maintain’’ secure systems in which to store BOI where those systems have appropriate security and confidentiality protocols, and FinCEN will engage with recipient agencies on these protocols during the MOU development process. iii. Administration of Access to BOI For any given user agency, the administrative steps described in the preceding section will need to be completed before authorized users obtain access to the BO IT system. These steps will require resources to complete. Every Federal, State, local, and tribal user agency will need to enter into an MOU with FinCEN for access to the BO IT system and put in place the policies and procedures required under the final Access Rule and the MOU. FinCEN will also need to establish BO IT system individual user accounts for all personnel who are authorized to access the system at agencies and financial institutions. To smoothly manage the draw on resources that this process will demand, FinCEN will take a phased approach to providing access to the BO IT system. The first stage will be a pilot program for a handful of key Federal agency users starting in 2024, as required MOUs and policies and procedures are completed. The second stage will extend access to Treasury Department offices and certain Federal agencies engaged in law enforcement and national security activities that already have Bank Secrecy Act MOUs (e.g., FBI, IRS–CI, HSI, DEA, Federal banking agencies (FBAs)). Subsequent stages will extend access to additional Federal agencies engaged in law enforcement, national security, and intelligence activities, as well as key State, local, and Tribal law enforcement partners; to additional State, local, and Tribal law enforcement partners; in connection with foreign government requests; and PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 finally, to financial institutions and their supervisors. FinCEN believes that starting with a small pilot program of users in 2024 will help test the system and ensure that any issues can be addressed before expanding access to other users. Making access more broadly available in the four subsequent stages outlined above will help ensure the orderly onboarding of authorized users and will space out the timing of the annual audits of agency users that FinCEN is required to conduct under the CTA. Additionally, there is a good reason for FinCEN’s sequencing of access, making financial institutions and their supervisors the last category of users that will receive access to the BO IT system: FinCEN expects that the timing of their access will roughly coincide with the upcoming revision of FinCEN’s 2016 CDD Rule. This will allow financial institutions to enjoy certain administrative efficiencies by bundling system and compliance changes. FinCEN anticipates providing additional information on the timing and details regarding this phased implementation approach in early 2024. E. Comments Received In response to the NPRM, FinCEN received over 80 comments. Submissions came from a broad array of individuals and organizations, including members of Congress, the financial industry and related trade associations, groups representing small business interests, corporate transparency advocacy groups, law enforcement representatives, regulatory associations, legal associations, and other interested groups and individuals. In general, many commenters expressed support for the proposed regulations. These commenters agreed that the proposed regulations were a significant step forward in improving the ability of law enforcement and national security agencies to identify illicit actors hiding behind anonymous shell and front companies. One of the commenters stated that the proposed regulations would confer benefits to both the United States and its overseas partners and bring the United States in line with emerging global practices relating to beneficial ownership information reporting. These commenters viewed the proposed regulations as being consistent with the statutory text. They supported the approach taken to provide access to BOI to authorized recipients and were encouraged by the proposed limitations and security provisions to protect the BOI and prevent unauthorized disclosure. These commenters were E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations particularly supportive of the proposed regulations with respect to U.S. Federal agencies’ access to the BOI database. Supportive commenters agreed that U.S. Federal agencies accessing the database for law enforcement, intelligence, and national security purposes should have broad access, and that foreign requesters should be able to request BOI for similar purposes. Other commenters expressed general opposition to the proposed regulations, arguing that the proposed regulations deviate from the CTA and congressional intent. These commenters argued that the proposed regulations, if finalized without significant changes, would impose unnecessary requirements, limitations, and burdens with respect to certain types of access. Commenters also argued that the proposed regulations would be too costly and burdensome for small businesses. In particular, commenters expressed concern over the access provisions relating to State, local, and Tribal law enforcement authorities and financial institutions. Some commenters stated that certain requirements for law enforcement access to BOI, such as the requirement to submit ‘‘a copy of a court order’’ and ‘‘written justification’’ in proposed 31 CFR 1010.955(d)(1)(ii)(B)(2), would create undue barriers for State, local and Tribal law enforcement and contradict the statutory text. Other commenters argued that the proposed restrictions on access by financial institutions and their regulators would significantly limit the utility of the database. These commenters argued that proposed regulations interpreted ‘‘customer due diligence requirements under applicable law’’ in 31 U.S.C. 5336(c)(2)(B)(iii) too narrowly and objected to the requirement that individuals with access to BOI be located in the United States (31 CFR 1010.955(c)(2)(ii)). These commenters suggested that FinCEN adopt a broader approach to financial institutions’ access to BOI and asked for clarification on a number of related provisions, including, for example, expectations around customer consent, database usage, and discrepancy reporting. One commenter suggested that FinCEN withdraw the proposed regulations and engage with the financial services industry and small businesses to develop a new proposal to better achieve the objectives of the CTA and the AML Act. Many commenters, regardless of their overarching views, suggested specific modifications to the proposed regulations to enhance clarity, refine policy expectations, ensure technical accuracy, and improve implementation more broadly. Commenters sought VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 clarification on specific definitions, use cases, technical requirements and processes, and database functionality, among other things. Several commenters advocated for providing certain additional categories of users access to BOI, while others shared views on the sensitivity of BOI. Several commenters emphasized their view that BOI needed to be verified and suggested ways to improve the quality of the database. Commenters also shared views on future revisions to the 2016 CDD Rule, highlighting the ways in which they anticipated the proposed regulations with respect to access would interact with the 2016 CDD Rule. Among other things, these commenters expressed concerns about potential inconsistencies between BOI in the database and the customer information that financial institutions maintain pursuant to customer due diligence obligations. Many of these commenters urged FinCEN to address these concerns before 2016 CDD Rule revisions are finalized; some suggested that these concerns be addressed as part of the final Access Rule. Several commenters expressed frustration over the sequencing of the CTA rulemakings, stating, for example, that it is difficult to provide meaningful comments on the proposed regulations given uncertainties about revisions to the 2016 CDD Rule. Commenters shared views on the proposed regulations on FinCEN identifiers for reporting companies. While some commenters were supportive of FinCEN’s approach, others found the proposal complex and confusing. Whether or not generally supportive, commenters suggested specific modifications to the proposal and asked for clarification on the availability of the information underlying FinCEN identifiers. One commenter expressed generalized concern about the availability of FinCEN identifiers and their potential misuse. FinCEN also received comments on topics not directly related to the proposed regulations. Some of these comments focused on elements of the Reporting Rule, e.g., information to be reported, company applicants, enforcement mechanism, and the proposed BOI report form. Others identified typographical errors, offered specific recommendations with respect to MSBs and mutual funds, and urged FinCEN to take steps to prevent the creation of fraudulent FinCEN websites. One commenter suggested that FinCEN should be designated as part of the intelligence community, while another suggested that Congress should repeal PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 88741 the USA PATRIOT Act. Finally, one commenter highlighted that some individuals may feel discouraged from submitting comments on proposed regulations if their views do not align with those of their employer. FinCEN carefully reviewed and considered each comment submitted. Many specific proposals will be discussed in more detail in section III below. FinCEN’s analysis and approach has been guided by the statutory text, including the statutory obligations to disclose BOI to authorized users for specified purposes while following strict security and confidentiality protocols and minimizing burdens on stakeholders. In implementing this final rule, FinCEN took into account the many comments and suggestions intended to clarify and refine the scope of the rule and to reduce burdens on authorized users to the greatest extent practicable. FinCEN further notes that implementation of the final rule will require additional engagement with stakeholders to ensure a clear understanding of the rule’s requirements, including through additional guidance, FAQs, and help lines. FinCEN intends to work within Treasury and with interagency partners to inform these specific efforts and the broader implementation of this final rule. III. Discussion of Final Rule This final rule builds on the Access NPRM and is the next step after the Reporting Rule in FinCEN’s implementation of the CTA. The final rule aims to ensure that: (1) only authorized recipients have access to BOI; (2) authorized recipients use that access only for purposes permitted by the CTA; and (3) authorized recipients only re-disclose BOI in ways that balance protecting its security and confidentiality with the CTA objective of making BOI available to users for a range of authorized purposes. The regulations also provide a robust framework to ensure that BOI reported to FinCEN, and received by authorized recipients, is subject to strict cybersecurity controls, confidentiality protections and restrictions, and robust audit and oversight measures. FinCEN is adopting the proposed rule largely as proposed, but with certain modifications that are responsive to comments received and intended to reduce barriers to the effective use of BOI, while maintaining appropriate protections for the information. Among other things, the final rule broadens the purposes for which financial institutions may use BOI, and E:\FR\FM\22DER3.SGM 22DER3 88742 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations streamlines the requirements for State, local, and Tribal law enforcement access to BOI. FinCEN believes that these changes will help to ensure that the database is highly useful to relevant stakeholders who are authorized to access BOI. FinCEN has made certain other clarifying and technical revisions throughout the rule. We discuss specific comments, modifications, revisions, and the shape of the final rule section by section here. We discuss the elements of the final rule under seven headings: (A) availability of information—general; (B) prohibition on disclosure; (C) disclosure of information by FinCEN; (D) use of information; (E) security and confidentiality requirements; (F) administration of requests for information reported pursuant to 31 CFR 1010.380; and (G) violations. In addition, this section discusses general implementation efforts as they apply to the development of the IT system. ddrumheller on DSK120RN23PROD with RULES3 A. Availability of Information—General Proposed Rule. FinCEN proposed to amend 31 CFR 1010.950(a) to clarify that the disclosure of BOI would not be governed by § 1010.950(a) but instead by proposed 31 CFR 1010.955. Comments Received. FinCEN did not receive comments on this proposal. Final Rule. The final rule adopts the amendments to 31 CFR 1010.950(a) as proposed. The amendments clarify that the disclosure of BOI is governed by a new provision, 31 CFR 1010.955, rather than 31 CFR 1010.950(a). Section 1010.950(a) governs disclosure of other BSA information by Treasury and states that ‘‘[t]he Secretary may within his discretion disclose information reported under this chapter for any reason consistent with the purposes of the Bank Secrecy Act, including those set forth in paragraphs (b) through (d) of this section.’’ In contrast, the CTA authorizes FinCEN to disclose BOI only in limited and specified circumstances.72 As these CTA provisions are separate and distinct from provisions authorizing disclosure of other BSA information, distinct regulatory treatment is warranted.73 B. Prohibition on Disclosure Proposed Rule. Proposed 31 CFR 1010.955(a) would implement the broad prohibition in the CTA on the disclosure of information reported to FinCEN pursuant to 31 CFR 1010.380, except as authorized under the proposed rule. Specifically, the CTA provides that, except as authorized by 72 See 31 U.S.C. 5336(c)(2), (5). e.g., 31 U.S.C. 5319. 73 See, VerDate Sep<11>2014 19:01 Dec 21, 2023 31 U.S.C. 5336(c) and the protocols promulgated thereunder, BOI reported to FinCEN by reporting companies is confidential and shall not be disclosed by (1) an officer or employee of the United States, (2) an officer or employee of any State, local, or Tribal agency, or (3) an officer or employee of any financial institution or regulatory agency receiving information under this subsection of the CTA.74 The proposed rule adopted this broad prohibition on disclosure but extended it in two ways. First, it extended the prohibition to any of the officers or employees described in (1) through (3) above regardless of whether they continue to serve in the position through which they were authorized to receive BOI. Second, it extended the prohibition on disclosure to any individual who receives BOI as a contractor or agent of the United States; as a contractor or agent of a State, local, or Tribal agency; or as a member of the board of directors, contractor, or agent of a financial institution. Comments Received. One commenter supported the proposed extension of the prohibition on disclosure of BOI to contractors or agents of the United States and State, local or Tribal law enforcement agencies, and to contractors, agents, and directors of financial institutions. The commenter noted that this extension furthers the purpose of the CTA and would close potential loopholes around prohibited disclosures of BOI. Several commenters requested greater clarity on the prohibition on disclosure or further extension of the prohibition to additional individuals. One commenter opposed extending the prohibition to agents, contractors, and, in the case of financial institutions, directors, arguing that the existing prohibition in the statute was already overly protective of BOI. One commenter did not believe that the proposed rule adequately clarifies that the prohibition on disclosure covers individuals who receive BOI even after they leave the position in which they were authorized to receive the BOI. This commenter suggested that the rule should include language that explicitly addresses this scenario. This commenter also asked that the prohibition on disclosure explicitly extend to an officer, employee, contactor, or agent of foreign law enforcement agencies, foreign law enforcement agencies, foreign judges, foreign prosecutors, or other foreign authorities. Another commenter suggested adding a provision to prohibit disclosure by attorneys or parties who may receive BOI in the context of a civil 74 See Jkt 262001 PO 00000 31 U.S.C. 5336(c)(2)(A). Frm 00012 Fmt 4701 Sfmt 4700 or criminal proceeding. Another commenter suggested extending access requirements (which would include the prohibition on disclosure of BOI) to any individual under contract or under the remit of an entity authorized to access BOI (non-employee agents), such as consultants, auditors, and third-party service providers. Final Rule. The final rule adopts 31 CFR 1010.955(a) as proposed. FinCEN believes that the proposed rule, including the extension of the disclosure prohibition to certain specified individuals, is necessary to fully carry out the CTA’s intent to protect sensitive BOI and prevent unauthorized disclosure of this information. FinCEN proposed these extensions pursuant to 31 U.S.C. 5336(c)(3)(K), which provides that ‘‘the Secretary of the Treasury shall establish by regulation protocols described in [31 U.S.C. 5336(2)(A)] that . . . provide such other safeguards which the Secretary determines (and which the Secretary prescribes in regulations) to be necessary or appropriate to protect the confidentiality of the beneficial ownership information.’’ Further, after considering the comments to this provision, FinCEN has concluded that this provision is sufficiently clear, in terms of the prohibition on disclosure applying to those individuals who leave a position in which they were previously authorized to receive BOI. The proposed rule stated that, except as authorized, BOI is confidential and ‘‘shall not be disclosed by any individual who receives such information as’’ an officer, employee, contractor, agent, or director. This prohibition means that individuals who receive BOI when acting in these specified roles cannot disclose BOI (except as authorized in the rule) regardless of whether they continue in or leave these roles. FinCEN has also determined not to add language extending the prohibition on disclosure to an officer, employee, contactor, or agent of foreign law enforcement agencies, foreign law enforcement agencies, foreign judges, foreign prosecutors, or other foreign authorities. FinCEN believes there are existing mechanisms in place under the CTA that would appropriately protect BOI in these circumstances. For example, in the context of foreign access to BOI through a request made under an international treaty, agreement, or convention, the handling and use of BOI would be governed by the disclosure and use provisions of the relevant international treaty, agreement, or E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 convention.75 As for trusted foreign countries, the CTA explicitly limits the use of BOI ‘‘for any purpose other than the authorized investigation or national security or intelligence activity’’ 76 and proposed 31 CFR 1010.955(c)(2)(ix) (now renumbered as 31 CFR 1010.955(c)(2)(x)) provided that ‘‘any information disclosed by FinCEN under paragraph (b) of this section shall not be further disclosed to any other person for any purpose without the prior written consent of FinCEN, or as authorized by applicable protocols or guidance that FinCEN may issue.’’ In the event of improper disclosure of BOI by a trusted foreign country, FinCEN would consider all available remedies including FinCEN’s authority to reject a request for BOI or suspend a requesting party’s access to such information.77 FinCEN has also decided not to specifically extend the prohibition on disclosure to parties in a civil and criminal proceeding because it views this scenario as being covered by the regulations, specifically by the provision prohibiting redisclosure without the prior consent of FinCEN.78 FinCEN will consider, however, whether to issue guidance or FAQs to further address issues relating to public disclosure of BOI in civil or criminal proceedings. With respect to the commenter suggesting that FinCEN add language to specify that individuals under contract or under the remit of an entity authorized to access BOI (including consultants, auditors, and third-party service providers) are covered by the prohibition on disclosure, FinCEN believes that proposed 31 CFR 1010.955(a) sufficiently covers these individuals as contractors or agents. C. Disclosure of Information by FinCEN As discussed in the proposed rule, the CTA authorizes FinCEN to disclose BOI to five categories of recipients. The first category consists of recipients in Federal, State, local and Tribal government agencies.79 Within this category, FinCEN may disclose BOI to Federal agencies engaged in national security, intelligence, or law enforcement activity if the requested BOI is for use in furtherance of such activity.80 FinCEN may also disclose BOI to State, local, and Tribal law enforcement agencies if ‘‘a court of competent jurisdiction’’ has authorized 75 See 31 U.S.C. 5336(c)(2)(B)(ii)(I)(aa). U.S.C. 5336(c)(2)(B)(ii)(II)(bb). 77 See proposed 31 CFR 1010.955(e)(3). 78 31 CFR 1010.955(c)(2)(ix). 79 31 U.S.C. 5336(c)(2)(B) and 31 U.S.C. 5336(c)(5). 80 31 U.S.C. 5336(c)(2)(B)(i)(I). the law enforcement agency to seek the information in a criminal or civil investigation.81 The second category consists of foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (‘‘foreign requesters’’), provided their requests come through an intermediary Federal agency, meet certain additional criteria, and are made either (1) under an international treaty, agreement, or convention, or (2) via a request made by law enforcement, judicial, or prosecutorial authorities in a trusted foreign country (when no international treaty, agreement, or convention is available).82 The third authorized recipient category are financial institutions using BOI to facilitate compliance with customer due diligence requirements under applicable law, provided the financial institution requesting the BOI has the relevant reporting company’s consent for such disclosure.83 The fourth category is Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence requirements.84 These agencies may access the BOI information that financial institutions they supervise received from FinCEN. The fifth and final category of authorized BOI recipients is the Treasury itself, for which the CTA provides access to BOI tied to an officer or employee’s official duties requiring BOI inspection or disclosure, including for tax administration.85 i. Disclosure to Federal Agencies for Use in Furtherance of National Security, Intelligence, or Law Enforcement Activity a. Definition of National Security Activity Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(i) specified that national security activity includes activity pertaining to the national defense or foreign relations of the United States, as well as activity to protect against threats to the safety and security of the United States. Comments Received. Commenters generally provided broad support for the definition of national security activity in proposed 31 CFR 1010.955(b)(1)(i), stating that the activity-based approach 76 31 VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 81 31 U.S.C. 5336(c)(2)(B)(i)(II). U.S.C. 5336(c)(2)(B)(ii). 83 31 U.S.C. 5336(c)(2)(B)(iii). 84 31 U.S.C. 5336(c)(2)(B)(iv). 85 31 U.S.C. 5336(c)(5). 82 31 PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 88743 is reasonable, clear, and adequately justified. Some commenters expressed the view that the definition should not be further delimited or narrowed, as this may impede the intent of the CTA. One recommended that FinCEN clarify that the proposed definition is not meant to limit Congress’s language identifying specific national security threats in the CTA’s Sense-of-Congress provision.86 Another commenter suggested adding a reference in the preamble to the illicit finance strategy, as defined in the 2021 Memorandum on Establishing the Fight Against Corruption as a Core United States National Security Interest. One commenter urged FinCEN to include the words ‘‘threats to’’ before ‘‘national defense or foreign relations,’’ and two commenters suggested substituting the word ‘‘means’’ for ‘‘includes’’ to clarify that the definition is finite. In particular, one of those two commenters noted that replacing ‘‘includes’’ with ‘‘means’’ would be consistent with the statute cited in support of the proposed regulation, 8 U.S.C. 1189(d)(2), which provides that national security ‘‘means’’ the national defense, foreign relations, or economic interests of the United States. Final Rule. The final rule largely adopts the proposed rule, but substitutes ‘‘means’’ for ‘‘includes’’ in definition in the final rule. FinCEN agrees that changing ‘‘includes’’ to ‘‘means’’ will provide additional clarity while still retaining the approach described by the proposed rule that draws, in large part, from 8 U.S.C. 1189(d)(2). Section 1189(d)(2) defines ‘‘national security’’ for purposes of designating foreign terrorist organizations (FTOs) that threaten U.S. national security. As stated in the proposed rule, FinCEN believes this definition is appropriate for several reasons. First, the FTO statute covers a broad range of national security threats to the United States, including those with an economic dimension. That scope is consonant with the CTA’s goal to combat national security threats that are financial in nature, such as money laundering, terrorist financing, counterfeiting, fraud, and foreign corruption.87 Second, the FTO statute arises in a related context insofar as it involves efforts to hinder illicit actors’ economic activities. FinCEN does not intend this definition to exclude any national security threats that Congress identified in the CTA. FinCEN also notes that it will determine whether an agency’s activities are ‘‘national security activities’’ that qualify the agency for 86 See 87 See E:\FR\FM\22DER3.SGM CTA, section 6402(3). CTA, section 6402(3)–(6). 22DER3 88744 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 access to BOI during the process to establish a MOU governing access between the agency and FinCEN. Some undertakings, such as vetting potential recipients of foreign assistance and procurement contract awards, might constitute ‘‘national security activities’’ depending on the particular facts and circumstances, and therefore may be evaluated as part of that process. FinCEN declines to incorporate into the final rule reference to specific strategies to counter corruption or other types of specific national security threats. Acts of foreign corruption are specifically mentioned in the CTA as acts that harm the national security interests of the United States, and as discussed above, are already contemplated by the final rule. Referencing specific strategy documents is therefore unnecessary and could cause confusion. b. Definition of Intelligence Activity Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(ii) defines intelligence activity to include ‘‘all activities conducted by elements of the United States Intelligence Community that are authorized pursuant to Executive Order 12333 (‘‘E.O. 12333’’), as amended, or any succeeding executive order.’’ Comments Received. A number of commenters supported the proposed rule’s definition of ‘‘intelligence activity,’’ and noted the approach taken by FinCEN is reasonable. Some commenters expressed that the definition should not be further delimited or narrowed, as this may impede the intent of the CTA. Three commenters suggested that the use of the word ‘‘includes’’ was too broad, and it should be replaced with ‘‘means’’ to clarify that the definition is finite. One commenter argued that ‘‘includes’’ implies that the proposed rule might allow sharing BOI under the intelligence activity provisions of 31 U.S.C. 5336, outside of the authorization provided by E.O. 12333. This commenter also argued that the definition of ‘‘intelligence activity’’ in proposed 31 CFR 1010.955(b)(1)(ii) conflicts with proposed 31 CFR 1010.955(b)(3)(i), which refers to disclosures of BOI by FinCEN to an intermediary Federal agency for transmission to a foreign agency for assistance in intelligence activity authorized under the laws of a foreign country. The commenter suggested that FinCEN should revise § 1010.955(b)(1)(ii) to read ‘‘(ii) intelligence activity, when used in this section in reference to an activity of the United States, means all activities that elements of the United States intelligence community are authorized to conduct pursuant to E.O. 12333, as VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 amended, or any successor [E]xecutive order.’’ A different commenter recommended that FinCEN make clear that E.O. 12333’s limitation on the use of United States person information by the Intelligence Community would not constrain use of BOI, if the use was otherwise permitted by the CTA. One commenter, while concurring with the proposed rule as sensible and workable, suggested it should include a reference to the 2021 U.S. Strategy on Countering Corruption and its calls for increasing intelligence activity on corrupt actors and bolstering information sharing between the Intelligence Community and law enforcement. Final Rule. The final rule adopts the proposed rule with two clarifying edits. First, FinCEN adopts the recommendation to substitute ‘‘means’’ for ‘‘includes’’ within the definition, in order to clarify that ‘‘intelligence activity’’ covers only those activities conducted by elements of the United States Intelligence Community that are authorized pursuant to E.O. 12333, as amended, or any succeeding executive order. Second, FinCEN agrees that the definition of ‘‘intelligence activity’’ in proposed 31 CFR 1010.955(b)(1)(ii) was incompatible with the authorization for sharing of BOI with foreign requesters in proposed 31 CFR 1010.955(b)(3)(i), as it proposed to define intelligence activities throughout the rule exclusively by reference to U.S. legal authorities. The final rule corrects this mistake by inserting new 31 CFR 1010.955(b)(3)(iv), a definition of the term ‘‘intelligence activity authorized under the laws of a foreign country’’ that clearly relates such activity to foreign legal authorities that establish what constitute legally acceptable intelligence activities under the laws of another country, as E.O. 12333 does for U.S. law.88 FinCEN does not believe that additional clarifications are necessary regarding the scope of access to BOI by Federal agencies engaged in intelligence activity, to the extent the activity relates to United States persons. E.O. 12333 sets out the scope of authorized activity and, among other things, provides that agencies shall, consistent with the provisions of the Order, prepare and provide intelligence in a manner that ‘‘allows the full and free exchange of information, consistent with applicable law and presidential guidance.’’ Internal procedures established pursuant to the 88 FinCEN has addressed an analogous drafting problem in proposed 31 CFR 1010.955(b)(1)(i) with reference to the term ‘‘national security activity’’ by defining the term ‘‘national security activity authorized under the laws of a foreign country’’ in new 31 CFR 1010.955(b)(3)(iii). PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 Order further govern the handling of information relating to U.S. persons. Finally, FinCEN declines to incorporate into the final rule reference to specific strategies to counter corruption or other national security threats, while noting that acts of foreign corruption are specifically mentioned in the CTA as acts that harm the national security interests of the United States. c. Definition of Law Enforcement Activity Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(iii) defined ‘‘law enforcement activity’’ to include ‘‘investigative and enforcement activities relating to civil or criminal violations of law.’’ The proposed rule specified that such activity does not include routine supervision or examination of a financial institution by a Federal regulatory agency with authority described in 31 CFR 1010.955(b)(4)(ii)(A). The inclusion of both investigation and enforcement as ‘‘law enforcement activity’’ was based on FinCEN’s view that it is consistent with the CTA to authorize Federal agencies to access BOI at all stages of the law enforcement process. Comments Received. Commenters generally agreed with the definition in 31 CFR 1010.955(b)(1)(iii), stating that the proposed rule is reasonable and workable. One commenter emphasized the need for law enforcement to have access to BOI during all stages of criminal or civil investigations. Two commenters suggested that the use of the word ‘‘includes’’ was too broad, and it should be replaced with ‘‘means’’ to clarify that the definition is finite. Some commenters expressed that the definition should not be further delimited or narrowed, as this may impede the intent of the CTA. One commenter concurred with the exclusion of routine supervision and examination by Federal regulator agencies, as these activities are covered by a separate section of the CTA, and the proposed rule also recognizes that Federal functional regulators engage in law enforcement activities that will enable them to request BOI. However, two commenters took an opposite view, arguing that the proposed rule should be modified either at 31 CFR 1010.955(b)(1) or 31 CFR 1010.955(b)(1)(iii) to explicitly include disclosure to Federal regulatory agencies for law enforcement purposes as a disclosure governed by 1010.955(b)(1). Another commenter supported the broad definition of law enforcement activity but sought an explicit extension of the definition to State, local, and Tribal authorities, as E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations well as the inclusion of specific exemplar criminal violations related to taxes, wages, theft, forgery, insurance fraud, and human trafficking. Final Rule. The final rule adopts the proposed rule with the exception of one clarifying edit. Specifically, FinCEN adopts the recommendation to substitute ‘‘means’’ for ‘‘includes’’ within the definition to further clarify the definition, while retaining the approach from the proposed rule. FinCEN also notes that it will determine whether an agency’s activities are ‘‘law enforcement activities’’ qualifying it for access to BOI during the process to establish a MOU between the agency and FinCEN governing such access. FinCEN declines to incorporate into the final rule reference to specific criminal violations, as this is redundant considering the existing language regarding civil or criminal violations of law. Regarding the role of Federal regulatory agencies, FinCEN does not believe that a change to the proposed language is warranted. As stated in the proposed rule, the access provision for Federal agencies engaged in national security, intelligence, or law enforcement activities focuses on activity categories, not agency types. To the extent a Federal functional regulator engages in civil law enforcement activities, those activities would be covered by the law enforcement access provision. ii. Disclosure to State, local, and Tribal Law Enforcement Agencies for Use in Criminal or Civil Investigations ddrumheller on DSK120RN23PROD with RULES3 a. A Court of Competent Jurisdiction Proposed Rule. The CTA permits FinCEN to disclose BOI upon receipt of a request, through appropriate protocols, ‘‘from a State, local, or Tribal law enforcement agency, if a court of competent jurisdiction, including any officer of such a court, has authorized the law enforcement agency to seek the information in a criminal or civil investigation.’’ 89 Proposed 31 CFR 1010.955(b)(2) implements this provision and would allow FinCEN to disclose BOI to a State, local, or Tribal law enforcement agency that requests this information if a court of competent jurisdiction has authorized the agency’s request for the BOI for use in a criminal or civil investigation. Proposed 31 CFR 1010.955(b)(2)(i) further provided that a court of competent jurisdiction is ‘‘any court’’ with jurisdiction over the criminal or civil investigation for which 89 31 U.S.C. 5336(c)(2)(B)(i)(II). VerDate Sep<11>2014 19:01 Dec 21, 2023 a State, local, or Tribal agency requests BOI. Comments Received. Commenters were generally supportive of the definition of the phrase ‘‘court of competent jurisdiction’’ in proposed 31 CFR 1010.955(b)(2)(i). These commenters noted that the proposed definition is flexible enough to encompass a wide variety of courts and will facilitate the ability of State, local, or Tribal law enforcement agencies to seek court authorization for the purpose of requesting BOI from FinCEN. Several commenters requested that FinCEN explicitly include administrative courts and adjudicatory bodies such as boards and commissions. One commenter noted that state and local governments allow civil law enforcement proceedings to occur in hearings before adjudicators that are independent of law enforcement, such as administrative law judges. Some commenters also recommended that ‘‘court of competent jurisdiction’’ should explicitly account for jurisdiction over an investigation or a ‘‘case’’ because BOI may be relevant to both. Final Rule. The final rule adopts 31 CFR 1010.955(b)(2)(i) as proposed. FinCEN agrees with the commenters who thought the level of clarity provided by this provision is sufficient to encompass the various types of courts and adjudicatory bodies that exist in State, local, and Tribal jurisdictions, including those which some commenters suggested that FinCEN explicitly reference. The reference in this provision to ‘‘any court’’ that has jurisdiction over an investigation provides broad and, in FinCEN’s view, sufficiently clear applicability. As such, FinCEN believes it is unnecessary to list specific types of adjudicatory bodies that would qualify as a court of competent jurisdiction. Further, in response to the comments that requested that FinCEN clarify that a court of competent jurisdiction includes an adjudicative body with jurisdiction over both investigations and ‘‘cases’’ (understood as ongoing civil or criminal court proceedings), FinCEN has followed the formulation in the CTA, which uses the term ‘‘criminal or civil investigation.’’ 90 However, FinCEN does not believe that this clause excludes State, local, or Tribal agencies from seeking a request for BOI as part of an ongoing ‘‘case,’’ whether that be a civil proceeding or a criminal prosecution following an initial investigation. 90 See Jkt 262001 PO 00000 31 U.S.C. 5336(c)(2)(B)(i)(II). Frm 00015 Fmt 4701 Sfmt 4700 88745 b. State, Local, or Tribal Law Enforcement Agencies Proposed Rule. Proposed 31 CFR 1010.955(b)(2)(ii) defined a ‘‘State, local, or Tribal law enforcement agency’’ as ‘‘an agency of a State, local, or Tribal government that is authorized by law to engage in the investigation or enforcement of civil or criminal violations of law.’’ The proposed rule defined this term in a manner similar to the proposed definition of ‘‘law enforcement activity’’ for Federal agencies to ensure consistency regardless of whether law enforcement activity occurs at the Federal, State, local, or Tribal, level. Comments Received. Several commenters argued that FinCEN should clarify in the final rule that State, local, and Tribal law enforcement agencies include various types of administrative and regulatory bodies covering a range of subject areas such as labor and employment, contracting, tax, unemployment insurance, and workers’ compensation, among others. One commenter recommended that FinCEN amend 31 CFR 1010.955(b)(2)(ii) to state that a State, local or Tribal law enforcement agency is one that is authorized by law to investigate or enforce civil, criminal, ‘‘or administrative’’ violations of law. Some commenters noted that many State, local, and Tribal regulatory agencies also have law enforcement functions insofar as they have the authority to both issue regulations and enforce compliance with regulations. One of these commenters believed that proposed 31 CFR 1010.955(b)(2)(ii) already covers these regulatory agencies. Finally, one commenter suggested that FinCEN clarify that local enforcement agencies include non-Federal agencies within the government of the District of Columbia. Final Rule. FinCEN is adopting 31 CFR 1010.955(b)(2)(ii) as proposed. FinCEN believes that this provision is adequately clear and sufficiently flexible to encompass the many varieties of State, local, and Tribal law enforcement agencies that engage in the investigation or enforcement of civil or criminal violations of law, including regulatory violations. As a result, it is not necessary, in FinCEN’s view, to specifically list examples of State, local, and Tribal law enforcement agencies, as some commenters requested. Furthermore, in response to the commenter’s request that the final rule explicitly include non-Federal agencies within the District of Columbia, FinCEN believes this is unnecessary because the E:\FR\FM\22DER3.SGM 22DER3 88746 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 definition of ‘‘State’’ in the CTA includes the District of Columbia.91 c. Court Authorization and Written Certification Proposed Rule. The CTA provides that FinCEN may disclose BOI to a State, local, or Tribal law enforcement agency ‘‘if a court of competent jurisdiction, including any officer of such a court, has authorized the law enforcement agency to seek the information in a criminal or civil investigation.’’ 92 Proposed 31 CFR 1010.955(b)(2) would implement this provision of the CTA by allowing FinCEN to disclose BOI to a State, local, or Tribal law enforcement agency that requests this information if a court of competent jurisdiction authorizes the agency’s request for the BOI for use in a criminal or civil investigation. FinCEN did not propose to identify every kind of court authorization that would satisfy the CTA, and it did not propose to specify which officers of a court may provide authorization. That is because FinCEN recognized that State, local, and Tribal practices are likely to be varied with respect to how law enforcement agencies may be authorized by a court to seek information in connection with an investigation or prosecution. In addition, the proposed rule included safeguards designed to protect the confidentiality of BOI and ensure it is not misused. These requirements were also meant to ensure that FinCEN could properly audit requests for BOI from State, local, and Tribal law enforcement agencies, consistent with the CTA’s audit requirements.93 As a result, proposed 31 CFR 1010.955(d)(1)(ii)(B)(2) required that when a State, local, or Tribal law enforcement agency requests BOI from FinCEN, the head of such an agency or their designee would have to submit to FinCEN, ‘‘in the form and manner as FinCEN shall prescribe:’’ (i) a copy of a court order from a court of competent jurisdiction authorizing the agency to seek the BOI in a criminal or civil investigation, and (ii) a written justification explaining why the request for BOI is relevant to the civil or criminal investigation. The proposed rule further explained that after FinCEN reviewed the relevant authorization for sufficiency and approved the request, an agency could then conduct searches using multiple search fields consistent in scope with the court authorization and subject to audit by FinCEN.94 Thus, 91 31 U.S.C. 5336(a)(12); see also supra note 5. 31 U.S.C. 5336(c)(2)(B)(i)(II). 93 See 31 U.S.C. 5336(c)(3)(J). 94 87 FR at 77409–10. 92 See VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 the court order and written justification requirements in the proposed rule were meant to serve multiple purposes—i.e., to ensure that a court of competent jurisdiction has authorized an agency’s request for the BOI, protect the security of confidential BOI, and enable FinCEN to conduct required audits of searches by State, local, or Tribal law enforcement agencies. These requirements were proposed alongside other security and confidentiality requirements applicable to all domestic government requesters of BOI. For example, the proposed rule explained that Federal agency users of FinCEN’s BOI database would be required to submit brief justifications to FinCEN for their searches, explaining how their searches further a particular qualifying activity, and these justifications would be subject to oversight and audit by FinCEN. Additionally, the proposed rule required a Federal, State, local, or Tribal agency requesting BOI to minimize to the greatest practicable extent the scope of BOI it seeks, consistent with the agency’s purpose in requesting BOI. Comments Received. Commenters generally opposed the requirements in proposed 31 CFR 1010.955(d)(1)(ii)(B)(2)(i) that the head of a State, local, or Tribal law enforcement agency, or their designee, must obtain and submit a copy of a court order to FinCEN authorizing the agency to seek BOI in a criminal or civil investigation. Commenters opposed the court order requirements for two broad reasons: they argued that, first, these requirements conflict with the plain language of the CTA as well as with congressional intent; and second, these requirements would create burdens on State, local, and Tribal agencies that would impede their ability to access BOI in a timely manner, which would be contrary to the goals of the CTA. In general, commenters encouraged FinCEN to take a more flexible approach in specifying the manner in which a court authorizes a request for BOI, which court personnel can provide that authorization, and at what stage in an investigation or proceeding agencies may seek the BOI from FinCEN. In sum, these commenters argued that the final rule should adopt the broader concept of court authorization from the CTA. Commenters also generally opposed for largely the same reasons the requirement in proposed 31 CFR 1010.955(d)(1)(ii)(B)(2)(i) that the agency head must also submit a written justification to FinCEN explaining the relevance of the BOI for the investigation. Specifically, some commenters noted that the CTA does PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 not contain such a requirement, expressed concerns that this requirement would unduly delay requests by agencies for BOI, and highlighted the challenges involved in FinCEN reviewing each justification provided by an agency that requests BOI. In the first category of objections to the court order requirement, several commenters argued that the proposed rule conflicts with the plain language of the CTA which does not require a court order for State, local, or Tribal law enforcement agencies seeking access to BOI. Instead, these commenters pointed out that the CTA uses the general concept of court authorization, which could also include other kinds of authorization. Commenters also cited the legislative history of the CTA in arguing that Congress intended to create a less formal and more flexible process. These commenters noted that Congress had considered and rejected a narrower concept than court authorization when debating the CTA’s provision concerning State, local, and Tribal law enforcement agency access to BOI. In the second category of objections to the proposed court order requirement, commenters argued that a court order requirement would place unnecessary burdens on State, local, and Tribal law enforcement agencies as well as the courts involved because of the need to take additional efforts to obtain a court order. These burdens would be exacerbated because these agencies often face greater resource constraints compared to their Federal counterparts. The result would be delays in investigations. One commenter noted that the requirement could give some courts the impression that formal pleadings, evidence-based standards, or a hearing is necessary to authorize a request for BOI. Furthermore, commenters argued that a court order requirement would effectively restrict agencies to working only with a narrow category of court officers, most likely a judge, rather than ‘‘any officer of such court’’ as the CTA permits. These commenters also argued that, as a result, the court order requirement conflicts with the CTA. One commenter recommended that the final rule should clearly state that a court officer includes any individual who exercises court authority, including a judge, magistrate, clerk, bailiff, sheriff, prosecutor, clerk assistant, or other personnel that the court designates to authorize a request for BOI. A few commenters argued that since an attorney is commonly considered a ‘‘court officer,’’ and many jurisdictions allow attorneys to issue subpoenas, E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations attorneys should be able to authorize a request for BOI. However, one commenter disagreed with this view, arguing that only court personnel should be allowed to authorize an agency’s request for BOI. In addition, one commenter requested that FinCEN provide guidance to court officials who are involved in authorizing an agency’s request for BOI, setting forth the proper procedures for reviewing these requests as well as potentially providing an authorization form for agencies and courts to use. Commenters also recommended that FinCEN provide flexibility in how the court order was reported to FinCEN. Several commenters also highlighted the need for flexibility regarding when in the course of a civil or criminal investigation courts may authorize a State, local, or Tribal law enforcement agency to seek BOI. For example, some commenters requested that FinCEN clarify in the final rule that a grand jury subpoena qualifies as court authorization under the CTA. Some commenters also argued that the final rule should provide more clarity regarding how prosecutors can draft grand jury subpoenas to ensure that they would satisfy the court authorization requirement. Commenters also requested that the final rule clarify that courts should be permitted to authorize BOI requests throughout the full life cycle of an investigation, including after the initiation of a civil or criminal proceeding. As for the written justification requirement in the proposed rule, commenters argued that it could limit the ability of State, local, and Tribal law enforcement agencies to access BOI, and commenters noted that there is no such requirement in the text of the CTA. Several commenters argued that the written justification requirement would create a double review process in which these agencies would first have to obtain approval from a court for their request for BOI, and then they would need to gain a second level of approval from FinCEN. According to these commenters, FinCEN would compare the written justification to the court order, and based on its review, could reject the court’s decision to authorize an agency’s request for BOI. Some commenters argued that such case-bycase review of justifications by FinCEN would overwhelm FinCEN’s resources and cause significant delays in the ability of State, local, and Tribal law enforcement agencies to access BOI.95 95 Commenters made several other arguments against the written justification requirement. For example, another commenter argued that it would VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 The result, according to several commenters, is that the written justification requirement would undermine the CTA’s policy goal that the database be ‘‘highly useful’’ to law enforcement.96 Finally, some commenters focused on alternative approaches to State, local, and Tribal law enforcement access to BOI. One commenter argued that the final rule should require that State, local, and Tribal law enforcement agencies obtain a grand jury subpoena in order to request BOI, and this commenter also supported the written justification requirement. One commenter raised concerns about whether courts could adequately protect the privacy of BOI and argued that a separate government agency should be responsible for managing BOI access requests on behalf of State, local, and Tribal agencies. Further, one commenter noted that the CTA itself had imposed stricter requirements on State, local, and Tribal agencies than it imposed upon their Federal counterparts since the CTA imposed a court authorization requirement on the former agencies. This commenter believed that statutory changes would be necessary to remove the court authorization requirement in order to make it simpler for State, local, and Tribal agencies to access the BOI database. Final Rule. The final rule adopts the requirements for State, local, and Tribal law enforcement agencies’ access to BOI in proposed 31 CFR 1010.955(b)(2) without change. However, FinCEN was persuaded by comments that were critical of the requirements in proposed 31 CFR 1010.955(d)(1)(ii)(B)(2) that State, local, and Tribal law enforcement agencies submit a copy of a court order and written justification for FinCEN review prior to searching for BOI. Accordingly, FinCEN has made several changes to that provision in the final rule. These revisions are intended to streamline State, local, and Tribal law enforcement agency access to BOI and reduce burdens on these agencies and courts as well as on FinCEN, while at the same time maintaining robust confidentiality and security requirements for these agencies and be inappropriate for FinCEN to require ‘‘justification’’ from State, local, or Tribal law enforcement agencies because the CTA only required ‘‘certifications’’ from Federal agency heads; that FinCEN does not have the required subject matter expertise to evaluate justifications; and that the term ‘‘justification’’ implied a level of persuasiveness that would be required in the written statements that State, local, or Tribal law enforcement agencies provide when they request BOI. 96 See CTA, section 6402(8)(C). PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 88747 FinCEN oversight and audit of these requests. First, § 1010.955(d)(1)(ii)(B)(2)(i) will no longer require that these agencies obtain a specific form of court authorization, such as a court order. Instead, the final rule requires only that State, local, and Tribal law enforcement agencies obtain ‘‘court authorization’’ to seek BOI from FinCEN as part of a civil or criminal investigation. As the preamble to the proposed rule noted, FinCEN requested comment on the various types of relevant court authorization that exist at the State, local, and Tribal level, and requested that commenters explain what role courts or court officers play in authorizing evidence-gathering activities, what existing practices involve court authorization, and the extent to which new court processes could be developed and integrated into existing practices to satisfy the CTA’s authorization requirement. FinCEN also requested comment on the need for access to BOI at different stages of an investigation, as well as the privacy interests that may be implicated by such access. In requesting comment on these topics, FinCEN sought greater clarity on the various mechanisms in which courts might satisfy the CTA standard of ‘‘court authorization.’’ The comments that FinCEN received provided greater clarity on how State, local, and Tribal law enforcement agencies could satisfy the CTA’s court authorization requirement while also meeting FinCEN’s obligations under the CTA to protect the confidentiality of BOI and prevent potential misuse, including by being able to audit requests by agencies for BOI. FinCEN agrees that requiring State, local, and Tribal law enforcement agencies to obtain a court order may create unnecessary burdens. FinCEN further agrees that the statutory language concerning court authorization would maintain sufficient flexibility and facilitate access to BOI by State, local, and Tribal law enforcement agencies while still protecting against unauthorized use or disclosure. FinCEN intends the final rule to provide enough flexibility so that a variety of court officers—such as a judge, clerk of the court, or magistrate—could provide authorization at appropriate stages of the investigation process. FinCEN may issue guidance or FAQs on this subject in the future if needed, including, for example, on how the court authorization requirement would apply to grand jury proceedings. Such guidance may also further address questions about court personnel, stages of the investigation, court procedures E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88748 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations for reviewing requests for BOI, and other topics concerning court authorization in the context of specific factual circumstances. However, FinCEN agrees with those commenters who argued that being an attorney, by itself, is not sufficient to empower an individual to grant the required court authorization under the CTA. As discussed in the proposed rule, FinCEN does not believe the CTA, which includes numerous provisions limiting who may access BOI, permits any individual with a license to practice law to authorize the disclosure of BOI, even if they are sometimes referred to as ‘‘officers of the court’’ in other contexts. FinCEN further does not agree with the commenter that suggested that a separate government agency, apart from a court of competent jurisdiction, should handle BOI requests from State, local, or Tribal law enforcement agencies. The CTA is clear that these agencies must seek court authorization in order to request BOI from FinCEN, and FinCEN believes that the security and confidentiality requirements reflected in the final rule will be sufficient to protect against unauthorized use or disclosure. Second, rather than submit a copy of the authorization (such as a copy of a court order) to FinCEN, § 1010.955(d)(1)(ii)(B)(2) now only requires that State, local, and Tribal law enforcement agencies (1) certify that they have received authorization to seek BOI from a court of competent jurisdiction and that the BOI is relevant to a civil or criminal investigation, and (2) provide a description of the information the court has authorized the agency to seek.97 FinCEN is persuaded by comments stating that the requirement in the proposed rule would have set more stringent requirements for State, local, and Tribal law enforcement agencies than would apply to their Federal counterparts. FinCEN is further persuaded by comments that FinCEN should instead allow these agencies to certify that they have obtained appropriate authorization from a court of competent jurisdiction. FinCEN does not intend to look behind these certifications to assess the sufficiency of a court’s authorization at the time a request is submitted. Instead, the final rule clearly reflects FinCEN’s role in auditing requesting agencies’ BOI requests, which requires a process to ensure that a request for BOI by a State, local, or Tribal law enforcement agency remains within the terms of the court authorization. FinCEN believes that the 97 FinCEN will specify the precise method of certification at a later date. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 certification requirement, along with the requirement to provide a description of the information the court has authorized the agency to seek, will provide FinCEN with a sufficiently robust means to effectively conduct oversight and audit of such access. Third, in response to commenters’ concerns, the final rule eliminates the written justification requirement in proposed 31 CFR 1010.955(d)(1)(ii)(B)(2)(ii). Moreover, after considering commenters’ concerns about potential delays associated with a case-by-case review of written justifications from these agencies in connection with BOI requests, and taking into account available resources, FinCEN has determined that, as a policy matter, it will not conduct individual reviews of each request for BOI by State, local, or Tribal law enforcement agencies when they are submitted. Rather, consistent with requirements of the CTA, FinCEN will conduct robust audit and oversight of State, local, and Tribal law enforcement agency searches for BOI to ensure that BOI is requested for authorized purposes by authorized recipients. Finally, by adopting the broad notion of court authorization that the CTA uses, FinCEN is also choosing not to further specify in the rule the particular stages of an investigation during which courts could authorize a request for BOI by State, local, or Tribal agencies. iii. Disclosure for Use in Furtherance of Foreign National Security, Intelligence, or Law Enforcement Activity a. General Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to disclose BOI to foreign requesters when certain criteria were satisfied. The criteria were that the foreign request for BOI must (1) come to FinCEN through an intermediary Federal agency; (2) be for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country; and (3) either be made under an international treaty, agreement, or convention, or, when no such instrument was available, be an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country. Comments Received. A few commenters supported both foreign requester access to BOI and the threshold requirements for that access. Another commenter stated that the proposed rule should specify timelines for processing and responding to foreign requests. One commenter stated that PO 00000 Frm 00018 Fmt 4701 Sfmt 4700 BOI should not be shared with foreign requesters at all. Final Rule. FinCEN adopts the proposed rule without changes. The final rule is consistent with the letter, spirit, and purposes of the CTA by permitting foreign requesters to obtain BOI for, and use it in, the full range of activities contemplated by 31 U.S.C. 5336(c)(2)(B)(ii) (i.e., law enforcement, national security, and intelligence activities). The rule also resolves ambiguities arising from inconsistent statutory language. Specifically, one part of the CTA’s foreign access provision appears to require a request to arise from a foreign ‘‘investigation or prosecution,’’ 98 while another appears to allow a foreign requester to use BOI to further any ‘‘authorized investigation or national security or intelligence activity.’’ 99 The final rule resolves this discrepancy by clarifying that authorized national security and intelligence activities, as well as law enforcement investigations or prosecutions, could be a basis for a BOI request. FinCEN declines to specify timelines for processing and responding to foreign requests. At this juncture, FinCEN does not have sufficient data to support a prediction about the average amount of time it will take to issue a response to a foreign request. Average response times for requests from foreign countries when no international treaty, agreement, or convention applies are particularly hard to predict. These may often require highly fact-intensive assessments of both the requester and the request, require broad analysis of U.S. interests and priorities, and involve consultation with other relevant U.S. government agencies. Such assessments could take a matter of days or significantly longer. While sharing under international treaties, conventions, or agreements might follow more predictable timelines, unforeseeable procedural, legal, or inter-governmental impediments hurdles could create delays. FinCEN commits to processing requests as quickly as practicable with available resources rather than establish deadlines based on limited data. b. Intermediary Federal Agency Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to disclose BOI to foreign requesters when certain criteria were satisfied. One criterion identified by the CTA and the proposed regulation was that requests for BOI must come to FinCEN through an intermediary Federal agency. 98 31 99 31 E:\FR\FM\22DER3.SGM U.S.C. 5336(c)(2)(B)(ii)(I). U.S.C. 5336(c)(2)(B)(ii)(II)(bb). 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations The CTA did not identify particular intermediary Federal agencies, and FinCEN did not propose to identify any by regulation. FinCEN instead stated its intention to work with Federal agencies to identify agencies suited to serving as intermediaries between FinCEN and foreign requesters. For example, one indicator of potential suitability identified by FinCEN in the Access NPRM was a Federal agency having regular engagement and familiarity with foreign law enforcement agencies, judges, prosecutors, central authorities, or competent authorities on matters related to law enforcement, national security, or intelligence activity. Other factors would include whether a prospective intermediary Federal agency has established policies, procedures, and communication channels for sharing information with those foreign parties, and whether the prospective intermediary Federal agency represents the U.S. government in relevant international treaties, agreements, or conventions; other factors include the expected number of requests that the agency could receive, and the ability of the agency to efficiently process requests while managing risks of unauthorized disclosure. In the Access NPRM, FinCEN stated that it would work with potential intermediary Federal agencies to: (1) ensure that they have secure systems for BOI storage; (2) enter into MOUs outlining expectations and responsibilities; (3) translate the CTA foreign sharing requirements into evaluation criteria against which intermediary Federal agencies could review requests from foreign requesters; (4) integrate the evaluation criteria into the intermediary Federal agencies’ existing information-sharing policies and procedures; (5) develop additional security protocols and systems as required under the CTA and its implementing regulations; and (6) ensure that intermediary Federal agency personnel have sufficient training on applicable requirements under the CTA and its implementing regulations. Under the proposal, FinCEN would exercise oversight and audit functions to ensure that intermediary Federal agencies adhere to requirements and take appropriate measures to mitigate the risk of foreign requesters abusing the information. Given its longstanding relationships and relevant experience as the financial intelligence unit (FIU) of the United States, FinCEN proposed to directly receive, evaluate, and respond to requests for BOI from foreign FIUs. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 Comments Received. One commenter expressed surprise that the proposed rule did not include examples of intermediary Federal agencies, while another commenter supported the potential for any Federal agency to become an intermediary Federal agency. There were varying perspectives on the proposal that FinCEN should act as an intermediary Federal agency for BOI requests from foreign FIUs. One commenter stated that foreign requesters might funnel all requests for BOI through their FIUs if FinCEN served as an intermediary Federal agency for foreign FIU requests, which would significantly increase FinCEN’s workload. That commenter also said that exchanges through FIUs were not admissible in court. In contrast, one commenter indicated that FinCEN’s role should be broadened to include receiving, reviewing, and evaluating all foreign requests, not just those from foreign FIUs. Another commenter asked FinCEN to clarify that, when reviewing and responding to requests for BOI from foreign FIUs, FinCEN would adhere to the proposed requirements applicable to other intermediary Federal agencies. Final Rule. FinCEN adopts the proposed rule without any changes. FinCEN is still in the early stages of working to identify intermediary Federal agencies, and therefore is not in a position to list those agencies in a regulation. FinCEN can anticipate several Federal agencies that likely could serve as intermediary Federal agencies given that (1) the rule contemplates FinCEN taking indirect requests for BOI from foreign requesters; (2) requests will be for assistance in law enforcement investigations or prosecutions, or for a national security or intelligence activity, authorized under the laws of the relevant foreign country; and (3) many requests for BOI will come under international treaties, agreements, and conventions. Federal agencies that are likely to meet these criteria include the U.S. Departments of State and Justice, the Federal Bureau of Investigation, U.S. Customs and Border Protection, the IRS, and member agencies of the Intelligence Community. This list only provides examples of Federal agencies whose activities seem to align with the functions of an intermediary Federal agency and is not intended to create expectations regarding possible intermediary Federal agencies. FinCEN itself will very likely act as the intermediary Federal agency for requests for BOI from foreign FIUs. As the FIU for the United States, FinCEN already has policies and procedures for, and extensive experience in, sharing PO 00000 Frm 00019 Fmt 4701 Sfmt 4700 88749 information related to national security, intelligence, and law enforcement activities with foreign FIUs through the Egmont Group. Accordingly, FinCEN could leverage existing processes and relationships to fulfill the requirements of the CTA and its implementing regulations. FinCEN does not expect that foreign requesters will funnel all requests for BOI through their FIUs and overwhelm FinCEN. The rule permits foreign FIUs to request BOI in two scenarios. The first scenario is when two conditions apply: (1) the request is for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country, and (2) a governing international treaty, agreement, or convention identifies the foreign FIU as the central or competent authority in the matter or otherwise dictates that the foreign FIU should request BOI from FinCEN. The second scenario in which a foreign FIU may request BOI is when there is no international treaty, agreement, or convention available. In this scenario, the foreign FIU may request BOI from FinCEN when (1) the request is for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country, and (2) the FIU qualifies as a law enforcement (i.e., authorized by law to engage in the investigation or enforcement of civil or criminal violations of law), judicial, or prosecutorial authority of a trusted foreign country. Both scenarios involve multiple requirements that a foreign FIU must satisfy to request BOI from FinCEN and are unlikely to result in a large number of potential requests from foreign FIUs. On the question of BOI admissibility, FinCEN does not agree with the claim by one commenter that information exchanges through FIUs necessarily render the disclosed information inadmissible in courts around the world with enough frequency to warrant concern. Furthermore, if information exchanges between FIUs do render information inadmissible in some foreign courts, the CTA and this final rule provide means other than FIU exchanges by which foreign requesters may obtain BOI, namely through foreign judges, prosecutors, law enforcement agencies, and other central and competent authorities.100 FinCEN is confident that foreign requesters that require admissible BOI, that are 100 See 31 U.S.C. 5336(c)(2)(B)(ii); 31 CFR 1010.955(b)(3). E:\FR\FM\22DER3.SGM 22DER3 88750 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 authorized to receive BOI under the terms set forth in the CTA and this final rule, and that satisfy all applicable criteria for BOI disclosure will be able to obtain the information they need in an admissible form through an intermediary Federal agency. Nonetheless, FinCEN believes it should act as an intermediary Federal agency for BOI requests from foreign FIUs. Receiving, reviewing, and responding to requests for BOI from all foreign requesters would not be feasible, given FinCEN’s resource limitations. c. Foreign Central or Competent Authority Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to disclose BOI to foreign requesters when certain criteria were satisfied. The CTA did not define central or competent authorities, and so FinCEN proposed to make clear that ‘‘[a] relevant ‘foreign central authority or foreign competent authority’ would be the agency identified in an international treaty, agreement, or convention under which a foreign request is made’’ (emphasis added.) This decision was based on FinCEN’s understanding that ‘‘foreign central authority’’ and ‘‘foreign competent authority’’ are terms of art typically defined within the context of a particular agreement. FinCEN’s goal was to remove any ambiguity around the terms without unduly excluding appropriate foreign requesters from access to BOI. Comments Received. One commenter pointed to the FATF and the Egmont Group as potential means of identifying foreign central and competent authorities. Specifically, the commenter stated that, because the United States is a member of both organizations, either body’s method of designating foreign central or competent authorities (with appropriate safeguards) should allow an agency designated through that method to qualify as a foreign central or competent authority for the purposes of the CTA. Another commenter stated that requiring foreign central and competent authorities to be identified as such in a governing international treaty, agreement, or convention was overly restrictive. The commenter’s concern stems from the word ‘‘in.’’ To support its position, the commenter points to the Hague Convention for Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters and the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters. The commenter states that both agreements provide for the use of a central authority for the receipt of VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 requests for service or evidence by requiring a contracting state to designate a central authority and organize the central authority in accordance with its own law. Requiring designation of that central authority upfront in the treaty itself, the commenter claims, would remove some level of flexibility, and would require cumbersome treaty amendment processes were a party to change the specified central authority. As an alternative, this same commenter suggested looking to the service provisions of the Foreign Sovereign Immunities Act, and in particular 28 U.S.C. 1608, to allow for largely undefined ‘‘special arrangements’’ to govern BOI disclosure through agencies other than central authorities. The commenter again pointed to the difficulty of changing treaties to reflect new central authorities, and viewed ‘‘special arrangements’’ as possibly providing ‘‘an approach to better manage the foreign access provisions of the CTA on a case-by-case basis.’’ Final Rule. FinCEN adopts the proposed rule, but with a clarification about its meaning. In the course of drafting the Access NPRM, FinCEN conducted extensive outreach to the Department of State, the Department of Justice, and other Federal agencies that participate in international affairs on behalf of the United States. As a result, Treasury understands that ‘‘central authority’’ and ‘‘competent authority’’ are referents that may be reliant on international treaties, agreements, and conventions for context and meaning. If an institution derives its status as a central and competent authority pursuant to an international treaty, agreement, or convention, then by definition requiring foreign central and competent authorities to be identified as such under governing international treaties, agreements, or conventions is not overly restrictive. In contrast, FATF and the Egmont Group are not international bodies established by treaty, agreement, or convention, nor do they issue, implement, or administer any of the international treaties, agreements, or conventions that make an institution a central or competent authority. That said, information from both bodies could be useful in determining whether foreign countries are ‘‘trusted’’ in situations when no international treaty, agreement, or convention is available. When such an agreement is available, a commenter makes a reasonable point that the instrument might not specifically identify particular central or competent authorities, but might instead direct contracting states to identify them PO 00000 Frm 00020 Fmt 4701 Sfmt 4700 through other means. The Hague conventions, which the commenter points to as examples, are instructive. As the commenter notes, both conventions require contracting states to identify central authorities to administer convention obligations, but do not themselves identify specific institutions of any particular governments as central authorities. That work is left to implementing statutes and regulations in contracting states. FinCEN understands that this is a common arrangement in international agreements. Consequently, for purposes of 31 CFR 1010.955(b)(3), a foreign central or competent authority may be identified as such either directly by a governing treaty, agreement, or convention, or by the statutes, regulations, or other legal means by which the relevant foreign requester country has implemented the agreement. With this clarification, FinCEN sees no need to resort to ‘‘special arrangements’’ under 28 U.S.C. 1608 of the Foreign Sovereign Immunities Act to disclose BOI to foreign requesters. The CTA is clear about which foreign requesters may obtain BOI from FinCEN, as well as the criteria they must satisfy and the general process they must follow to obtain it. The resulting framework reflects the requirements of the CTA but remains flexible enough to accomplish the stated aims and purposes of the CTA without need for supplemental measures. d. Trusted Foreign Country Proposed Rule. Proposed 31 CFR 1010.955(b)(3)(ii)(B) authorized FinCEN to disclose BOI in response to official requests by law enforcement, judicial, or prosecutorial authorities of ‘‘trusted’’ foreign countries when other criteria are satisfied. The other criteria were that the request for BOI must (1) come to FinCEN through an intermediary Federal agency; and (2) be for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country. In keeping with the CTA, the ‘‘trusted foreign country’’ requirement would come into play when there is no international treaty, agreement, or convention available under which the relevant foreign country could make the request. The CTA does not provide criteria for determining whether a particular foreign country is ‘‘trusted,’’ leaving FinCEN with flexibility to make the determination. FinCEN considered identifying particular countries or groups of countries as ‘‘trusted’’ for the E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations purposes of receiving BOI, but determined that such a restrictive approach could arbitrarily exclude foreign requesters with whom sharing BOI might be appropriate in some cases but not others. FinCEN proposed in the Access NPRM to instead consult with relevant U.S. government agencies on a case-by-case basis to determine whether to disclose BOI to foreign requesters when no international treaty, agreement, or convention applies. In making these determinations, FinCEN and the consulting agencies would consider U.S. priorities and interests, as well as the ability of a foreign requester to maintain the security and confidentiality of requested BOI. Comments Received. Commenters generally wanted to know either which foreign countries would be ‘‘trusted’’ or the criteria by which FinCEN would identify trusted foreign countries. One commenter wanted a searchable list of trusted foreign countries. Multiple commenters suggested that FinCEN publicly define its trust criteria, with some arguing that a non-transparent case-by-case determination process could yield unjustifiably disparate treatment. One commenter suggested either defining ‘‘trusted’’ or dropping the term entirely and relying solely on treaties, agreements, and conventions. Another commenter noted a FinCEN definition would promote consistency of access. A few commenters argued that FinCEN should not have sole discretion to determine which countries are trusted, as such decisions have implications for national security and foreign relations. One commenter supported FinCEN’s decision not to develop a prior list of trusted foreign countries because such a list would inevitably change over time. That same commenter further argued, however, that FinCEN should define the ‘‘relevant U.S. government agencies’’ with which it would consult to make trust determinations as including the Departments of State and Justice, and should announce that, at a minimum, FinCEN will treat members of NATO, the EU, and the G7 group of nations as trusted foreign countries absent special circumstances. Another commenter stated that FinCEN had taken a sensible approach regarding the trusted foreign country requirements, but might consider giving advance notice to countries that would explicitly not be trusted. Final Rule. FinCEN adopts the proposed rule with limited clarifications. FinCEN agrees with the commenter that the rule would benefit from identifying particular agencies VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 with which FinCEN is likely to consult when no international treaty, agreement, or convention applies to a foreign request for BOI and FinCEN needs to determine whether the country at issue is ‘‘trusted.’’ FinCEN is therefore specifying in the rule that, in determining whether a request is from a ‘‘trusted foreign country,’’ FinCEN will make such determination with the concurrence of the Department of State, and in consultation with the Department of Justice or other agencies as necessary and appropriate. Specifying that FinCEN will seek the Department of State’s concurrence on these determinations reflects the Department of State’s central role in conducting U.S. foreign policy and foreign relations. FinCEN has also explicitly identified the Department of Justice to reflect the major role that the Department Justice plays in U.S. relations with other countries in law enforcement, national security, and intelligence activities, and the commensurate likelihood that FinCEN will regularly consult it when making trust determinations. However, identifying these two agencies within the regulation does not mean that FinCEN will only consult them when making trust determinations, or that FinCEN is delegating its authority to make those determinations. Indeed, FinCEN will consult with agencies other than the Departments of State and Justice when appropriate, e.g., when those agencies have relevant equities, expertise, or relationships with foreign governments. While FinCEN is choosing to clarify the interagency coordination element of its trust determination process, it is not defining ‘‘trusted’’ or enumerating criteria it will use to assess requests for BOI when no international treaty, agreement, or convention applies. There are likely too many situations in which providing other countries with BOI might be in the best interest of the United States to reduce that complexity to a single definition or list. That same variability also weighs against preemptively identifying certain countries as either wholly trusted or not. Particular facts and circumstances are relevant to the determination and may result in different outcomes where the same foreign requester is involved. These are dynamic situations to which FinCEN must be able to respond flexibly, in consultation with relevant Federal agencies. At this time, FinCEN believes that it is important to retain appropriate discretion in making determinations regarding ‘‘trusted’’ foreign countries in particular PO 00000 Frm 00021 Fmt 4701 Sfmt 4700 88751 circumstances, and declines to adopt restrictive definitions or criteria that could be detrimental to broader U.S. interests. e. Training Proposed Rule. Proposed 31 CFR 1010.955(d)(3)(i) required foreign requesters to handle, disclose, and use BOI consistent with the requirements of the applicable treaty, agreement, or convention under which it was requested. 31 CFR 1010.955(d)(3)(ii), meanwhile, applied to situations in which there was no applicable treaty, agreement, or convention, and would have imposed on foreign BOI requesters certain general requirements that the CTA imposes on all requesting agencies.101 FinCEN believed these measures were necessary to protect the security and confidentiality of BOI provided to foreign requesters.102 Proposed requirements applicable to foreign requesters when no treaty, agreement, or convention applies included having security standards and procedures, maintaining a secure storage system that complies with the security standards that the foreign requester applies to the most sensitive unclassified information it handles, minimizing the amount of information requested, and restricting personnel access to BOI to persons ‘‘[w]ho have undergone training on the appropriate handling and safeguarding [BOI].’’ Foreign requesters that request and receive BOI under an applicable international treaty, agreement, or convention would not have these requirements under the proposed rule, given that such requesters would be governed by standards and procedures prescribed by the applicable international treaty, agreement, or convention. Comments Received. Several commenters indicated that FinCEN should revise the requirement that foreign requesters limit access to BOI to persons ‘‘[w]ho have undergone training on the appropriate handling and safeguarding of [BOI].’’ One commenter expressed the view that the training requirement was stricter than the one proposed for domestic agencies, under which personnel with access to BOI either had to receive training on its handling and safeguarding or received the information from someone who had undergone such training. Another commenter suggested that FinCEN adopt this domestic agency standard for 101 In the Access NPRM, FinCEN misnumbered this provision as a duplicate 31 CFR 1010.955(d)(3)(i). 102 See 31 U.S.C. 5336(c)(3)(A), (K). E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88752 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations foreign requesters. Other commenters variously stated that training in this context is superfluous given the other requirements applicable to foreign requesters, that training requirements would exceed reciprocal standards imposed by foreign partners when U.S. government agencies obtained beneficial ownership information from foreign BOI databases, and that FinCEN should define with greater precision the requirements for foreign requester training. Final Rule. FinCEN adopts the proposed rule with changes. First, FinCEN fixed the typographical error in 31 CFR 1010.955(d)(3)(ii) to reflect the provision’s correct numbering. Second, FinCEN has removed the proposed rule’s requirement that an individual from an intermediary Federal agency submit personal details when making each request on behalf of a foreign requester. That is because the individual will submit identifying information to FinCEN at the time they create an account to access FinCEN’s BO IT system, which will be necessary to make requests on behalf of foreign governments. FinCEN will provide guidance to intermediary Federal agencies at a later time on how users of the BO IT system will set up these accounts. The third change to the proposed provision pertains to certification requirements in situations involving ‘‘trusted’’ foreign countries. FinCEN originally proposed to require each intermediary Federal agency requesting BOI on behalf of a foreign requester under proposed 31 CFR 1010.955(b)(3)(ii)(B) to submit to FinCEN ‘‘[a] written explanation of the specific purpose for which the foreign person is seeking information . . . along with an accompanying certification that the information is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country; will be used only for the particular purpose or activity for which it is requested; and will be handled consistent with [applicable security and confidentiality requirements].’’ FinCEN is modifying the certification requirement to avoid unintentionally imposing on intermediary Federal agencies a requirement to certify to a foreign requester’s future behavior with respect to the BOI obtained, which the agency could not know with certainty. Under the final rule, such agencies must still certify to FinCEN that the information is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 intelligence activity, that is authorized under the laws of the relevant foreign country. However, the remainder of the original certification has been modified to require only that the intermediary Federal agency certify that the foreign requester has been informed that BOI disclosed to it may only be used for the particular purpose or activity for which it was requested and must be handled consistent with applicable requirements. This modified certification better reflects what an intermediary Federal agency can know and practically control. FinCEN’s expectation that foreign requesters will handle BOI in accordance with applicable requirements and protect it to the best of their ability remains unchanged, as does FinCEN’s willingness to withhold BOI from requesters that fail to meet that expectation. FinCEN declines to make additional revisions suggested by comments. The requirement that foreign requesters apply appropriate standards and procedures to protect BOI and limit BOI dissemination to trained individuals is reasonable under the circumstances and unlikely to place undue burden on foreign requesters. It is critical that all authorized BOI recipients–including foreign requesters–take steps to keep BOI confidential and secure and to prevent its misuse given the sensitivity of the personal information to be reported to the BO IT system. The application of BOI security standards and procedures, including the training requirement, effectuates these underlying objectives, including by requiring individual foreign recipients to have knowledge of those requirements. FinCEN also declines to prescribe specific requirements on the structure and content of any training. FinCEN recognizes that standards and procedures will vary by foreign requester to reflect organizational and resource differences. At root, every individual with access to BOI should understand the purposes for which BOI can be used, the persons with whom they can share BOI with and for what purpose, and the manner in which they must secure it. The differences between the application of BOI security standards and procedures for domestic and foreign requesters reflect legal and practical considerations. First, the CTA specifically prescribes certain standards for domestic agencies that have access to BOI, but not for foreign requesters. Second, the Access NPRM proposed standards and procedures that are tailored to particular circumstances and challenges involving foreign requesters, PO 00000 Frm 00022 Fmt 4701 Sfmt 4700 and are arguably less burdensome that those required of domestic agencies. For example, FinCEN decided not to propose an MOU requirement for foreign requesters because (1) foreign requesters will not have direct access to the BO IT system, and (2) FinCEN anticipates a significantly lower volume of foreign requests in general relative to other stakeholders. In contrast, the MOUs with domestic agencies are appropriate to mitigate the risks inherent in the expected volume and frequency of searches in the BO IT system. FinCEN anticipates that these MOUs will, among other things, memorialize and implement requirements regarding reports and certifications, periodic training of individual recipients of BOI, personnel access restrictions, re-disclosure limitations, and access to audit and oversight mechanisms. The MOUs will also include security plans covering topics related to personnel security (e.g., eligibility limitations, screening standards, certifications and notification requirements); physical security (system connections and use, conditions of access, data maintenance); computer security (use and access policies, standards related to passwords, transmission, storage, and encryption); and inspections and compliance. Foreign BOI requesters will only receive BOI through intermediary Federal agencies that will themselves be subject to the detailed MOUs described above. Those intermediary Federal agencies will in turn work with foreign requesters either in accordance with applicable international treaties, conventions, or agreements or under standards and protocols that ‘‘trusted’’ foreign countries would be required to develop and implement. FinCEN also decided against the imposition of audit requirements on foreign requesters because of practical considerations. First, for the sharing of BOI governed by international treaties, agreements, or conventions, the relevant treaty, agreement, or convention would govern whether audits would be permissible. If no treaty, agreement, or convention applied, practical challenges would limit FinCEN’s ability to conduct audits of a foreign requester’s BOI systems and practices. In order to conduct such an audit, FinCEN would need to negotiate appropriate audit mechanisms, likely on a reciprocal basis, given that foreign governments will likely be reluctant to allow FinCEN extensive access to comprehensively audit their secure IT systems and records. FinCEN would also likely need to commit substantial staff and personnel to conduct either remote or E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 in-person audits in foreign countries. While FinCEN could refrain from sharing BOI with foreign requesters that refuse to be subject to audits, it would likely degrade international cooperation on law enforcement and national security efforts and constrain the United States’ ability to combat cross-border illicit finance and criminal activity, including fentanyl trafficking, fraud, and sanctions evasion, among other crimes. f. Re-Disclosure of BOI in the Context of Foreign Requests Proposed Rule. The Access NPRM proposed rules that effectuated the foreign government access provisions in a series of steps that, first, would have authorized FinCEN to disclose BOI to intermediary Federal agencies; would have then authorized those agencies to redisclose BOI to the foreign requester; and would have authorized the foreign requester to use the BOI, including through re-disclosure, consistent with the applicable treaty. Specifically, proposed 31 CFR 1010.955(b)(3) authorized FinCEN to disclose BOI to intermediary Federal agencies for transmission to the foreign requester where (1) an intermediary Federal agency provides FinCEN with the foreign request; (2) the requested BOI is for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country; and (3) the request is made under an international treaty, agreement, or convention, or, when no such instrument is available, is an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country. Proposed 31 CFR 1010.955(c)(2)(v) would further authorize the intermediary Federal agency to disclose the BOI to the foreign requester, consistent with the CTA’s foreign government provisions. Lastly, proposed 31 CFR 1010.955(c)(2)(viii) allowed a foreign requester that receives BOI pursuant to a request made under an international treaty, agreement, or convention to redisclose and use that BOI in accordance with the requirements of the relevant agreement. This approach accords with the CTA’s preference for disclosing BOI to foreign requesters under international agreements and allowing the agreements to govern how the information is used, as indicated in the introductory paragraph in 31 U.S.C. 5336(c)(2)(B)(ii). For foreign requests that are not governed by an international treaty, agreement, or convention, FinCEN proposed reviewing re-disclosure VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 requests from foreign requesters either on a case-by-case basis or pursuant to alternative arrangements with intermediary Federal agencies where those intermediary Federal agencies have ongoing relationships with the particular foreign requester. This would occur under former 31 CFR 1010.955(c)(2)(ix), now 31 CFR 1010.955(c)(2)(x), discussed in section III.D.ii. Comments Received. Commenters noted several concerns regarding the redisclosure of BOI by intermediary Federal agencies to foreign requesters. One commenter indicated that the proposed rule conflicted with section 2.3 of E.O. 12333 of December 4, 1981, as amended, by authorizing U.S. intelligence agencies to share information about U.S. persons with other countries’ intelligence agencies without regard to the Executive Order’s restrictions on collecting, retaining, and disseminating U.S. person information.103 Another commenter criticized the proposed rule as unduly vague about the foreign recipient of BOI, the scope of application of the proposed 31 CFR 1010.955(c)(2)(viii), and whether re-disclosure would be consistent with the CTA where no international treaty, agreement, or convention is available. A third commenter observed that FinCEN could broaden § 1010.955(c)(2)(v) to allow intermediary Federal agencies to share BOI with ‘‘relevant countries’’ without first obtaining FinCEN’s permission, while a fourth warned FinCEN to ensure that foreign countries do not use their tax authorities to obtain BOI for non-tax related reasons under the pretense of tax administration. Final Rule. FinCEN views the proposed rules to be sufficiently clear and adopts the provisions as proposed, though the related provision at new 31 CFR 1010.955(c)(2)(x) is revised as discussed in section III.D.ii. Proposed 31 CFR 1010.955(c)(2)(v) makes clear that an intermediary Federal agency may disclose BOI only ‘‘to the foreign person on whose behalf the Federal agency made the request’’ to FinCEN (emphasis added). The provision is sufficiently specific as to the foreign recipient that receives BOI. The rule also is not in conflict with E.O. 12333, section 2.3 and, in particular, the requirement that elements of the Intelligence Community disseminate information concerning U.S. persons only in accordance with certain established procedures. FinCEN expects that intermediary Federal agency 103 E.O. 12333, 46 FR 59941 (Dec. 4, 1981) (‘‘United States Intelligence Activities’’). PO 00000 Frm 00023 Fmt 4701 Sfmt 4700 88753 requests, and transmission of BOI to foreign requesters will be in accordance with any legal requirements, and internal protocols, applicable to the intermediary Federal agency. For instance, the guidelines of the Office of the Director of National Intelligence require that, for dissemination of information regarding U.S. persons to foreign governments, those entities must agree to restrictions on the use and dissemination of that information as necessary.104 Furthermore, consistent with the rule, an agency’s internal protocols might place certain process requirements on the agency in making the request to FinCEN for BOI or on the re-disclosure of the information to the foreign requester. Former 31 CFR 1010.955(c)(2)(viii)— now renumbered as 31 CFR 1010.955(c)(2)(ix)—permits foreign requesters to re-disclose BOI consistent with the terms of the applicable international treaty, agreement, or convention, but does not authorize disclosure in any other contexts. Relying on the general authority in 31 CFR 1010.955(c)(2)(x) for FinCEN to authorize by prior written authorization, protocols, or guidance redisclosures in furtherance of an authorized purpose or activity, FinCEN will review redisclosure requests from foreign requesters that did not request BOI pursuant to an international treaty, agreement, or convention. FinCEN also declines to permit intermediary Federal agencies to redisclose BOI to a defined list of countries, without either a governing international treaty, agreement, or convention or separate FinCEN authorization. The scenario the proposal seems to contemplate involves an intermediary Federal agency requesting BOI from FinCEN on behalf of one foreign requester, storing the information in the intermediary Federal agency’s own database, and then later re-disclosing that same BOI to a different foreign requester that wants the information and satisfies the eligibility criteria that would qualify it to have the intermediary Federal agency request the information from FinCEN on its behalf. In this case, however, the intermediary Federal agency would not need to retrieve the BOI from FinCEN’s BO IT system or involve FinCEN at all because it would already have the relevant BOI in its own system. 104 See Office of the Direct of National Intelligence, Attorney General (AG) Guidelines, Approved December 23, 2020, available at https:// www.intel.gov/assets/documents/ 702%20Documents/declassified/AGGs/ ODNI%20guidelines%20as%20approved %20by%20AG%2012.23.20_OCR.pdf. E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88754 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations FinCEN views this proposal as infeasible for a number of reasons. First, a reporting company might update its reported BOI in the interim between the times when two foreign requesters want the information. The intermediary Federal agency’s stored BOI would not reflect those updates and would be out of date and potentially useless or confounding in an investigation or prosecution if passed to a foreign requester. Having foreign requesters receive outdated BOI would undercut the CTA’s objective of providing useful information to authorized BOI recipients. The second consideration weighing against the proposal has to do with auditing. FinCEN has extensive audit requirements with respect to Federal agencies that receive BOI under the CTA. While an intermediary Federal agency will not need FinCEN’s explicit and case-specific ‘‘permission’’ to retrieve BOI from the BO IT system on a foreign requester’s behalf, the intermediary will need to submit to FinCEN certain information about itself, the request, and the requester. FinCEN will in turn rely on this information to satisfy those audit requirements. The act of an intermediary Federal agency retrieving BOI from the BO IT system will also serve as information upon which FinCEN will rely as a proxy record indicating that a corresponding disclosure to a foreign requester occurred. Were FinCEN to authorize intermediary Federal agencies to store and disseminate FinCEN-derived BOI from their own databases instead of responding to foreign requests for BOI with information retrieved from FinCEN’s BO IT system on a one-for-one basis, all of that information would be lost, more difficult to collect, or more subject to tampering. All of these considerations lead FinCEN to reject this proposal. Finally, FinCEN takes seriously concerns about foreign requesters and other authorized BOI recipients requesting BOI for one purpose and using it for other purposes the CTA does not permit. This includes concerns about pretextual requests made under the guise of activities related to the enforcement of tax laws, a relatively narrow aspect of ‘‘tax administration,’’ as defined in 26 U.S.C. 6103(b)(4), for which the CTA authorizes BOI disclosure to foreign requesters.105 105 The CTA does not authorize FinCEN to provide BOI to foreign requestors for any and all tax administration purposes. Some foreign tax-related activities, however, including enforcement of tax laws, may qualify as law enforcement, national security, or intelligence activities under the CTA, VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 These concerns are why FinCEN is requiring intermediary Federal agencies to certify that requests for BOI from foreign requesters satisfy applicable CTA requirements, including the requirement that requests be for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country. That said, a foreign requester that originally obtained BOI for use in furtherance of an authorized law enforcement investigation or prosecution (including those related to tax laws), or for an authorized national security or intelligence activity, would not necessarily be prohibited from also using that BOI for other purposes when the BOI was obtained pursuant to a treaty, agreement, or convention. As explained previously, if a foreign requester obtains BOI pursuant to a treaty, agreement, or convention for use in an activity authorized by the CTA, then the requester is authorized to subsequently use or re-disclose the information in any way permitted by that treaty, agreement, or convention. This allowance reflects the general deference to treaties, agreements, and conventions exhibited by the CTA’s foreign sharing provision. In all cases, FinCEN will work with intermediary Federal agencies to ensure that foreign requesters understand and agree to abide by the restrictions and requirements associated with BOI, as well as the potential consequences for failing to honor those commitments. iv. Disclosure To Facilitate Compliance With Customer Due Diligence Requirements The Access NPRM proposed to authorize disclosure of BOI to facilitate compliance with ‘‘customer due diligence requirements under applicable law’’ 106 to: (1) ‘‘financial institutions’’ subject to such customer due diligence requirements, and (2) ‘‘Federal functional regulator[s] or other appropriate regulatory agenc[ies] . . . authorized by law to assess, supervise, enforce, or otherwise determine the compliance’’ of financial institutions with such requirements.107 FinCEN therefore discusses the proposed terms of financial institution and regulator access to BOI separately. 31 U.S.C. 5336(c)(2)(B)(ii), permitting BOI to be disclosed under appropriate circumstances. 106 31 U.S.C. 5336(c)(2)(B)(iii); proposed 31 CFR 1010.955(b)(4). 107 Id.; 31 U.S.C. 5336(c)(2)(B)(iii), (C)(i). PO 00000 Frm 00024 Fmt 4701 Sfmt 4700 a. Financial Institutions The Access NPRM proposed provisions specifying which financial institutions 108 could access BOI, the uses to which they could put BOI, and the prerequisites for their access and terms of use. The NPRM’s treatment of financial institution access was the focus of many comments. Numerous comments focused both on FinCEN’s proposal to limit the financial institutions authorized to obtain BOI to those with responsibilities under FinCEN’s 2016 CDD Rule and on FinCEN’s proposal to limit those financial institutions’ use of BOI to facilitating compliance with 31 CFR 1010.230 of the 2016 CDD Rule. Both of those subjects are discussed here. Other issues raised by commenters on financial institution access and use of BOI were tied to larger systemic concerns and less closely associated with financial institutions per se, including the consent requirement, confidentiality and security protocols, and redisclosure of BOI. These more systemic comments are addressed elsewhere in this document. Proposed Rule. The CTA authorizes FinCEN to disclose BOI upon receipt of a request ‘‘made by a financial institution subject to customer due diligence requirements, with the consent of the reporting company, to facilitate the compliance of the financial institution with customer due diligence requirements under applicable law.’’ 109 The CTA neither defines ‘‘financial institution subject to customer due diligence requirements’’ nor ‘‘customer due diligence requirements under applicable law.’’ Proposed 31 CFR 1010.955(b)(4)(i) described both the types of financial institutions entitled to request BOI and the purposes for which those financial institutions could use that BOI. Under the rule, FinCEN would disclose BOI to financial institutions ‘‘subject to customer due diligence requirements under applicable law,’’ and that BOI could be used ‘‘in facilitating . . . compliance’’ with those customer due diligence requirements. Section 1010.955(b)(4)(i) further defined the phrase ‘‘customer due diligence requirements under applicable law’’ to mean the requirement imposed on ‘‘covered financial institutions’’ under 31 CFR 1010.230 to identify and 108 FinCEN regulations generally define ‘‘financial institution,’’ including for the purposes of this rule, at 31 CFR 1010.100(t). This general definition is distinct from that of ‘‘covered financial institution,’’ as used in the 2016 CDD Rule and this preamble. Under the 2016 CDD Rule (specifically, 31 CFR 1010.230(f)), ‘‘covered financial institution’’ has the meaning set forth in 31 CFR 1010.605(e)(1). 109 31 U.S.C. 5336(c)(2)(B)(iii). E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 verify beneficial owners of their ‘‘legal entity customers,’’ primarily at account opening.110 These ‘‘covered financial institutions’’ are limited to: banks (including credit unions); brokers or dealers in securities registered, or required to be registered, with the SEC; futures commission merchants and introducing brokers in commodities registered, or required to be registered, with the CFTC; and mutual funds.111 In contrast, other types of financial institutions, such as money services businesses (MSBs) and insurance companies, would not be able to access BOI from FinCEN in light of the 2016 CDD Rule definition. Additionally, under the proposed rule, these financial institutions would be able to use BOI only to comply with 31 CFR 1010.230, but not for other purposes. This approach was designed to enhance security and confidentiality, and facilitate audit and oversight, of the BOI database by describing a defined set of financial institutions and limiting opportunities for unauthorized use or intentional or inadvertent breaches. FinCEN also considered a broader approach that would permit financial institutions with CIP obligations 112 to access the database. A broader approach would have permitted more financial institutions to use BOI for a wider range of compliance activities, such as compliance with CIP regulations. FinCEN specifically requested comments on the interpretation of the phrase ‘‘customer due diligence requirements under applicable law,’’ including whether FinCEN should adopt a broader definition, how to best provide regulatory clarity, and how to maintain the security and confidentiality of BOI if a broader definition were adopted.113 110 31 CFR 1010.230(b). Under the 2016 CDD Rule, ‘‘legal entity customer means a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account,’’ with certain exceptions. Id. 1010.230(e). This definition of ‘‘legal entity customer’’ overlaps with, but is distinct from, the definition of ‘‘reporting company’’ in 31 CFR 1010.380(c) of the Reporting Rule. 111 31 CFR 1010.230(f) (cross-referencing the definition of ‘‘covered financial institutions’’ in 31 CFR 1010.605(e)(1)). 112 See 31 CFR 1020.220, 1023.220, 1024.220, 1026.220. 113 The preamble to the proposed rule noted that FinCEN also had considered defining ‘‘customer due diligence requirements under applicable law’’ to include State, local, and Tribal customer due diligence requirements similar in substance to the 2016 CDD Rule. However, FinCEN chose not to do so, noting that it was unaware of any such requirements. FinCEN invited comments about any State, local, or Tribal laws or regulations that VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 Comments Received. FinCEN received many comments that were critical of FinCEN’s proposed approach. First, commenters asserted that FinCEN’s interpretation ran counter to the plain text of the CTA. Several commenters pointed to the CTA provision directing the Secretary to promulgate regulations that ‘‘facilitate the compliance of [] financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.’’ 114 In order to implement this provision, one commenter noted that FinCEN should allow financial institutions to access BOI for more uses than compliance with 31 CFR 1010.230, and pointed to contrasting references in the CTA to 31 CFR 1010.230 and ‘‘customer due diligence requirements under applicable law’’ as indicative of Congressional intent.115 Another commenter stated that FinCEN erred when it pointed to the Sense of Congress as evidence that Congress understood ‘‘customer due diligence requirements under applicable law’’ did not include ‘‘anti-money laundering, [and] countering the financing of terrorism.’’ 116 Second, commenters argued that the proposed rule’s approach would be burdensome for financial institutions and undermine the usefulness of the BOI database. In particular, commenters claimed that the proposed approach conflicted with the core CTA objectives that the BOI database be ‘‘highly useful’’ to financial institutions,117 and that burdens on financial institutions should be minimized.118 In this respect, one commenter listed the variety of AML/ CFT compliance and sanctions-related tasks for which banks relied on the BOI obtained from legal entity customers under the 2016 CDD Rule, including, for example, compliance with CIP requirements, customer risk ratings, require financial institutions to identify and verify the beneficial owners of legal entity customers. One commenter noted that some states, such as New York, require financial institutions operating in the state to implement AML programs that include general customer identification and customer due diligence requirements. However, this commenter did not cite to any requirements to identify and verify beneficial owners of legal entities, as FinCEN’s 2016 CDD Rule requires. 114 31 U.S.C. 5336(b)(1)(F)(iv)(II). 115 CTA, section 6403(d)(1) (directing the Secretary of the Treasury to revise the 2016 CDD Rule). 116 CTA, section 6402(6)(B). 117 See 31 U.S.C. 5336(b)(1)(F)(iv). 118 See CTA, section 6403(d)(1)(C) (directing that the 2016 CDD Rule be revised to ‘‘reduce any burdens on financial institutions and legal entity customers that are, in light of the enactment of this division and the amendments made by this division, unnecessary or duplicative’’). PO 00000 Frm 00025 Fmt 4701 Sfmt 4700 88755 transaction monitoring, sanctions screening, identifying politically exposed persons, and filing SARs or sanctions-related reports.119 The commenter reiterated that the proposed rule would not provide financial institutions with any additional AML/ CFT compliance value if financial institutions could use FinCEN-collected BOI only as described in the proposed rule; in fact, the commenter confirmed that financial institutions would be unlikely to use the database at all. Other commenters pointed to likely implementation burdens and duplicative requirements, such as the likely need to create a firewall and systems to separate FinCEN-obtained BOI from BOI obtained under the 2016 CDD Rule, given the different purposes for which those two types of BOI could be used. This, in turn, would also impose duplicative requirements on reporting companies, given their need to provide BOI to both FinCEN and to financial institutions. Third, commenters maintained that the proposed approach conflicts with the broader AML/CFT regulatory framework, including supervisory expectations and FinCEN guidance on the role of customer due diligence in a financial institution’s AML program. Several commenters stated squarely that the phrase ‘‘customer due diligence requirements under applicable law’’ clearly encompassed AML/CFT requirements beyond the identification and verification requirements of the 2016 CDD Rule. For example, commenters noted that the 2016 CDD Rule itself interprets ‘‘customer due diligence’’ broadly to encompass ongoing monitoring for reporting suspicious transactions,120 and amends AML program rules to require financial institutions to implement risk-based 119 The commenter noted, and FinCEN agrees, that the 2016 CDD Rule itself imposed no specific limits on how financial institutions could use the BOI collected under that rule, including for AML/ CFT compliance purposes. 120 See 2016 CDD Rule, 81 FR at 29398 (‘‘FinCEN believes that there are four core elements of customer due diligence, and that they should be explicit requirements in the anti-money laundering (AML) program for all covered financial institutions, in order to ensure clarity and consistency across sectors: (1) Customer identification and verification; (2) beneficial ownership identification and verification; (3) understanding the nature and purpose of customer relationships to develop a customer risk profile; and (4) ongoing monitoring for reporting suspicious transactions and, on a risk-basis, maintaining and updating customer information.’’). E:\FR\FM\22DER3.SGM 22DER3 88756 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 procedures for doing so.121 122 Other commenters invoked supervisory expectations around the use of BOI, noting that the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual123 states that banks should specify in their policies, procedures, and processes how BOI will be used to meet other regulatory obligations, such as identifying suspicious activity and identifying parties sanctioned by Treasury’s Office of Foreign Asset Control (OFAC).124 Commenters also provided specific suggestions to broaden the scope of use of BOI, for example, including CIP requirements under 31 CFR 1010.220 and the ongoing customer due diligence requirements under 31 CFR 1010.210 to facilitate the compliance with AML/CFT and customer due diligence requirements under applicable law.125 Finally, some commenters claimed that the proposed approach would make it challenging for financial institutions to comply with other legal or regulatory requirements, such as sanctions screening, and urged FinCEN to broaden the permitted uses of BOI. Fourth, commenters also expressed concerns about the policy reasons for choosing a narrower interpretation of ‘‘customer due diligence requirements under applicable law,’’ for example, easing administration of the BOI database and protecting BOI security and confidentiality. One commenter stated that ease of administration is not a sufficient justification to limit the ways financial institutions can use BOI to combat illicit finance. Several commenters noted that both the CTA, and laws requiring banks to protect the vast amounts of PII for which they are responsible, such as Gramm-LeachBliley, provide multiple safeguards to ensure the confidentiality and security of BOI, including substantial protocols 121 See 2016 CDD Rule, 81 FR at 29457–29458, codified, as amended, at 31 CFR 1020.210(a)(2)(v), 1023.21(b)(5), 1024.210(b)(5), 1026.210(b)(5). 122 One commenter also noted that banks have built their compliance systems to be consistent with the preamble to the 2016 CDD Rule. The commenter indicated that limiting the purposes for which BOI obtained from the database can be used thus would hurt such compliance efforts. 123 FFIEC BSA/AML Examination Manual, available at https://bsaaml.ffiec.gov/manual. 124 Relatedly, another commenter urged FinCEN to consider allowing broad BOI access for purely practical reasons, taking into account the value that BOI provides for financial institutions in meeting their regulatory obligations beyond the 2016 CDD Rule, such as fraud detection, customer identification and verification, and OFAC sanctions screening. 125 In contrast, another commenter asked that FinCEN itemize exactly how financial institutions can use BOI, rather than cross-referencing 31 CFR 1010.230 or any other regulatory provision. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 that financial institutions must follow to access the BOI database. Fifth, while a few commenters expressed support for the limitation on the types of financial institutions with access to BOI, many commenters argued that certain types of financial institutions not subject to the 2016 CDD Rule—in particular, MSBs—would benefit from access to the BOI and that FinCEN’s definition of ‘‘customer due diligence requirements under applicable law’’ thus should be changed to allow these other financial institutions to access FinCEN-collected BOI.126 One commenter noted that MSBs—which are required to implement AML compliance programs with ‘‘policies, procedures, and internal controls reasonably designed’’ to ensure compliance with the BSA127—may be required by those programs to identify and verify the beneficial owners of legal entity customers and authorized agents during onboarding. In this context, the commenter identified FinCEN’s 2016 guidance to MSBs concerning agent monitoring that required MSB principals to identify the owners of an MSB’s agents as a reason for interpreting the term ‘‘customer due diligence requirements under applicable law’’ to include such MSB requirements.128 Lastly, one commenter urged FinCEN to allow any financial institution that has AML program obligations to have access to the BOI database, subject to appropriate security requirements and other access protocols, in order to enhance overall transparency in the U.S. financial system and to effectively fight illicit finance. Final Rule. In light of the comments received, FinCEN has revised its proposed approach towards the financial institutions that will have access to the BOI database and the purposes for which that BOI may be used. The revised regulation now specifies that the clause ‘‘customer due diligence requirements under applicable law’’ includes ‘‘any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, 126 Additionally, two commenters agreed with FinCEN’s proposed definition of ‘‘customer due diligence under applicable law’’ but claimed that this did not lead to the limitations that FinCEN proposed to place on the use of BOI by financial institutions. These commenters asserted that FinCEN’s proposed definition was consistent with a broader authorization for financial institutions to use BOI for any purpose consistent with a financial institution’s anti-financial crimes program, including (but not limited to) AML, sanctions, antibribery, and anti-corruption procedures. 127 See 31 CFR 1022.210(d)(1)(i). 128 FIN–2016–G001, Guidance on Existing AML Program Rule Compliance Obligations for MSB Principals with Respect to Agent Monitoring (Mar. 11, 2016). PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.’’ Accordingly, the final regulations would permit a broader range of financial institutions to access BOI from the FinCEN database for a broader range of purposes than described in the proposed rule should FinCEN choose to afford such access. As discussed below in this section, however, FinCEN, in the exercise of its discretion, intends to permit only financial institutions with obligations under the 2016 CDD Rule to have access to the BOI database at this time. Under this approach, a financial institution can use BOI obtained from FinCEN to help discharge its AML/CFT obligations under the BSA, including its AML program, customer identification, SAR filing, and enhanced due diligence requirements. It can also use BOI to satisfy other requirements, so long as those requirements are designed to counter money laundering or the financing of terrorism or safeguard U.S. national security, and so long as it is reasonably necessary to obtain or verify BOI of legal entity customers to satisfy those requirements. For example, a financial institution may use BOI obtained from FinCEN (with the consent of the reporting company) to facilitate compliance with sanctions imposed by OFAC on individuals and legal entities under the International Emergency Economic Powers Act129 and other legal authorities, such as the Foreign Narcotics Kingpin Designation Act130 and the Global Magnitsky Human Rights Accountability Act.131 These sanctions can have national security and antimoney laundering purposes. Financial institutions regularly use BOI to comply with these sanctions, often through OFAC sanctions screening, including in ascertaining whether sanctions are applicable to persons by virtue of the socalled ‘‘50-percent’’ rule.132 At the same time, there are bounds to the uses of BOI by financial institutions under the final rule. As a threshold matter, the use of BOI should be directly 129 50 U.S.C. 1701–1706. U.S.C. 1901–1908. 131 22 U.S.C. 10101–10103. 132 The ‘‘50 percent rule’’ subjects to U.S. sanctions any entity that is 50 percent owned by a blocked person is itself blocked, and U.S. persons, including domestic financial institutions, are prohibited from transacting business with such an entity. See, e.g., OFAC, Addition of General Licenses for the Official Business of the United States Government and Certain International Organizations and Entities and Updates to the 50 Percent Rule Interpretive in OFAC Sanctions Regulations, 87 FR 78470 (Dec. 21, 2022). 130 21 E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations related to a financial institution’s compliance with a legal obligation that is designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States. For example, the final rule does not permit financial institutions to use BOI from FinCEN in assessing whether to extend credit to a legal entity, or in establishing the price of that credit, when credit decisions are unrelated to AML/CFT or national security purposes. Moreover, FinCEN does not consider general business or commercial uses of BOI, such as client development, to be consistent with AML/CFT or national security purposes. The broader approach taken in the final rule is motivated by both legal and policy considerations. First, FinCEN is persuaded that both the statutory framework and congressional intent are properly read to encompass uses broader than compliance with the 2016 CDD Rule. The CTA provision governing the 2016 CDD Rule revisions directs that the revised rule needs to take into account financial institution access to BOI ‘‘to facilitate the compliance of those financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.’’ 133 The Sense of Congress similarly states that BOI should be available to ‘‘facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.’’ 134 This terminology is broader than a reference to the 2016 CDD Rule. Moreover, commenters correctly point out that the CTA’s specific references to the 2016 CDD Rule contrast with those more general references to customer due diligence requirements elsewhere in the CTA.135 Second, as noted by many commenters, the revised approach will further the overarching purposes of the CTA to combat illicit activity by enabling financial institutions to use BOI for AML/CFT and national security purposes. The revised approach will allow a financial institution to integrate and leverage BOI obtained from FinCEN with other information that the financial institution uses for their full range of customer due diligence activities. It will also reduce the burdens on financial institutions in handling and using BOI, and correspondingly, increase its practical value. 133 CTA, section 6402(d)(1)(B). section 6402(6). 135 CTA, section 6403(d)(1). The final rule also authorizes FinCEN to disclose BOI to a broader range of financial institutions consistent with the revised approach taken with respect to the meaning of ‘‘customer due diligence requirements under applicable law.’’ Accordingly, MSBs and other financial institutions with AML program requirements, such as casinos, along with ‘‘covered financial institutions’’ as defined in the 2016 CDD Rule, would be eligible under the final rule to access the database subject to appropriate security and confidentiality protocols. The final rule, however, accords FinCEN with discretion regarding the scope and timing of access by financial institutions. The CTA does not direct FinCEN to provide access to financial institutions, but rather states that FinCEN ‘‘may disclose’’ BOI to qualifying financial institutions, consistent with the CTA’s security, confidentiality, and provisions regarding the usefulness of the database.136 The final rule, 31 CFR 1010.955(b)(4)(i), likewise preserves this discretion accorded to FinCEN. In the exercise of this discretion, FinCEN intends to provide access as an initial matter to financial institutions that are covered financial institutions under the 2016 CDD Rule. The initial focus on covered financial institutions under the 2016 CDD Rule will allow FinCEN to work towards timely access for those institutions with comprehensive security and confidentiality protocols and compliance and supervisory frameworks regarding the use of that information, while working to further evaluate whether it is appropriate and feasible to expand access to other financial institutions, such as MSBs or casinos, after an initial implementation period. Against the backdrop of the comments received on this provision, FinCEN notes that two core considerations motivate access: the importance of BOI access for effective AML/CFT compliance and the need for security and confidentiality in the handing and use of such BOI. There are estimated to be over 300,000 financial institutions regulated under the BSA that are diverse in size, business types, complexity, and supervisory and regulatory frameworks, in particular, with differences in security and confidentiality requirements. Covered financial institutions under the 2016 CDD Rule are subject to the Gramm-Leach-Bliley security requirements and a national supervisory framework with respect to implementation of those requirements. In contrast, other financial institutions 134 CTA, VerDate Sep<11>2014 19:01 Dec 21, 2023 that are not subject to the 2016 CDD Rule, such as casinos, MSBs, and dealers in precious metals, precious stones, or jewels, are subject to more fragmented security standards that require additional time to evaluate and determine the extent to which standards and oversight mechanisms are required. Along with the development of new, and additional, standards, FinCEN will need to identify and implement additional outreach, help desk training, audit, oversight and other resources to ensure that this larger group of financial institutions complies with the security, confidentiality, and use requirements under the final rule. Lastly, FinCEN will continue to evaluate the usefulness of BOI access to particular industry sectors based on a range of factors, e.g., which financial institutions with AML program requirements have legal entity customers,137 the size of this customer base, and the related illicit finance risks, as it considers further expanding access to additional financial institutions. b. Regulatory Agencies 1. Scope of Regulatory Agency Access to BOI Proposed Rule. The CTA authorizes Federal functional regulators and ‘‘other appropriate regulatory agencies’’ to access ‘‘the information’’ previously made available to financial institutions subject to customer due diligence requirements under applicable law.138 Consistent with this provision, proposed 31 CFR 1010.955(b)(4)(ii) would allow FinCEN to disclose BOI that has been previously provided to a financial institution to a ‘‘Federal functional regulator or other appropriate regulatory agency’’ if the regulator requests it, is authorized by law to assess, supervise, enforce, or otherwise determine the compliance of such financial institution with ‘‘customer due diligence requirements under applicable law’’ (proposed § 1010.955(b)(4)(ii)(A)); will use the BOI solely for that purpose (proposed § 1010.955(b)(4)(ii)(B)); and has entered into an agreement with FinCEN to properly safeguard BOI (proposed § 1010.955(b)(4)(ii)(C)). As discussed in the preceding section (III.C.iv.a), in view of the proposed rule’s approach towards the phrase ‘‘customer due diligence requirements under applicable law,’’ Federal functional regulators and other regulatory agencies would have been authorized to access BOI only to assess, supervise, enforce, or otherwise 137 As 136 31 Jkt 262001 PO 00000 U.S.C. 5336(c)(2)(B). Frm 00027 Fmt 4701 Sfmt 4700 88757 138 31 E:\FR\FM\22DER3.SGM defined at 31 CFR 1010.230(e). U.S.C. 5336(c)(2)(C). 22DER3 88758 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 determine a financial institution’s compliance with 31 CFR 1010.230. Comments Received. Two commenters raised concerns that the limitations on access for regulators were overly restrictive. The comments argued that the proposed rule did not adequately justify why supervisory access should be limited for the sole purpose of determining financial institution compliance with the requirements of 31 CFR 1010.230, and that regulators should have access to the database to assess a financial institution’s compliance with customer due diligence obligations over which regulators broadly have regulatory authority.139 In contrast, one commenter noted skepticism as to whether Federal or state regulators even needed to access the BOI database if financial institutions would not be subject to a requirement to use the database. Absent such a requirement, the commenter noted that financial institutions would likely obtain beneficial ownership information directly from their customers under the 2016 CDD Rule. The commenter further stated that financial institutions should not be responsible for resolving any discrepancies between the BOI reported to FinCEN and the BOI that financial institutions received from their customers. Final Rule. FinCEN retains proposed 31 CFR 1010.955(b)(4)(ii) in the final rule, but the scope of this provision has changed. In light of the revised approach to the phrase ‘‘customer due diligence requirements under applicable law’’ in 31 CFR 1010.955(b)(4)(i), § 1010.955(b)(4)(ii)(A) now provides access to BOI obtained from FinCEN to those regulatory agencies that ‘‘assess, supervise, enforce, or otherwise determine’’ compliance of financial institutions with AML/CFT- or national security-related legal requirements for which BOI access is reasonably necessary. Relatedly, final rule § 1010.955(b)(4)(ii)(B)—which also remains identical to the proposed rule— prescribes that regulatory agencies can now use that BOI obtained from FinCEN to conduct ‘‘the assessment, supervision, or authorized investigation’’ in connection with a financial institution’s use of BOI obtained from FinCEN to comply with 139 This commenter supported FinCEN’s separate statement in the NPRM, 87 FR at 77411, that regulators engaged in national security or law enforcement activities would be able to access BOI under proposed 31 CFR 1010.955(b)(1) in addition to proposed 31 CFR 1010.955(b)(4)(ii), subject to specific conditions and limitations. The commenter viewed this position as partly correcting the limitation of regulatory access to supervising compliance with § 1010.230. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 legal requirements to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States. FinCEN does not expect the number of regulatory agencies with access to BOI under this provision to change significantly under the final rule’s approach, but believes that the supervisory scope will be better matched to effectively supervise financial institutions for AML program implementation. Supervisory agencies that seek to retrieve BOI under § 1010.955(b)(4)(ii)(A) and (B) will continue to be required to enter into an agreement with FinCEN for such access under final rule § 1010.955(b)(4)(ii)(C). FinCEN adopts this provision without change, consistent with the CTA itself.140 FinCEN regards the comment which stated that regulatory access to the BOI database under these provisions will have no value if financial institution use of BOI obtained from FinCEN is not mandatory as incorrect in its understanding. First, the CTA expressly requires FinCEN to provide Federal functional regulators or other appropriate regulatory agencies with access to BOI provided to a financial institution.141 It is true that if financial institutions in fact do not access BOI, regulatory access will be commensurately limited. But less access does not mean no utility: at the very least, regulatory agencies will be able to use their access to gauge the intensity of financial institution use of BOI, and therefore regulatory agency access will aid their understanding of financial institution activity. Likewise, as a policy matter, if financial institutions were to access BOI, supervisory agencies should have access to the same BOI for supervisory purposes to better understand the use and handling of BOI obtained from by financial institutions. FinCEN notes, however, that neither the CTA nor the final rule requires financial institutions to access the BOI database. Under the final rule, the decision whether to access the database is left to the discretion of financial institutions, with the understanding that financial institutions that choose to access the BOI database will make use of such access subject to the use limitations and security and confidentiality requirements of the final rule itself. Accordingly, FinCEN notes that the final rule neither creates nor establishes supervisory expectations with respect to whether and the extent to which financial institutions access the BOI database, or report 140 31 141 31 PO 00000 U.S.C. 5336(c)(2)(C)(iii). U.S.C 5336(c)(2)(C). Frm 00028 Fmt 4701 Sfmt 4700 discrepancies between the BOI obtained from the database and BOI the financial institution may collect through other channels, including, for example, directly from its customers under the 2016 CDD Rule. In summary, the final rule does not create a new regulatory requirement for financial institutions to access BOI from the BO IT System or a supervisory expectation that they do so. The final rule also does not make any changes to the requirements of the 2016 CDD Rule. As such, the Access Rule does not necessitate changes to BSA/ AML compliance programs designed to comply with the (unchanged) 2016 CDD Rule, and other existing BSA requirements, such as customer identification program requirements,142 and suspicious activity reporting.143 However, any access to and use of BOI obtained from the BO IT System must comply with the requirements of the CTA and the Access Rule. FinCEN will address whether, and if so how, financial institutions should access BOI for CDD Rule compliance purposes in its revision of the 2016 CDD Rule. 2. Meaning of ‘‘Other Appropriate Regulatory Agencies’’ Proposed Rule. Proposed 31 CFR 1010.955(b)(4)(ii) would permit FinCEN to disclose BOI to either a ‘‘Federal functional regulator’’ or an ‘‘other appropriate regulatory agency . . . [that] assessed, supervised, enforced, or otherwise determined the compliance of such financial institution with customer due diligence requirements under applicable law.’’ While ‘‘Federal functional regulator’’ is a defined term,144 the proposed rule did not define ‘‘other appropriate regulatory agency.’’ 145 The preamble, however, provided illustrative examples, and invited comment. For example, the preamble noted that ‘‘other appropriate regulatory agencies’’ could ‘‘include State banking regulators,’’ 146 but that it was ‘‘unclear’’ whether SROs registered with or designated by a Federal functional regulator (i.e., qualifying SROs) should be considered ‘‘other appropriate regulatory agencies’’. Comments Received. Several comments requested that FinCEN define ‘‘other appropriate regulatory agency’’ to 142 31 CFR 1010.220. CFR 1010.320. 144 31 CFR 1010.100(r). Under this definition, the Federal functional regulators are the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision, the NCUA, the SEC, and the CFTC. 145 87 FR at 77416. 146 Id. 143 31 E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations include specified entities. Three commenters suggested that state regulatory agencies be expressly included. These commenters variously recommended that the term ‘‘State bank supervisor,’’ as used in the AML Act,147 state credit union regulators, and other state supervisory authorities should be expressly incorporated into the meaning of ‘‘other appropriate regulatory agency’’ in order to ensure consistent database access for state regulators supervising customer due diligence compliance and to avoid confusion. Another commenter argued that some SROs, including FINRA, should be considered to be ‘‘other appropriate regulatory agencies,’’ given that those SROs have broad AML/ CFT oversight and that limiting SRO access to BOI would undermine the CTA’s objectives. Final Rule. The final rule does not provide the specificity in the regulatory definition of ‘‘other appropriate regulatory agencies’’ requested by commenters given that the rule provides sufficient clarity regarding the agencies that are entitled to BOI access under § 1010.955(b)(4)(ii).148 FinCEN notes that ‘‘State bank supervisors,’’ as defined in the AML Act, as well as state credit union regulators and other state supervisory authorities that meet the criteria of the final rule may have access to the BOI database. Moreover, the term ‘‘other appropriate regulatory agency’’ does not include SROs because the term ‘‘agency’’ is generally understood to mean a governmental entity, rather than a private organization regardless of whether it performs governmental functions.149 150 FinCEN recognizes that SROs perform critical oversight functions with respect to AML/CFT compliance. The final rule retains the ability for qualifying SROs to receive BOI redisclosed to them from a financial institution or Federal functional regulator under § 1010.955(c)(2)(iii) and (iv). 3. Redisclosure of BOI to SROs Proposed Rule. Proposed § 1010.955(c)(2)(iii) and (iv) 151 would ddrumheller on DSK120RN23PROD with RULES3 147 See AML Act, section 6003(8), 6304 (crossreferencing 12 U.S.C. 1813); 12 U.S.C. 1813(r)(1) (‘‘The term ‘State bank supervisor’ means any officer, agency, or other entity of any State which has primary regulatory authority over State banks or State savings associations in such State.’’). 148 31 U.S.C. 5336(c)(2)(C). 149 See, e.g., 5 U.S.C. 551(1) (‘‘ ‘agency’ means each authority of the Government of the United States . . .’’). 150 See, e.g., In re William H. Murphy & Co., SEC Release No. 34–90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that FINRA ‘‘is not a part of the government or otherwise a [S]tate actor’’ to which constitutional requirements apply). 151 These provisions are discussed in greater depth in section III.D.ii. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 allow financial institutions and Federal functional regulators to re-disclose BOI obtained from the BOI database to a qualifying SRO provided that it meets the requirements of proposed § 1010.955(b)(4)(ii). Under this provision, the qualifying SRO would have had to be authorized by law to determine compliance with customer due diligence requirements under appliable law; it would have been able to use BOI obtained from FinCEN only to determine such compliance; and it would have had to enter into an agreement with FinCEN to safeguard the information. The proposed rule noted that qualifying SROs play an important role, working under oversight of Federal functional regulators, in assessing, supervising, and enforcing compliance with customer due diligence requirements under applicable law, among other requirements.152 Comments Received. One commenter agreed that it is sufficient for qualifying SROs to receive BOI obtained from FinCEN through the re-disclosure provisions given the limited purposes for which that BOI could be used by regulators. However, the commenter noted that those limitations were too narrow and could interfere with other SRO oversight responsibilities, including investigations of fraud and other illicit activity.153 Another commenter suggested that any SRO with market regulation functions, regardless of whether registered with or designated by a Federal functional regulator— beyond the two qualifying SROs (FINRA and NFA) specifically named in the NPRM—be permitted to receive BOI obtained from the BO IT system by financial institutions.154 Final Rule. FinCEN is adopting § 1010.955(c)(2)(iii) and (iv) as proposed.155 In light of the revised 152 87 FR at 77416. SRO also expressed concern that the proposed rule could be interpreted to prohibit financial institutions from collecting BOI or similar information from any source other than the BOI database. FinCEN does not believe that this is a reasonable reading of the regulatory text and thus does not believe the text needs revision. Regardless, to avoid any confusion, FinCEN clarifies that this rule does not restrict SROs’ ability to acquire BOI from other sources. 154 This commenter cited the CME Group as one example of an SRO that should have such access. CME Group, however, is an SRO that has been designated by a Federal functional regulator (CFTC) pursuant to Federal statute, i.e., a qualifying SRO. See, e.g., CFTC, Final Rule, Financial Surveillance Examination Program Requirements for SelfRegulatory Organizations, 84 FR 12882, 12884 n. 22 (Apr. 3, 2019). Thus, these provisions would not prohibit financial institutions or Federal functional regulators from redisclosing BOI to the CME Group if the provisions’ other requirements were met. 155 Comments regarding re-disclosure under § 1010.955(c)(2) more broadly are discussed in 153 The PO 00000 Frm 00029 Fmt 4701 Sfmt 4700 88759 approach to the scope of ‘‘customer due diligence requirements under applicable law,’’ however, qualifying SROs would be able to use BOI redisclosed to them to conduct ‘‘the assessment, supervision, or authorized investigation’’ in connection with a financial institution’s use of BOI obtained from FinCEN to comply with legal requirements to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States. Even if the CTA could be read to permit qualifying SROs to use BOI for purposes beyond these under the re-disclosure provision, however, such an approach would be inconsistent with the use limitations imposed on Federal functional regulators and other appropriate regulatory agencies and the CTA’s emphasis on safeguarding BOI. FinCEN also is not extending the redisclosure provisions to SROs that have not registered with or been designated by a Federal functional regulator. Qualifying SROs exercise unique regulatory authority within the framework of Federal law and under the oversight of Federal functional regulators to assess, supervise, and enforce financial institution compliance with customer due diligence and other requirements.156 157 In light of their unique role, and the oversight provided by the Federal functional regulators, in particular, with respect to security and confidentiality requirements, FinCEN determined that qualifying SROs are appropriate authorized recipients for BOI re-disclosures under FinCEN’s discretionary authority. In contrast, nonqualifying SROs do not play the same unique role within the Federal regulatory framework and are not subject to the same extensive government oversight as qualifying SROs. v. Department of the Treasury Access a. Disclosure to Officers or Employees of the Department of the Treasury Proposed Rule. Proposed 31 CFR 1010.955(b)(5)(i) permits officers or section III.D.ii FinCEN has made several changes to proposed § 1010.955(c)(2) in response to these comments, but these changes do not include any alterations to § 1010.955(c)(2)(iii) or (iv). 156 See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2–9(c)(5). 157 See, e.g., Scottsdale Cap. Advisors Corp., 844 F.3d at 418 (‘‘Before any FINRA rule goes into effect, the SEC must approve the rule and specifically determine that it is consistent with the purposes of the Exchange Act. The SEC may also amend any existing rule to ensure it comports with the purposes and requirements of the Exchange Act.’’ (citations omitted); Birkelbach, 751 F.3d at 475 (‘‘A [FINRA] member can appeal the disposition of a FINRA disciplinary proceeding to the SEC, which performs a de novo review of the record and issues a decision of its own.’’). E:\FR\FM\22DER3.SGM 22DER3 88760 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 employees of the U.S. Department of the Treasury to access BOI when official duties require such inspection or disclosure, subject to internal procedures and safeguards. Comments Received. Multiple comments supported the proposed access for Treasury officers and employees. Commenters suggested a few clarifications, e.g., listing the official duties that justify access such as Treasury’s role in auditing and reporting on BOI. Other comments suggested that FinCEN should apprise the public of, or clarify, the internal Treasury procedures to ensure the confidentiality and security of BOI. Some commenters proposed that BOI be treated as ‘‘return information’’ subject to the same protections as tax information under 26 U.S.C. 6103, particularly when it is obtained by IRS. One commenter stated that there should be coordinating regulations issued to ensure that BOI disclosed to Treasury’s officers and employees, including those at the IRS, is ‘‘protected to at least the same degree’’ as BOI that is disclosed to other agencies and that these regulations should be coordinated with 26 U.S.C. 6103.158 Final Rule. FinCEN adopts the proposed rule. FinCEN declines to add to the rule a list of official duties that would require access to BOI because those duties may change over time, and because, consistent with the CTA, Treasury access to BOI will be governed by internal procedures and safeguards. As noted in the proposed rule, however, FinCEN expects that Treasury officers and employees will access and use BOI for a range of appropriate purposes, including: tax administration, enforcement actions, intelligence and analytical purposes, use in sanctions -related investigations, and identifying property blocked pursuant to sanctions, as well as for administration of the BOI framework, such as for audits, enforcement, and oversight. This will include access to BOI necessary to complete the reports required by section 6502 of the AML Act and audit and 158 The commenter also requested clarification on the sharing of BOI by Treasury with state or foreign requesters for tax administration purposes, as well as how FinCEN would ensure that any BOI shared is adequately protected. FinCEN notes that statelevel and foreign requesters will obtain BOI pursuant to other provisions of 31 CFR 1010.955(b)—specifically, 31 CFR 1010.955(b)(2) and (b)(3). In contrast, 31 CFR 1010.955(b)(5) is specific to access by officers or employees of the Department of the Treasury; 1010.955(b)(5) does not itself authorize these Treasury officers or employees to share BOI with state or foreign requestors for tax administration purposes. 31 CFR 1010.955(d) provides security and confidentiality requirements for BOI shared with state or foreign requestors pursuant to (b)(2) and (b)(3). VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 oversight activities, including access by the Treasury OIG. FinCEN will work with other Treasury components to establish internal policies and procedures governing Treasury officer and employee access to BOI. These policies and procedures will ensure that FinCEN discloses BOI only to Treasury officers or employees with official duties requiring BOI access, or for tax administration. Furthermore, FinCEN does not believe that BOI reported to it is ‘‘return information’’ subject to the disclosure limitations on tax-related information under the Internal Revenue Code (26 U.S.C. 6103). Since BOI is information reported to FinCEN to fulfill a reporting requirement under Title 31 of the United States Code, it does not fall within the definition of ‘‘return information’’ at 26 U.S.C. 6103(b)(2), which is defined to include information received by the Secretary in connection with determining ‘‘a person’s liability (or the amount thereof) . . . under this title’’—i.e., Title 26 containing the Internal Revenue Code. The CTA instead provides particular security and confidentiality requirements to govern the protection and disclosure of BOI, which this final rule implements. In accordance with the detailed security and confidentiality requirements in the CTA, the final rule expressly imposes robust requirements on ‘‘requesting agencies’’ outside of the Treasury Department. Similarly, Treasury access to BOI will be governed by internal procedures and safeguards consistent with the CTA. FinCEN anticipates that these internal procedures and safeguards will be comparable to, and include elements of, the security and confidentiality requirements in 31 CFR 1010.955(d)(1) taking into account Treasury’s unique role in administering the BO IT system and framework. Officers and employees identified as having duties potentially requiring access to BOI would receive training on, among other topics, determining when their duties require access to BOI, what they can do with the information, and how to handle and safeguard it. Their activities would also be subject to audit. b. Disclosure for Tax Administration Purposes Proposed Rule. Proposed 31 CFR 1010.955(b)(5)(ii) permits disclosure of BOI to officers or employees of the Department of the Treasury for tax administration as defined in 26 U.S.C. 6103(b)(4), subject to internal procedures and safeguards. Comments Received. Several commenters suggested that use of BOI PO 00000 Frm 00030 Fmt 4701 Sfmt 4700 for tax administration purposes should be further clarified. Comments asked for greater specificity on tax administration uses, and one commenter requested clarification on the ‘‘analytical’’ use of BOI referenced in the NPRM, as applied to tax administration. Another commenter stated that use by Treasury should be limited to the purposes of the CTA. Final Rule. FinCEN adopts the proposed rule. As explained in the NPRM, FinCEN interprets the term ‘‘tax administration,’’ as employed in the CTA, to have the meaning provided for in 26 U.S.C. 6103(b)(4). Accordingly, in the context of tax administration, use of BOI in an ‘‘analytical’’ capacity would be delimited by this definition. Further, as explained in the NPRM, FinCEN believes that adopting the 26 U.S.C. 6103(b)(4) definition of tax administration is appropriate because Treasury officers and employees who administer tax laws are already familiar with it and have a clear understanding of the activity it covers. FinCEN also believes the definition is broad enough to avoid inadvertently excluding a tax administration-related activity that would be undermined by lack of access to BOI. In response to the proposal that FinCEN limit access to matters within the scope of the CTA, FinCEN declines to make this proposed amendment and notes that the CTA specifically provides that officers and employees of the Treasury may obtain access to beneficial ownership information for ‘‘tax administration purposes’’ generally. vi. Other Disclosures and Related Issues Proposed Rule. Consistent with the CTA, proposed 31 CFR 1010.955(b) limits disclosure of BOI by FinCEN, and corresponding access to BOI, to certain categories of recipients. The NPRM included a question for comment about whether there are additional circumstances not reflected in this proposed rule when the CTA would authorize FinCEN to disclose BOI. Comments Received. Commenters suggested additional categories of authorized recipients and additional recipients within categories already proposed in the NPRM. Within government channels, commenters proposed that FinCEN should make BOI available to public authorities involved in public procurement at both the Federal and state level and to those with audit authority over BOI—the Government Accountability Office (GAO) and Treasury OIG. Commenters also stated that additional financial institutions should have access to BOI, including money services businesses (MSBs). Another commenter, however, E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations asked for confirmation that financial institutions with access to BOI will be limited to ‘‘covered financial institutions’’ as defined in 31 CFR 1010.230(f). Several commenters stated that real estate professionals, such as land title agencies and real estate settlement agents, should be permitted to access BOI. These commenters stated such access would facilitate compliance with laws regarding foreign ownership of agricultural land and FinCEN’s real estate geographic targeting orders (GTOs), among other common business practices. Commenters also stated that entities that assist financial institutions with customer due diligence and beneficial ownership data analysis, such as regulatory technology (RegTech) firms and beneficial ownership data service providers, should be able to access and request BOI from FinCEN on behalf of a financial institution. One commenter noted that such entities are ‘‘contractors’’ or ‘‘agents’’ of financial institutions. Another commenter noted that access should be broadened to include non-governmental organizations, journalists, and eventually the public, to align with global standards. Several commenters asked whether and how BOI would be authenticated before disclosure for purposes of a proceeding governed by rules of evidence. Two commenters focused their concern on authentication in foreign courts, focusing on a statement in the preamble to the NPRM regarding the authentication of BOI in international sharing arrangements. That statement indicated that ‘‘[w]here a request for BOI includes a request that the information be authenticated for use in a legal proceeding in the foreign country making the request, FinCEN may establish a process for providing such authentication via MOU with the relevant intermediary Federal agency.’’ These commenters conveyed that FinCEN should issue a blanket rule authorizing all Federal agencies that transmit BOI to authenticate such records, rather than doing so through ad hoc agreements. One of the same commenters asked that the rule be clarified to allow Federal, State, local, and Tribal agencies to themselves authenticate BOI obtained from FinCEN, rather than requiring FinCEN to authenticate the records in each case. The commenter was concerned that if FinCEN must certify the authenticity of these records in every case, then it could create an administrative chokepoint that could impede civil and criminal actions. Final Rule. FinCEN declines to make further changes to the categories of VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 recipients to which BOI may be disclosed. The proposed rule aligns with the CTA in limiting disclosure to the categories of recipients FinCEN has already identified. The CTA does not provide for FinCEN to disclose BOI to non-governmental organizations, journalists, or the public. FinCEN notes, however, that the CTA and the final rule permit disclosure to some of the specific recipients commenters suggested within those categories. Regarding additional disclosures for government users, FinCEN reiterates that authorities with audit requirements such as the GAO and Treasury OIG will have the ability to complete these statutorily mandated activities. FinCEN anticipates working with the GAO to ensure access to BOI as required by the CTA,159 and as permitted by 31 U.S.C. 716(a).160 Treasury OIG will have access to BOI under the specific CTA and final rule provision for employees and officers of the Department of the Treasury.161 Regarding access for procurementrelated purposes, FinCEN expects that it will be able to disclose BOI to government agencies for such purposes when the procurement or the review of the procurement is an activity for which FinCEN is otherwise authorized to disclose BOI, e.g., a national security, law enforcement, or intelligence activity. Discussion about which types of financial institutions will have access to BOI is included in section III.C.iv.a. With respect to the question of whether FinCEN may disclose BOI to RegTech firms, beneficial ownership data service providers, due diligence vendors, or other third-party service providers to financial institutions, FinCEN believes that the final rule authorizes the disclosure of FinCEN BOI to such services providers provided that they and their employees are ‘‘agents’’ or ‘‘contractors’’ of a financial institution with access to BOI and are performing a function on behalf of the financial institution that requires direct access to it. If a financial institution relies on a service provider or other contractor to 159 See 31 U.S.C. 5336(c)(10); see also AntiMoney Laundering Act of 2020, section 6502. 160 31 U.S.C. 716(a) entitles GAO to ‘‘obtain such agency records as . . . require[d] to discharge [its] duties . . . .’’ Only certain foreign intelligence records and agency records ‘‘specifically exempted from disclosure to the Comptroller General by a statute’’ fall outside this requirement. Id. at 716(d)(1). Indeed, 31 U.S.C. 716 expressly contemplates agencies’ disclosure of confidential information to GAO, requiring GAO to ‘‘maintain the same level of confidentiality’’ over records disclosed to it as is required of the agency responsible for the record. Id. at 716(e)(1). 161 See 31 U.S.C. 5336(c)(5). PO 00000 Frm 00031 Fmt 4701 Sfmt 4700 88761 request, obtain, and access BOI, the financial institution will ultimately be responsible for the activity of any service provider or contractor accessing BOI on its behalf. Service providers that are agents or contractors of a financial institution authorized to access BOI will be able to request and access BOI through accounts associated with that financial institution. It will be the financial institution’s responsibility to ensure that its service providers or other such contractors comply with all applicable obligations, including requirements to protect and store BOI in compliance with the rule, and ensuring that BOI is used for appropriate purposes. Additionally, service providers and other contractors will not be permitted to use the BOI accessed on behalf of a financial institution for any purpose not authorized by the CTA or FinCEN’s regulations. For example, BOI requested by a service provider on a financial institution’s behalf cannot be integrated into downstream services that the service provider makes accessible to other financial institutions. When requesting BOI for a financial institution, a service provider or contractor is acting for or on behalf of this specific financial institution; it cannot repurpose BOI for the contractor’s own use, such as data aggregation, or for the use of other financial institutions. Regarding authentication of BOI, FinCEN declines to add a specific regulatory provision to address this issue. With respect to foreign countries, foreign laws will govern what constitutes an authenticated record in a particular legal proceeding. Many foreign countries have developed information sharing arrangements for criminal, civil, or other investigations or proceedings. These arrangements include Mutual Legal Assistance Treaties (MLATs), multilateral conventions, and other agreements that are typically consistent with a foreign country’s rules concerning authentication. In most such international arrangements, the U.S. Department of Justice’s Office of International Affairs (DOJ/OIA) is the intermediary Federal agency that would receive information from FinCEN and transmit it to the requesting foreign authority. In some cases, a foreign country’s laws may require FinCEN, as the records custodian of BOI, to certify the information’s authenticity. Some foreign countries may require that DOJ/OIA certify the authenticity of the BOI, while others still might require that both agencies provide a certification. The preamble to the NPRM explained: E:\FR\FM\22DER3.SGM 22DER3 88762 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations Where a request for BOI includes a request that the information be authenticated for use in a legal proceeding in the foreign country making the request, FinCEN may establish a process for providing such authentication via MOU with the relevant intermediary Federal agency. Such process may include an arrangement where FinCEN searches the beneficial ownership IT system and provides the information and related authentication to the intermediary Federal agency consistent with the terms of the relevant MOU.162 This approach allows for variations in the requests for authentication that may come from foreign countries. All government agencies obtaining BOI from FinCEN, including those transmitting BOI to foreign countries, will be required to enter into an MOU with FinCEN in order to ensure that all domestic agencies have appropriate protocols in place to ensure the proper handling and use of BOI. FinCEN will take into consideration the question of authentication in crafting its MOUs with intermediary Federal agencies such as OIA. FinCEN did not accept the proposal that the regulation should be altered to allow State, local, and Tribal agencies to themselves authenticate BOI they obtain from FinCEN, that is, without obtaining a certificate of authenticity or other form of evidentiary authentication from FinCEN. The authentication of evidence depends on the operation of applicable law. For example, state-level rules of evidence often require documents maintained by Federal agencies to be authenticated by the affixing of the official seal of the agency, a statement or testimony by a designated custodian of those records by the agency, or some other certification of authenticity by the agency.163 Each jurisdiction has its own applicable rules of evidence, however, and may not require certification by a Federal agency. FinCEN declines to issue a blanket rule on authentication, as such a rule would be hard to craft given the variation in State, local, and Tribal procedures and would invite needless confusion on the interaction between State, local, or Tribal rules of evidence and FinCEN’s rule. FinCEN believes that existing laws will suffice to provide for authentication of BOI. ddrumheller on DSK120RN23PROD with RULES3 D. Use of Information i. Use of Information by Authorized Recipients Proposed Rule. Proposed 31 CFR 1010.955(c)(1) provided generally that authorized recipients shall use BOI received from FinCEN ‘‘only for the particular purpose or activity for which 162 87 FR at 77414–15. e.g., Fed. R. Evid. 902(1)–(2), (4). 163 See, VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 such information was disclosed,’’ unless otherwise authorized by FinCEN. In the unique case of a Federal agency that receives information pursuant to 31 CFR 1010.955(b)(3) (Disclosure for Use in Furtherance of Foreign National Security, Intelligence, or Law Enforcement Activity), the rule more specifically provided that the Federal agency shall only use it to facilitate a response to that foreign request for assistance. In other words, the proposed rule limits the use of BOI by an intermediary Federal agency to facilitating a response to a proper request for BOI from a foreign requester. Comments Received. One commenter suggested deleting the word ‘‘only’’ from proposed 31 CFR 1010.955(c)(1) and adding language that would allow BOI to be used for any CTA-authorized purpose for that agency once FinCEN disclosed it. This commenter raised practical concerns about the restriction that BOI obtained from FinCEN only be used for the particular purpose or activity for which the information was disclosed, noting that this could lead to multiple requests to FinCEN for the same information by the same agency. They then provided the example of a Federal functional regulator obtaining BOI, and then realizing it would be critical for a legal action. Final Rule. FinCEN adopts the proposed rule with two revisions to the first sentence of 31 CFR 1010.955(c)(1). First, FinCEN amends this sentence to begin ‘‘[e]xcept as permitted under paragraph (c)(2) of this section,’’ instead of ‘‘[u]nless otherwise authorized by FinCEN.’’ Second, FinCEN has added the phrase ‘‘shall not further disclose such information to any other person’’ to this sentence, so that the first sentence of 31 CFR 1010.955(c)(1) of the final rule reads: ‘‘Except as permitted under paragraph (c)(2) of this section, any person who receives information disclosed by FinCEN under paragraph (b) of this section shall not further disclose such information to any other person, and shall use such information only for the particular purpose or activity for which such information was disclosed.’’ Both of these newly added phrases were (with minor, non-substantive differences) previously contained in proposed 31 CFR 1010.955(c)(2)(ix), the last provision of proposed § 1010.955(c), and establish that recipients of BOI under § 1010.955(b) may only redisclose that BOI when authorized under § 1010.955(c)(2). Given the importance of this limitation to BOI use generally, FinCEN determined that this text should be given greater prominence at the beginning, rather than placed at PO 00000 Frm 00032 Fmt 4701 Sfmt 4700 the end, of § 1010.955(c)’s provisions governing the use of BOI.164 FinCEN also continues to believe that limiting the use of BOI by authorized recipients to the ‘‘particular purpose or activity for which such information was disclosed’’ is necessary to reflect the general expectation in the CTA that authorized recipients should not obtain BOI for one authorized activity and then use it for another, unrelated purpose. Thus, for example, a Federal agency officer, employee, contractor, or agent who obtains BOI from FinCEN for use in furtherance of national security activity would be authorized to use that BOI only for the particular national security activity for which the request was made. With respect to the commenter’s suggestion to delete the word ‘‘only’’ from this paragraph, FinCEN believes such a change is unnecessary. With respect to the commenter’s suggestion to add language to allow BOI to be used for any CTA-authorized purpose for that agency, FinCEN declines to adopt this suggestion. FinCEN believes that such an authorization would be overbroad and would run counter to the disclosure framework and oversight, audit, and access protocols of the CTA and the proposed rule. Further, as described in proposed 31 CFR 1010.955(c)(2), FinCEN has proposed to allow the redisclosure of BOI in certain specified circumstances to further the goals of the CTA, subject to applicable security and confidentiality requirements. ii. Disclosure of Information by Authorized Recipients Proposed Rule. Proposed 31 CFR 1010.955(c)(1) would establish a blanket prohibition on the ‘‘re-disclosure’’ of BOI by an authorized recipient unless such disclosure is authorized by FinCEN. However, provided that the authorized recipient abides by applicable security and confidentiality requirements, the proposed rule would permit authorized recipients to redisclose BOI in eight circumstances, as summarized here: 1. Officers, employees, contractors, or agents of a Federal, State, local or Tribal agency may disclose BOI to other officers, employees, contractors, or agents within the same organization for the particular purpose or activity for which the BOI was requested (proposed § 1010.955(c)(2)(i)). 2. Officers, employees, contractors, or agents of a financial institution may 164 As discussed below in section III.D.ii.e. (ReDisclosure with Written Consent of FinCEN), FinCEN’s decision to move this language to 31 CFR 1010.955(c)(1) was also based in part on FinCEN’s consideration of a commenter recommending an alteration to proposed 1010.955(c)(2)(ix). E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 disclose BOI to other officers, employees, contractors, or agents within the United States of the same financial institution for the particular purpose or activity for which the BOI was requested (proposed § 1010.955(c)(2)(ii)). 3. Officers, employees, contractors, or agents of a financial institution may disclose BOI to the financial institution’s Federal functional regulator, a self-regulatory organization that is registered with or designated by a Federal functional regulator pursuant to Federal statute, or other appropriate regulatory agency, that meets the requirements identified in proposed 31 CFR 1010.955(b)(4)(ii)(A) through (C) (proposed § 1010.955(c)(2)(iii)).165 4. Any officer, employee, contractor, or agent of a Federal functional regulator may disclose BOI to a selfregulatory organization that is registered with or designated by the Federal functional regulator, provided that the self-regulatory organization meets the requirements of proposed 31 CFR 1010.955(b)(4)(ii)(A) through (C) (proposed § 1010.955(c)(2)(iv)). 5. Any officer, employee, contractor, or agent of a Federal agency that receives BOI from FinCEN after requesting it on behalf of a foreign authority pursuant to proposed § 1010.955(b)(3) may disclose the BOI to the foreign person on whose behalf the Federal agency made the request (proposed § 1010.955(c)(2)(v)). 6. Any officer, employee, contractor, or agent of a Federal agency engaged in a national security, intelligence, or law enforcement activity, or any officer, employee, contractor, or agent of a State, local, or Tribal law enforcement agency may disclose BOI to a court of competent jurisdiction or parties to a civil or criminal proceeding (proposed § 1010.955(c)(2)(vi)). 7. Any officer, employee, contractor, or agent of a Federal agency that receives BOI from FinCEN pursuant to 31 CFR 1010.955(b)(1) (Federal agencies engaged in national security, intelligence, or law enforcement activity), (b)(4)(ii) (Federal functional regulators or other appropriate regulatory agencies), or (b)(5) (The 165 Proposed 31 CFR 1010.955(b)(4)(ii)(A) through (C) provide that the agency— ‘‘(A) [i]s authorized by law to assess, supervise, enforce, or otherwise determine the compliance of such financial institution with customer due diligence requirements under applicable law; (B) [w]ill use the information solely for the purpose of conducting the assessment, supervision, or authorized investigation or activity described in paragraph (b)(4)(ii)(A) of this section; and (C) [h]as entered into an agreement with FinCEN providing for appropriate protocols governing the safekeeping of the information.’’ VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 Department of the Treasury) may disclose BOI to the United States Department of Justice for purposes of making a referral to the Department of Justice or for use in litigation related to the activity for which the requesting agency requested the information (proposed § 1010.955(c)(2)(vii)). 8. A foreign authority specified in proposed § 1010.955(b)(3) may disclose and use BOI consistent with the international treaty, agreement, or convention under which the request for BOI was made (proposed § 1010.955(c)(2)(viii)). In addition to these eight circumstances, the proposed rule contains a catch-all, proposed 31 CFR 1010.955(c)(2)(ix), that would permit FinCEN to authorize the re-disclosure of BOI by an authorized recipient, so long as the re-disclosure is for an authorized purpose. To this end, proposed 31 CFR 1010.955(c)(2)(ix) specified that, except as described above, any information disclosed by FinCEN under proposed 31 CFR 1010.955(b) shall not be further disclosed to any other person for any purpose without the prior written consent of FinCEN, or as authorized by applicable protocols or guidance that FinCEN may issue. In sum, the proposed rule would permit the re-disclosure of BOI by authorized recipients in limited circumstances that further the core underlying national security, intelligence, and law enforcement objectives of the CTA while at the same time ensuring that BOI is disclosed only where appropriate for those purposes. Generally, authorized re-disclosures would be subject to protocols designed, as with those applicable to initial disclosures of BOI from the BO IT system, to protect the security and confidentiality of BOI. a. Re-Disclosure—In General Comments Received. Several commenters approved of the approach in the proposed rule permitting certain broad categories of re-disclosure, and not requiring a case-by-case determination by FinCEN. On the other hand, several commenters felt that, as written, the scope of the authorized redisclosure of BOI was too limiting. One commenter proposed that FinCEN consider creating a special ‘‘amended request’’ form for situations in which an agency or a financial institution requests BOI and then comes back to FinCEN to request authorization to re-disclose that BOI, rather than requiring separate requests for the BOI and subsequent redisclosure authorization. Several commenters felt that the proposed re-disclosure provisions PO 00000 Frm 00033 Fmt 4701 Sfmt 4700 88763 would unduly restrict the use of the BOI. They raised concerns about repeatedly needing to return to FinCEN for requests to use the same BOI for one purpose, then another, in the course of, for example, a regulatory examination. Two commenters expressed concern that the proposed rule might not permit re-disclosure in open court. Commenters raised several other, more specific issues related to redisclosure that are discussed elsewhere in this preamble.166 Final Rule. FinCEN adopts the proposed rule with several modifications described in subsections below. Specifically, FinCEN inserted a new 31 CFR 1010.955(c)(2)(viii) to allow a re-disclosure of BOI by State, local, and Tribal law enforcement agencies to State, local, and Tribal agencies for the purpose of making a referral for possible prosecution by that agency, or for use in litigation related to the activity for which the requesting agency requested the information (discussed in greater detail below). FinCEN also renumbered 31 CFR 1010.955(c)(2)(ix) as 31 CFR 1010.955(c)(2)(x) to account for the insertion of the new paragraph (c)(2)(viii) and revised the text of that paragraph. Concerning comments that the proposed rule might not permit redisclosure in open court, proposed 31 CFR 1010.955(c)(2)(vi) would permit redisclosure ‘‘to a court of competent jurisdiction or parties to a civil or criminal proceeding,’’ including, in the appropriate circumstance, in open court. Further, this rule would also permit re-disclosure to a court of competent jurisdiction in broader settings such as in an application for a search warrant or a warrant pursuant to the Foreign Intelligence Surveillance Act. Thus, no changes to the proposed rule are needed to allow for the disclosure of BOI in these circumstances. As to the comment that FinCEN consider an ‘‘amended request’’ form, FinCEN will consider the appropriate process for requesting authorization to re-disclose BOI and will issue guidance for such requests when implementing the final rule. b. Re-Disclosure—Law Enforcement Proposed Rule. As described above, the proposed rule would permit re166 Such topics include re-disclosure to outside contractors and agents, re-disclosure to state examiners, re-disclosure within a financial institution to persons and directors responsible for monitoring compliance with customer due diligence rules, re-disclosure related to 314(b) sharing, and geographic limitations on redisclosure. E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88764 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations disclosure of BOI for law enforcement purposes by Federal, State, local, or Tribal agencies in several contexts. As relevant here, under the proposed rule, Federal, State, local, or Tribal agencies that receive BOI from FinCEN pursuant to a request under 31 CFR 1010.955(b)(1) or (2) would be permitted to re-disclose BOI to a court of competent jurisdiction or parties to a civil or criminal proceeding (proposed § 1010.955(c)(2)(vi)); and agencies that receive BOI under 31 CFR 1010.955(b)(1) (Federal agencies engaged in national security, intelligence, or law enforcement activities), (b)(4)(ii) (Federal functional regulators or other appropriate regulatory agencies), or (b)(5) (the Department of the Treasury) would be permitted to re-disclose BOI to the United States Department of Justice (DOJ) for purposes of making a referral to DOJ or for use in litigation related to the activity for which the requesting agency requested the information (proposed § 1010.955(c)(2)(vii)). Comments Received. One commenter noted that State, local, and Tribal law enforcement agencies did not have a rule analogous to § 1010.955(c)(2)(vii) that would permit re-disclosure of BOI to State, local, or Tribal prosecutors for purposes of making a case referral, and recommended the addition of such a rule. The commenter suggested amending proposed 31 CFR 1010.955(c)(2)(vi) to insert ‘‘to any officer, employee, contractor, or agent of an attorney general, district attorney’’ after the word ‘‘jurisdiction,’’ in order to enable such re-disclosure. Another commenter noted that, at times, law enforcement and regulatory agencies engage in joint investigations— that is, multiple agencies investigate a single fact pattern, sharing information among themselves. The commenter proposed that FinCEN clarify that authorization from FinCEN is not needed for re-disclosure within a joint investigation. Commenters expressed concern that the re-disclosure rules would prevent effective use of BOI by law enforcement. For example, authorized recipients outside of law enforcement would be prohibited from providing the information to law enforcement without first going to FinCEN to obtain permission to re-disclose that information. One commenter suggested an edit to proposed 31 CFR 1010.955(c)(2)(ix), the catch-all provision permitting FinCEN to authorize re-disclosure of BOI, to permit an authorized recipient to disclose BOI to a Federal agency engaged in national security, intelligence, law enforcement VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 activities, or a Federal regulatory agency when in the judgment of that person redisclosure would be in the public interest and would assist in combatting illicit finance. Final Rule. FinCEN modifies the proposed rule to include an additional re-disclosure authorization for State, local, and Tribal law enforcement agencies, what is now 31 CFR 1010.955(c)(2)(viii), as noted above. FinCEN agrees that State, local, and Tribal law enforcement agencies should be permitted to disclose BOI for the purpose of making a referral to another State, local, or Tribal agency for possible prosecution. Although such disclosures may be covered by proposed 31 CFR 1010.955(c)(2)(vi) in certain contexts, FinCEN is electing to expand 31 CFR 1010.955(c)(2) to include a new provision, 31 CFR 1010.955(c)(2)(viii), to explicitly address such disclosures. FinCEN declines the proposed edits to 31 CFR 1010.955(c)(2)(vi) as that paragraph is intended to apply to active litigation matters. FinCEN recognizes that at times agencies engage in joint investigations; that is, multiple agencies work together on a single investigation. Federal agencies that are a part of a task force to target specific criminal activity, such as drug trafficking or corruption, may also need to share BOI within the task force. In such cases, it would be more efficient for the agencies involved to share BOI directly among themselves instead of each agency having to separately request the same BOI from FinCEN.167 FinCEN did not include a provision permitting re-disclosure in joint investigations or task forces in the proposed rule, but it did explicitly address joint investigations and task forces in the preamble to the proposed rule. There, FinCEN indicated that it would evaluate requests to share BOI in the context of a joint investigation or task force under its discretionary redisclosure authority under proposed 31 CFR 1010.955(c)(2)(ix). FinCEN recognizes that sharing between agencies in the context of joint investigations or task forces is consistent with the CTA’s direction that BOI should be used to advance law enforcement interests. However, joint investigations and task forces come in many potential permutations—for example, multiple Federal agencies, a mix of Federal and state agencies, state and Tribal agencies, multiple state agencies, etc. Each such permutation raises unique issues. For example, in a joint investigation between Federal and state law enforcement agencies, do the 167 87 PO 00000 FR at 77419. Frm 00034 Fmt 4701 Sfmt 4700 agencies have to provide FinCEN both a request from Federal law enforcement under 31 CFR 1010.955(b)(1) and a court authorization under 31 CFR 1010.955(b)(2), or would one type of process suffice? If a Federal law enforcement agency obtained BOI for the purpose of investigating Federal crimes, could it re-disclose that information to a state law enforcement agency for its purpose in investigating state crimes? Does a task force consisting of both state and Tribal law enforcement agencies need to obtain a court authorization from multiple courts of competent jurisdiction, or just one? It would be difficult to establish a regulation that would resolve all of these issues, and even attempting to do so in a regulation runs the risk of further complicating the issue. For these reasons, FinCEN is not creating a specific re-disclosure provision in 31 CFR 1010.955(c)(2) that would address these scenarios. Instead, FinCEN will address joint investigations and task forces in future guidance, with an eye toward issuing guidance that captures the most common or straightforward circumstances, and in more unusual or complex situations evaluating specific re-disclosure requests on a case-by-case basis under its 31 CFR 1010.955(c)(2)(x) authority to approve in writing re-disclosure of BOI in furtherance of an authorized purpose or activity. This approach permits FinCEN greater flexibility in crafting appropriate rules for varied circumstances. As noted, one commenter stated that FinCEN should permit an authorized recipient to re-disclose BOI to a Federal agency engaged in national security, intelligence, law enforcement activities, or a Federal regulatory agency, when in the judgment of that person, redisclosure would be in the public interest and would assist in combating illicit finance. FinCEN finds such a provision to be too vague and subjective to be implementable. The CTA prohibits re-disclosure of beneficial ownership information except as authorized in the protocols promulgated by regulation, thereby leaving it to FinCEN to establish the appropriate re-disclosure rules.168 FinCEN is promulgating rules to permit the re-disclosure of beneficial ownership information under certain, limited circumstances that would further the core underlying national security, intelligence, and law 168 31 U.S.C. 5336(c)(2)(A). The CTA appears to presume that some re-disclosure will be permitted when it requires requesting agencies to keep records related to their requests, including of ‘‘any disclosure of beneficial information made by . . . the agency.’’ 31 U.S.C. 5336(c)(3)(H). E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 enforcement objectives of the CTA while at the same time ensuring that BOI is disclosed only where appropriate for those purposes. However, the proposed change suggests supplementing objective standards with the subjective judgment of any person in receipt of BOI. This proposal is beyond the confines of the CTA’s disclosure provisions. Although the number of cases in which BOI would need to be disclosed to law enforcement as a matter of emergency is likely to be quite low, FinCEN will consider future guidance on this topic. c. Re-Disclosure—Financial Institutions Proposed Rule. Proposed 31 CFR 1010.955(c)(2)(ii) would authorize any director, officer, employee, contractor, or agent of a financial institution who received BOI from FinCEN to re-disclose the information to another director, officer, employee, contractor, or agent within the United States of the same financial institution for the particular purpose or activity for which the BOI was requested, consistent with the security and confidentiality requirements of 31 CFR 1010.955(d)(2). Proposed 31 CFR 1010.955(c)(2)(iii) would further authorize financial institutions to re-disclose BOI received from FinCEN to regulators—specifically, Federal functional regulators, specified SROs, and other appropriate regulatory agencies—that meet the requirements identified in paragraphs (b)(4)(ii)(A) through (C) of the proposed rule. Financial institutions would be able to rely on a Federal functional regulator, SRO, or other appropriate regulatory agency’s representation that it meets the requirements. Comments Received. Commenters generally opposed the requirement in proposed 31 CFR 1010.955(c)(2)(ii) and 31 CFR 1010.955(d)(2)(i) that financial institutions limit disclosure of BOI obtained from FinCEN under the CTA to directors, officers, employees, contractors, and agents physically present within the United States. These comments and FinCEN’s response to them are consolidated in the discussion of proposed 31 CFR 1010.955(d)(2)(i) in section III.E.ii.a below. Several comments interpreted these proposed authorizations as prohibitions against financial institutions disclosing BOI to directors, officers, employees, contractors, or agents. One commenter asked FinCEN to include safe harbor provisions to permit employees to share BOI within their institutions according to that institution’s policies and procedures. Other comments asked FinCEN to state explicitly that the proposed rule would authorize BOI VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 disclosure ‘‘enterprise-wide,’’ as well as to certain specific parties. These specific parties were (1) internal and external auditors; (2) legal and compliance personnel; (3) state regulators; (4) affiliated financial institutions and other financial institutions involved in syndicated loans; (5) other financial institutions under USA PATRIOT Act section 314(b); and (6) third-party service providers, including RegTech companies. Final Rule. FinCEN adopts proposed 31 CFR1010.955(c)(2)(ii) and (iii) without change, other than deletion of the phrase ‘‘within the United States,’’ the reasons for which will be discussed in section III.E.ii.a below. As indicated above, 31 CFR 1010.955(c)(2)(ii) does not prohibit financial institution directors, officers, employees, contractors, or agents from re-disclosing BOI received from FinCEN to one another, but rather authorizes them to do so, provided re-disclosure is for the particular purpose or activity for which the BOI was requested. ‘‘Employees’’ might include, among others, a financial institution’s internal legal and compliance personnel. ‘‘Contractors’’ and ‘‘agents’’ might include any individual or entity providing services by contract, including, for example, outside counsel, auditors, and providers of data analysis software tools. FinCEN views state regulators that meet the requirements identified in paragraphs (b)(4)(ii)(A) through (C) of the final rule as ‘‘other appropriate regulatory agencies’’ to which financial institutions may re-disclose BOI from FinCEN under 31 CFR 1010.955(c)(2)(iii). FinCEN understands that financial institutions might want or need to redisclose BOI from FinCEN to parties that are not their directors, officers, employees, contractors, agents, or regulators. Examples provided in comments include affiliated financial institutions, other financial institutions involved in syndicated loan agreements, and other financial institutions eligible to participate in section 314(b) information sharing. Another example might be an external compliance monitor appointed as part of a civil or criminal enforcement matter. These are typically complex arrangements with highly variable facts and circumstances that do not lend themselves well to one broad regulation. FinCEN will therefore address these issues in future guidance, with an eye toward evaluating specific re-disclosure requests on a case-by-case basis under its 31 CFR 1010.955(c)(2)(x) authority to approve in writing redisclosure of BOI in furtherance of an authorized purpose or activity. PO 00000 Frm 00035 Fmt 4701 Sfmt 4700 88765 d. Re-Disclosure Required by Law Proposed Rule. The proposed rule did not provide for explicit directions for responding to legal demands for BOI. Comments Received. Several commenters requested that the rule contain specific processes for responding to legal demands for BOI. For example, a commenter asked how a financial institution should respond to a law enforcement subpoena for BOI obtained from FinCEN. Another commenter asked that FinCEN treat BOI like SAR information and issue a prohibition on re-disclosure of BOI by financial institutions in response to legal process. Final Rule. FinCEN recognizes the issues that may be raised when compulsory legal process—such as a court order or grand jury subpoena— calls for the production of BOI obtained from FinCEN. The resolution of these issues is most appropriate for post-rule guidance. FinCEN will seek to address these issues in future guidance or through specific re-disclosure requests under its 31 CFR 1010.955(c)(2)(x) authority to approve in writing redisclosure of BOI in furtherance of an authorized purpose or activity. e. Re-Disclosure With Written Consent of FinCEN Proposed Rule. Proposed 31 CFR 1010.955(c)(2)(ix) would prohibit the redisclosure of BOI obtained under proposed 31 CFR 1010.955(b) other than as permitted in proposed 31 CFR 1010.955(c)(2), and would permit FinCEN to authorize the re-disclosure of BOI in other circumstances via written consent, or through applicable protocols or guidance that FinCEN may issue. Comments Received. One commenter recommended removing the first sentence of proposed § 1010.955(c)(2)(ix) as redundant given proposed 31 CFR 1010.955(a), the baseline prohibition on re-disclosure. The language the commenter suggested removing reads, ‘‘[e]xcept as described in this paragraph (c)(2), any information disclosed by FinCEN under paragraph (b) of this section shall not be further disclosed to any other person for any purpose without the prior written consent of FinCEN, or as authorized by applicable protocols or guidance that FinCEN may issue.’’ Final Rule. FinCEN adopts proposed 31 CFR 1010.955(c)(2)(ix) with technical and organizational changes. First, FinCEN made a minor technical update to renumber 31 CFR 1010.955(c)(2)(ix) as 31 CFR 1010.955(c)(2)(x) to reflect the insertion of the new 31 CFR 1010.955(c)(2)(viii). Second, FinCEN E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88766 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations considered the comment which suggested the removal of the first sentence of proposed 31 CFR 1010.955(c)(2)(ix). Although there is some overlap with 31 CFR 1010.955(a), FinCEN believes that the first sentence of this provision is important to clarify the obligations of authorized recipients of BOI with respect to the re-disclosure of such information once they have obtained it. However, as described above in section III.D.i (Use of Information by Authorized Recipients), FinCEN concluded that language describing this obligation was better placed in 31 CFR 1010.955(c)(1) given its importance and general applicability. Accordingly, FinCEN removed the portions of the first sentence of proposed 31 CFR 1010.955(c)(2)(ix) prohibiting re-disclosure of BOI, except as permitted in § 1010.955(c)(2), and inserted them into the first sentence of 31 CFR 1010.955(c)(1). FinCEN retained the proposed provision providing that FinCEN may authorize further re-disclosures of BOI not otherwise permitted under § 1010.955(c)(2) by prior written consent or ‘‘by applicable protocols or guidance that FinCEN may issue,’’ but moved this limitation into the remaining sentence in new 31 CFR 1010.955(c)(2)(x). This part now reads, ‘‘FinCEN may by prior written authorization, or by protocols or guidance that FinCEN may issue, authorize persons to disclose information obtained pursuant to paragraph (b) of this section in furtherance of a purpose or activity described in that paragraph.’’ This provision gives FinCEN the ability to authorize, either on a case-by-case basis or categorically through written protocols, guidance, or regulations, the re-disclosure of BOI in limited cases to further the purposes of the CTA. As stated in the proposed rule, this provision could be used to address situations involving sharing of BOI by government agencies as part of a joint investigation or within a task force. The requirements that an agency would need to satisfy to obtain BOI through redisclosure are the same as those an agency would need to satisfy to obtain BOI from FinCEN directly under this proposed rule. FinCEN also envisions including re-disclosure limitations in the BOI disclosure MOUs it enters into with recipient agencies. These provisions would make clear that it would be the responsibility of a recipient agency to take necessary steps to ensure that BOI is made available for purposes specifically authorized by the CTA, and not for the general purposes of the agency. Such agency-to-agency agreements can be effective at creating VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 and enforcing standards on use, reuse, and redistribution of sensitive information. E. Security and Confidentiality Requirements The CTA directs the Secretary to establish by regulation protocols to protect the security and confidentiality of any BOI provided directly by FinCEN.169 It then prescribes specific security and confidentiality requirements that FinCEN must impose on ‘‘requesting agencies’’ and grants the Secretary authority to ‘‘provide such other safeguards which the Secretary determines (and which the Secretary prescribes in regulations) to be necessary or appropriate to protect the confidentiality of the beneficial ownership information.’’ 170 i. Security and Confidentiality Requirements for Domestic Agencies a. General Proposed Rule. Proposed 31 CFR 1010.955(d)(1)(i) addressed general security and confidentiality requirements applicable to Federal, State, local, and Tribal requesting agencies, including intermediary Federal agencies acting on behalf of authorized foreign requesters, Federal functional regulators, and other appropriate regulatory agencies (collectively, ‘‘requesting agencies’’). These general requirements would need to be satisfied by a requesting agency for it to be eligible to receive BOI from FinCEN. Proposed 31 CFR 1010.955(d)(1)(i) required that each requesting agency: (1) Enter into an agreement with FinCEN specifying the standards, procedures, and systems to be maintained by the agency, and any other requirements FinCEN might specify, to protect the security and confidentiality of such information; (2) Establish standards and procedures, approved by the head of the agency, to protect the security and confidentiality of BOI; (3) Provide FinCEN with an initial report that describes these standards and procedures established and includes a certification from the head of the agency that the standards and procedures implement the requirements of this paragraph; (4) Establish and maintain a secure system for storing BOI which complies with information security standards prescribed by FinCEN; (5) Establish and maintain a permanent, auditable system of standardized records of the agency’s BOI requests; (6) Restrict access to BOI to personnel meeting specified criteria, which would 169 31 170 31 PO 00000 U.S.C. 5336(c)(3)(A). U.S.C. 5336(c)(3)(B)–(K). Frm 00036 Fmt 4701 Sfmt 4700 include meeting the training requirements of the proposed rule; (7) Conduct an annual audit to verify that information obtained from FinCEN has been accessed and used appropriately, provide FinCEN with the results of the audit upon FinCEN’s request, and cooperate with FinCEN’s annual audit of requesting agencies’ adherence to the requirements established under this paragraph; (8) Provide a semi-annual certification from the head of the agency, on a nondelegable basis, that the agency’s standards and procedures are in compliance with the security and confidentiality requirements of this provision; and (9) Provide FinCEN an annual report that describes the standards and procedures the agency uses to ensure the security and confidentiality of the BOI it receives from FinCEN. The preamble to the proposed rule explained that the agreement required by 31 CFR 1010.955(d)(1)(i)(A) would be a MOU that each requesting agency would enter into with FinCEN before being able to request any BOI. Comments Received. FinCEN received several comments on security and confidentiality requirements for all authorized users, as well as comments focused more specifically on security and confidentiality requirements for domestic requesting agencies. For all authorized users, one commenter expressed support for the proposed rule’s general security and confidentiality requirements, noting that these align with the CTA. Several other commenters expressed appreciation for FinCEN’s efforts to balance the interests of those requesting BOI against the protections and restrictions mandated by the CTA. One commenter viewed these requirements as adequate and argued that FinCEN should not add any new requirements that were not included in the CTA. As for the requirements applicable to requesting agencies, one commenter argued that the proposed requirements would be so strict that they could hinder the agencies’ access to BOI. However, this commenter recognized that in proposing these requirements, FinCEN was simply implementing statutory requirements, and that any change to these requirements would have to come from Congress. With respect to the requirement that agencies establish and maintain secure systems for BOI storage, one commenter welcomed the clarification in the Access NPRM preamble that agencies may rely on existing databases and related IT infrastructure to satisfy this requirement. This commenter proposed additional points of clarification with respect to these systems—for example, on how FinCEN would coordinate with E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations agencies to develop technology-enabled access that ‘‘maximize[s] the utility of access and minimize[s] additional development costs,’’ and whether agencies would be able to pool their resources and collaborate to satisfy this requirement. There were several comments requesting additional clarifications or changes to proposed 31 CFR 1010.955(d)(1)(i). Two commenters asked that FinCEN clarify in the final rule that certain security and confidentiality requirements for requesting agencies apply to the entire information-sharing relationship between FinCEN and the requesting agency, instead of applying on what one commenter referred to as an ‘‘iterative’’ basis, which FinCEN understands to mean case-by-case or request-by-request. One commenter cited the provisions of the CTA contained in sections 5336(c)(2)(C)(iii) and 5336(c)(3)(B)–(D), (H), and (I), which 31 CFR 1010.955(d)(1)(i) implements, as examples of provisions that should apply at the relationship rather than the case-by-case level. These commenters argued that applying certain of these requirements for each individual request would be impractical and would effectively undermine the usability of the BOI database. These same commenters asked FinCEN to further clarify that it does not intend to review access determinations on a case-by-case basis prior to authorized users accessing the BOI database. There were also several comments related to the proposed rule’s audit requirements. One commenter suggested that FinCEN should expand the audit requirements in the final rule to require that agencies verify that requests for BOI are appropriate under proposed 31 CFR 1010.955(b) and that records of BOI requests are kept in accordance with proposed 31 CFR 1010.955(d)(1)(i)(E), which requires agencies to maintain an auditable record of requests. This commenter also suggested that the final rule should include audit requirements specifically for Federal agencies that are making requests on behalf of foreign persons, i.e., for intermediary Federal agencies. These requirements would include ensuring that the information required of intermediary Federal agencies under 31 CFR 1010.955(d)(1)(ii)(B)(3) and (4) has been maintained and that these agencies are compliant with 31 CFR 1010.955(d)(3), the security and confidentiality requirements for foreign persons on whose behalf an intermediary Federal agency requests BOI. A different commenter also requested that FinCEN audit BOI requests from foreign VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 requesters. Another commenter recommended that FinCEN modify the audit and annual report requirements to be completed by requesting agencies to also include data relevant for evaluating the accuracy, completeness, and usefulness of the BOI database. One commenter requested that FinCEN provide for greater involvement by the head of a requesting agency in satisfying the agency’s security and confidentiality requirements. For example, this commenter suggested that the final rule should specify that only the head of an agency, on a nondelegable basis, could enter into the agreement with FinCEN, or acknowledge the final audit report satisfying the requirements under 5336(c)(3)(B) and (H). In addition, one commenter asked FinCEN to add a provision requiring that agencies specify which agency personnel can make requests to FinCEN for BOI and access BOI. Finally, one commenter suggested that FinCEN could develop a series of model MOUs for each agency type (local law enforcement agency, state law enforcement agency, etc.). Final Rule. The final rule adopts proposed 31 CFR 1010.955(d)(1)(i) with only minor technical changes. FinCEN agrees with the commenter that the general security and confidentiality requirements for domestic agencies are statutory requirements, and any change to these requirements would have to be mandated by Congress. FinCEN believes these requirements are reasonable given the sensitive nature of BOI and expects that once a requesting agency meets the general security and confidentiality requirements, it should be able to use the BO IT system to access BOI in a rapid and efficient manner. With respect to requests for additional clarifications on the requirement that agencies establish and maintain a secure system for BOI storage, FinCEN appreciates these suggestions and will give them due consideration in the context of entering into MOUs with domestic agencies. FinCEN believes that agencies will likely be able to leverage existing databases and related IT infrastructure to meet this requirement, and has included the statutory language ‘‘to the satisfaction of the Secretary’’ in the regulatory text to ensure sufficient flexibility to implement this approach.171 FinCEN may also choose to 171 With the addition of the statutory language ‘‘to the satisfaction of the Secretary’’ to the regulatory text, FinCEN also removed as unnecessary the proposed language that would have required any agency’s secure system for BOI storage to ‘‘compl[y] with information security standards prescribed by FinCEN.’’ PO 00000 Frm 00037 Fmt 4701 Sfmt 4700 88767 provide additional guidance on these topics in the future. As for the comments requesting clarification that the requirements in this provision apply generally and not on a request-by-request basis, FinCEN believes that the rule text, and the heading ‘‘general requirements,’’ made it sufficiently clear that these requirements apply to requesting agencies generally, and that the requirements of 31 CFR 1010.955(d)(1)(ii), as the heading ‘‘requirements for requests for disclosure’’ suggests, are request-byrequest requirements. Several of the general requirements, such as the audit, certification, and report requirements, explicitly state that these requirements apply on an annual or semi-annual basis. Other requirements, such as the requirement that requesting agencies establish and maintain a secure system to store BOI, would by their nature apply on an ongoing basis. FinCEN also considered comments suggesting that additional audit requirements are necessary. Regarding the commenter suggesting that FinCEN include audit requirements to ensure that BOI requests are appropriate under proposed 31 CFR 1010.955(b) and that requesting agencies have properly maintained an auditable record of requests, FinCEN believes that the proposed audit requirements sufficiently cover these areas. FinCEN also declines to accept this commenter’s proposal to add specific requirements concerning the audit of requests by intermediary Federal agencies on behalf of foreign persons. In FinCEN’s view, when a request for BOI is made under an international treaty, agreement, or convention, the arrangements set forth in (or authorized by) that treaty, agreement, or convention would govern. When no such treaty, agreement, or convention is involved, and a trusted foreign country is involved, FinCEN will work closely with the intermediary Federal agency and will take measures to confirm compliance with proposed 31 CFR 1010.955(d)(3). In response to the commenter recommending that the audit and reporting requirements for requesting agencies should also address the accuracy, completeness, and usefulness of the BOI database, FinCEN does not view these issues as relevant to the security and confidentiality provisions of the regulation, which FinCEN adopted directly from the CTA. FinCEN may consider these requirements in the context of MOUs with relevant agencies to establish feedback mechanisms to facilitate evaluation of the quality of the E:\FR\FM\22DER3.SGM 22DER3 88768 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 database with a view to improving compliance and enforcement. As for the commenter suggesting an additional requirement for agencies to specify which personnel may request and access BOI, FinCEN does not believe a rule change is necessary but will consider this suggestion further and potentially address it in future guidance. In response to the commenter suggesting an expanded role in the security and confidentiality requirements for agency heads, FinCEN believes that the involvement of agency heads in these requirements is already significant, and that greater involvement would create burdens on agencies without clear benefits. Lastly, concerning the comment regarding MOUs, FinCEN appreciates this feedback and will consider developing template MOUs for different types of BOI user agencies. FinCEN will also consider further tailoring MOUs as needed for specific agencies and will work with agencies on MOUs when appropriate. b. Minimization and Requirements for Individual Requests for BOI by Domestic Agencies Proposed Rule. Proposed 31 CFR 1010.955(d)(1)(ii) includes requirements that would apply to each individual request for BOI from requesting agencies. This provision includes two general requirements. First, agencies must minimize, to the greatest practicable extent, the scope of the BOI they request consistent with the purpose of the request (the NPRM referred to this as the ‘‘minimization’’ requirement). Second, the head of a Federal agency, or their designee, must provide written certifications to FinCEN, in the form and manner that FinCEN prescribes, (1) that the agency is engaged in a national security, intelligence, or law enforcement activity, and (2) that the BOI requested is for use in such activity, along with the specific reasons why the BOI is relevant to the activity. Comments Received. FinCEN did not receive comments concerning the minimization requirement. FinCEN received several comments relating to FinCEN’s review process for BOI requests from authorized users generally, and these comments also apply to proposed 31 CFR 1010.955(d)(1)(ii)(B) on the requirements for written certification by Federal agencies. Commenters generally requested that FinCEN clarify in the final rule that FinCEN will not review the agency requests for BOI on a caseby-case basis. One commenter claimed that case-by-case review of the purpose of an agency’s requests would not be VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 worth the costs given FinCEN’s resource constraints. This commenter focused on the general security and confidentiality requirements that the CTA imposes on requesting agencies and argued that additional oversight on a case-by-case basis would be unnecessary. Another commenter argued that case-by-case review would create administrative hurdles for agencies in accessing BOI, thereby undermining the usefulness of the BOI database. This commenter also argued that the CTA was not meant to give FinCEN the authority to question requesting agencies’ substantive reasons for requesting BOI. Thus, this commenter urged FinCEN to clarify in the final rule that FinCEN will not evaluate the purpose of agencies’ requests in deciding whether to grant requests for BOI. Separately, one commenter recommended that FinCEN should further strengthen the safeguards concerning individual requests for BOI by requiring senior-level review and written approvals by requesting agencies for each BOI request. While this commenter did not specify which provision of the rule text should be changed, the commenter appeared to suggest adding additional requirements to proposed 31 CFR 1010.955(d)(1)(ii). This commenter argued that because of the highly sensitive nature of BOI and the importance of securing it, FinCEN should require senior-level officials of agencies to provide written approval for each BOI request to FinCEN by an agency. These senior-level officials, the commenter argued, should be Senateconfirmed Presidential appointees of Federal agencies and chief executives or their designees for State, local, or Tribal agencies. Final Rule. The final rule adopts 31 CFR 1010.955(d)(1)(ii) largely as proposed. Although not specifically suggested by comments, FinCEN is removing the proposed requirement at 31 CFR 1010.955(d)(1)(ii)(B)(3)(ii) that intermediary Federal agencies identify the date of the international treaty, agreement, or convention under which a request for BOI is being made; FinCEN believes that identification of the date is unnecessary. Regarding the comments expressing concerns that FinCEN will be reviewing each agency’s requests for BOI on a case-by-case basis, FinCEN does not believe it is necessary to change the rule to address this concern. Instead, FinCEN reiterates here that it has no intention of reviewing each individual request for BOI from a requesting agency. The requirement for certifications from requesting agencies is sufficient to establish a basis for FinCEN to know which agencies are PO 00000 Frm 00038 Fmt 4701 Sfmt 4700 accessing the BOI database, and the basis on which they are doing so. This is important for purposes of meeting FinCEN’s audit requirements. FinCEN, however, will not review each individual request from these agencies in real time. As for the commenter who argued that FinCEN should add a requirement that senior-level officials at requesting agencies must approve each BOI request, FinCEN declines to adopt this recommendation. Such a requirement would add an unwarranted burden on requesting agencies and would not be outweighed by sufficient benefits. ii. Security and Confidentiality Requirements for Financial Institutions a. Restriction on Personnel Access to Information Proposed Rule. FinCEN proposed to require financial institutions to limit access to BOI obtained from FinCEN to the financial institutions’ directors, officers, employees, contractors, and agents within the United States. Proposed 31 CFR 1010.955(d)(2)(i) explicitly imposed this limitation, while proposed 31 CFR 1010.955(c)(2)(ii) made clear that it not only applied to initial BOI recipients, but continued to apply when directors, officers, employees, contractors, and agents of a financial institution wanted to redisclose BOI to directors, officers, employees, contractors, and agents within the same financial institution for the particular purpose or activity for which the financial institution requested the information. Comments Received. Commenters generally opposed the requirement that financial institutions limit disclosure of BOI obtained from FinCEN to directors, officers, employees, contractors, and agents physically present within the United States. One commenter supported the limitation, but many more did not. Comments stated that the limitation would cause a disruption in the financial industry and run counter to current business practices. Commenters indicated that contracting with foreign workers is common for AML/CFT purposes, and financial institution personnel outside of the United States (including contractors and agents) routinely have access to customer information. Commenters further argued that the limitation would decrease the utility of BOI. Some stated that financial institutions may choose to continue to collect BOI from customers under the 2016 CDD Rule and forego accessing FinCEN’s BO IT system altogether to avoid the BOI handling requirements set E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations out in the NPRM. One commenter stated that the limitation would result in less effective risk management, while others indicated that it would increase compliance costs. One commenter estimated that it will take years and millions of dollars to ‘‘onshore’’ job functions tasked with handling BOI from FinCEN. Further, commenters asserted that the limitation is not included in the CTA and that it contradicts other portions of the AML Act. Commenters also claimed that the proposed limitation is inconsistent with U.S. and international regulatory expectations for enterprise-wide risk management. Comments pointed to previous Treasury, FinCEN, and other regulatory guidance about sharing information across borders within enterprises. A commenter stated that FinCEN did not give a specific reason for the limitation. Some comments proposed alternatives, such as allowing redisclosure to individuals outside of the United States and relying on technological safeguards and security requirements to protect the information. Another suggestion was to limit access to the BO IT system to personnel within the United States, but allow redisclosure to directors, officers, employees, contractors, and agents in other countries. A few comments suggested those counterparts could be limited to ‘‘trusted foreign countries’’ or other specified destinations. Finally, one commenter asked FinCEN to define ‘‘physically present in the United States.’’ Final Rule. The final rule at 31 CFR 1010.955(d)(2)(i) and (ii) revises the limitation on sending BOI outside the United States so that it is less stringent than the proposed rule. Under the final rule, financial institutions do not need to keep BOI confined to the United States, but rather are prohibited from sending BOI to certain foreign jurisdictions and categories of jurisdictions. As articulated in the Access NPRM, the CTA describes a framework for disclosures of BOI to foreign governments, and the regulations should seek to ensure consistency with the broader CTA framework. At the same time, FinCEN takes seriously commenters’ argument that a flat prohibition on sending BOI abroad is too blunt a mechanism that would impose significant costs.172 172 At least one commenter suggested that any such limitation is in conflict with the FFIEC manual’s recognition that ‘‘[a] bank may choose to implement customer due diligence policies, procedures and processes on an enterprise-wide basis.’’ Such a choice, however, as the manual itself acknowledges, is permissible only ‘‘to the extent VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 FinCEN has determined that it is not necessary to prohibit all offshoring of BOI in order to address the threat posed by sending BOI to jurisdictions of greatest concern. Instead, 31 CFR 1010.955(d)(2)(i) prohibits BOI from being sent to Russia, China, any jurisdiction designated as a state sponsor of terrorism, and any jurisdiction that is subject to comprehensive sanctions under U.S. law, which are the jurisdictions SARs cannot be sent to pursuant to 31 U.S.C. 5318(g)(8)(C)(i). While the information contained in SARs is clearly different from BOI in many respects, FinCEN considers the selection of these jurisdictions to be a strong indicator of a broader congressional perspective on the acceptability of exposing sensitive information filed with the U.S. government to the legal processes of these foreign jurisdictions. As the selection of these jurisdictions indicates, Congress clearly regards the exposure of such sensitive information as more acceptable when it involves some jurisdictions than when it involves others. FinCEN has used this list of jurisdictions based on that understanding of the general congressional perspective on offshoring of information. The Secretary is authorized to add to this list to ensure compliance with the CTA or for national security reasons. FinCEN acknowledges that allowing BOI to be used and disseminated offshore creates a risk of unauthorized disclosure and misuse, and entails translating U.S. legal requirements for non-U.S. personnel and training them to understand and comply with those requirements. FinCEN weighed these risks against the burden that limiting BOI to directors, officers, employees, contractors, and agents within the United States would impose on some financial institutions. Many financial institutions operate global compliance programs that apportion responsibilities among different regions and reduce compliance expenses. Relocating certain compliance functions to the United States simply to allow them to obtain BOI from FinCEN could be very costly, and in many cases might be financially permitted by law.’’ FFIEC BSA/AML Examination Manual, Assessing Compliance with BSA Regulatory Requirements, Customer Due Diligence—Overview (May 5, 2018), p. 4, https:// www.ffiec.gov/press/pdf/ Customer%20Due%20Diligence%20%20Overview%20and%20Exam%20ProceduresFINAL.pdf. Here, the CTA establishes the legal parameters under which an institution can choose its enterprise-wide policies by authorizing FinCEN to prescribe by regulation any safeguards it determines to be necessary or appropriate to protect the confidentiality of BOI. 31 U.S.C. 5336(c)(3)(K). PO 00000 Frm 00039 Fmt 4701 Sfmt 4700 88769 infeasible. FinCEN assesses that the cost of the targeted offshoring limitation should be de minimis: it is FinCEN’s understanding that U.S financial institutions currently do not send a significant volume of customer information to Russia, China, any jurisdiction designated as a state sponsor of terrorism, or any jurisdiction that is subject to comprehensive sanctions under U.S. law, and with respect to jurisdictions that are state sponsors of terrorism, sending such information is already prohibited by other law. In addition, in order for FinCEN to monitor foreign government interest in obtaining BOI, the final rule requires that financial institutions notify FinCEN within three business days of receiving a demand from a foreign government for BOI obtained from FinCEN. FinCEN assesses that this offshoring limitation with notification requirement addresses the legitimate issues regarding security and conformity with the CTA raised by sending BOI outside the United States, without resorting to a blanket onshoring requirement. b. Safeguards and Security Standards Proposed Rule. Proposed 31 CFR 1010.955(d)(2)(ii) described safeguards applicable to financial institutions that were designed to maintain the security and confidentiality of BOI while preserving accessibility and usefulness.173 Proposed 31 CFR 1010.955(d)(2)(ii)(A) required financial institutions to develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI as a precondition for receiving BOI. The provision did not prescribe specific safeguards or security requirements. Rather, proposed 31 CFR 1010.955(d)(2)(ii)(A) provided that the application to BOI obtained from FinCEN of security and information handling procedures established by a financial institution to comply with section 501 of the Gramm-Leach-Bliley Act (Gramm-Leach-Bliley) 174 and its implementing regulations, with regard to the protection of its customers’ nonpublic personal information, would satisfy the requirement. Gramm-Leach-Bliley provides general baseline expectations for keeping data secure and confidential, while each agency’s implementing regulations take into account factors unique to the financial institutions the agency supervises. Section 501 of GrammLeach-Bliley, codified at 15 U.S.C. 173 See 31 U.S.C. 5336(c)(3)(K). Law 106–102, 113 Stat. 1338, 1436–37 174 Public (1999). E:\FR\FM\22DER3.SGM 22DER3 88770 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 6801(b) and 6805, requires each Federal functional regulator to establish appropriate standards relating to administrative, technical, and physical safeguards for financial institutions it regulates to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer. The Federal functional regulators have implemented these requirements in different ways. The OCC, FRB, FDIC, and the NCUA incorporated into their regulations the Interagency Guidelines Establishing Interagency Security Standards (Interagency Guidelines).175 The Interagency Guidelines add detail to the more general Gramm-Leach-Bliley requirements, covering specific subjects related to identifying, managing, and controlling risk (e.g., physical and electronic access controls, encryption and training requirements, and testing). The CFTC has incorporated the GrammLeach-Bliley expectations of financial institutions into its regulations 176 and recommended best practices for meeting them that are ‘‘designed to be generally consistent with’’ the Interagency Guidelines.177 The SEC has also incorporated the Gramm-Leach-Bliley expectations of financial institutions into its regulations,178 and has instituted enforcement actions for violations of such regulations.179 Under proposed 31 CFR 1010.955(d)(2)(ii)(B), financial institutions that were not subject to the requirements of section 501 of GrammLeach-Bliley could apply security and handling procedures that were ‘‘at least as protective of the security and confidentiality of customer information’’ as procedures that satisfy the standards set out in Gramm-LeachBliley. For these financial institutions, the proposed rule suggested that the Interagency Guidelines might serve as a useful checklist against which to 175 See Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness, 66 FR 8616 (Feb. 1, 2001). The agencies’ implementing regulations are at 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D–2 and part 225, app. F (FRB); 12 CFR part 364, app. B (FDIC); and 12 CFR part 748, apps. A & B (NCUA). 176 See 17 CFR 160. 177 See CFTC Staff Advisory No. 14–21 (Feb. 16, 2014). 178 See 17 CFR 248.1–248.100. 179 See, e.g., Morgan Stanley Smith Barney LLC, SEC Exchange Act Release No. 95832 (Sept. 20, 2022). VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 evaluate existing security and confidentiality practices, as well as a useful guide for possible information security program modifications. Comments Received. Commenters generally concurred with the proposal to anchor BOI security and confidentiality requirements to GrammLeach-Bliley, noting that the information security program requirements under that statute and its implementing regulations were sufficient to secure BOI received by financial institutions. Commenters observed that these requirements are already familiar to financial institutions and integrated into business practices. Commenters further encouraged FinCEN not to impose additional security and information handling protocols on financial institutions that could be duplicative of, inconsistent with, or more burdensome than these existing requirements. A commenter requested that FinCEN create a safe harbor provision for all employees of a financial institution that is compliant with Gramm-Leach-Bliley to further minimize compliance burden. Regarding information security requirements generally, commenters requested clarification on whether background checks would be required for any employees, and whether a ‘‘firewall’’ would be required to block access to BOI by employees not involved in opening accounts for new customers. Final Rule. The final rule adopts the proposed rule without change. Allowing financial institutions to satisfy the requirement to safeguard BOI by applying the security and information handling procedures used to comply with Gramm-Leach-Bliley and its implementing regulations is intended to avoid duplicative or inconsistent requirements and reduce burdens, while maintaining a high degree of security and confidentiality. As commenters pointed out, many financial institutions are generally familiar with the GrammLeach-Bliley requirements and already have policies, procedures, and infrastructure in place to comply with its requirements. In addition, Federal functional regulators currently assess financial institutions for compliance with Gramm-Leach-Bliley, which reduces burdens on supervisors while ensuring continued predictability for financial institutions. Lastly, for financial institutions not subject to Gramm-Leach-Bliley, the Interagency Guidelines provide a blueprint for establishing or benchmarking existing compliance systems so that those financial institutions can access the BO IT system and manage BOI securely. PO 00000 Frm 00040 Fmt 4701 Sfmt 4700 FinCEN is not extending a safe harbor to employees of a financial institution that is compliant with Gramm-LeachBliley standards. It is important for FinCEN to retain discretion to evaluate individual conduct by a director, officer, employee, contractor, or agent and related facts and circumstances on a case-by-case basis where there are unauthorized disclosures or uses by a financial institution, and to consider potential enforcement action. On the question of background checks and firewalls, the final rule does not include additional safeguards or other requirements. FinCEN views the security and information handling procedures implemented by financial institutions to comply with GrammLeach-Bliley to be sufficient. Additional requirements could create inconsistencies with existing security and information handling programs and create unnecessary burdens on both financial institutions and their supervisors, without a clear security benefit given the absence of specific concerns from commenters on the sufficiency of the Gramm-Leach-Bliley requirements. FinCEN also declines to impose specific, additional safeguards on financial institutions that are not subject to Gramm-Leach-Bliley because such requirements could result in unintended consequences. These financial institutions can vary significantly in size, organizational structure, client base, risk profile, resources, and other characteristics. Many of these financial institutions could face significant costs and technical challenges in implementing uniform, additional standards, or FinCEN would need to expend resources to consider case-bycase modifications to address the diversity of unique circumstances. c. Protocols and Training Proposed Rule. For each BOI request, proposed 31 CFR 1010.955(d)(2)(iii) would require a financial institution to certify in writing that it fulfilled information security and other requirements set out in that section. The proposed rule explained that FinCEN expected that financial institutions would establish protocols to satisfy these information security requirements, including appropriate recordkeeping, to enable FinCEN to fulfill its audit and oversight responsibilities. The proposed rule also indicated that financial institutions would need to develop a training program that would ensure that BO IT system users at the financial institution received training on the protocols and completed FinCENprovided online training as a condition E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations for creating and maintaining system accounts. Comments Received. One commenter was skeptical that financial institutions would act in accordance with FinCEN’s expectations for protocols and training without specific regulatory requirements. The commenter suggested expressly setting out in the regulations the expectations regarding protocols and training. Another commenter expressed appreciation that FinCEN planned to provide training on the BO IT system when it becomes available. A third commenter asked FinCEN to confirm that only financial institution employees who will access the system would need to take this training, and not employees who may view and use BOI retained on the financial institution’s system in accordance with applicable requirements. Final Rule. FinCEN adopts the proposed rule without change given that the imposition of additional requirements regarding protocols and training would likely be duplicative and potentially confusing. Financial institutions can satisfy the requirements of 31 CFR 1010.955(d)(2)(ii) by either applying to BOI security and information handling procedures designed to comply with section 501 of Gramm-Leach-Bliley Act or by implementing procedures that are ‘‘at least’’ as protective of customer information as procedures that satisfy Gramm-Leach-Bliley standards. The different materials promulgated by the Federal functional regulators to implement Gramm-Leach-Bliley have in common requirements to (1) establish policies and procedures that govern security; and (2) provide related training.180 Additional requirements to establish protocols and training could create confusion and inconsistencies in implementation, and likely impose additional burdens on financial institutions and FinCEN. Moreover, the final rule imposes on the director, officer, employee, contractor, or agent of a financial institution the individual responsibility for ensuring compliance with BOI security and information handling requirements. Accordingly, FinCEN believes that financial institutions have appropriate incentives to develop protocols and training programs that adequately train relevant financial institution staff on requirements for handing BOI based on the nature, scope, and risks presented in particular circumstances. 180 See generally Interagency Guidelines, supra note 168, p. 138. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 d. Consent To Obtain Information Proposed Rule. The CTA authorizes FinCEN to disclose a reporting company’s BOI to a financial institution only if the reporting company consents to the disclosure.181 Proposed 31 CFR 1010.955(b)(4) would have allowed FinCEN to disclose a reporting company’s BOI to a financial institution only if the reporting company consented to the disclosure. In addition, proposed 31 CFR 1010.955(d)(2)(iii) would have required a financial institution that wanted a reporting company’s BOI to obtain and document the company’s consent to having its BOI disclosed before requesting the BOI from FinCEN. Comments Received. FinCEN received comments for and against requiring financial institutions to obtain consent from reporting companies. It also received comments addressing specific aspects of how the consent process should be managed. Commenters in favor of imposing the requirement on financial institutions to obtain consent generally agreed with the rationale articulated in the proposed rule. In the preamble, the proposed rule reasoned that financial institutions are best positioned to obtain consent because they have (1) direct customer relationships with reporting companies, and (2) existing policies and procedures to obtain and document consent on other matters. Commenters agreed that financial institutions can leverage these existing relationships and processes to fulfill the consent requirement and did not view the additional requirement to be overly burdensome. Several commenters noted concerns, however, that a request by a financial institution to a reporting company for consent could be perceived to be ‘‘tipping off’’ reporting companies if the financial institution was investigating the company for suspicious activity. Two commenters recommended that FinCEN add provisions to prevent tipping off reporting company prospects or customers. Other commenters argued that FinCEN, rather than financial institutions, should obtain a reporting company’s consent. One commenter stated that FinCEN’s role as the central U.S. repository for BOI made FinCEN the appropriate choice for collecting consent and revocations of that consent. Another noted that FinCEN would have a direct relationship with reporting companies through the collection of BOI reports and could use the reporting mechanism to obtain and document consent. Commenters also suggested 181 31 PO 00000 U.S.C. 5336(c)(2)(B)(iii). Frm 00041 Fmt 4701 Sfmt 4700 88771 ways that FinCEN could facilitate reporting company consent at the time the company submits a BOI report. For example, FinCEN could generate a blanket notice to a reporting company at the time it submits a BOI report stating that government agencies and financial institutions can request the reporting company’s information for specific purposes. A related suggestion was to allow reporting companies to preauthorize financial institutions to access their BOI at the submission of the BOI report, as a way to reduce burdens on the reporting companies. Commenters covered additional subjects. One commenter noted that financial institutions already collect BOI from customers under existing requirements and argued that requiring explicit consent to retrieve the same information from another source—in this case FinCEN’s BO IT system—adds unnecessary complexity. Another commenter recommended delaying the consent requirement until FinCEN finalizes revisions to the 2016 CDD Rule. Two commenters stated that money launderers and other illicit actors who deliberately form shell companies to engage in criminal activity will see the consent requirement as an opportunity to further obscure their identity, noting that it is difficult to imagine a shell company providing consent to retrieve its BOI. Two commenters noted that the consent requirement could have unintended consequences on reporting company access to financial services. One commenter stated that reporting companies risk losing financial services if they do not provide consent. Another commenter stated that the consent requirement may push reporting companies to seek out alternative financing rather than provide financial institutions with consent to retrieve their BOI. FinCEN also received numerous comments about when and how reporting company consent should be obtained. Several commenters stated that consent should be obtained at account opening in a customeracknowledged agreement, not as a standalone document. Commenters also likewise requested that FinCEN expressly allow financial institutions to obtain consent in conjunction with other required consents and certifications, and through normal account opening and customer onboarding processes. Numerous commenters requested that FinCEN clarify that consent need only be obtained once at account opening and that it does not expire unless expressly revoked. One commenter stated that E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88772 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations consent should remain valid for the length of the customer relationship, and that a financial institution should not need to renew consent or notify a reporting company each time the financial institution retrieves its BOI. One commenter asked whether a reporting company changing its structure would affect its consent. That commenter also asked whether a new consent is required each time a reporting company customer opens a new account. Several commenters requested that FinCEN create standardized consent language for financial institutions to use to obtain a reporting company’s consent. One commenter requested that FinCEN explicitly permit reporting companies to grant consent on behalf of their parent companies. Several commenters proposed alternatives to requiring a reporting company to provide affirmative consent. Two commenters suggested permitting a reporting company to opt-out if it did not want to consent to its BOI being obtained by a financial institution. One commenter suggested that financial institutions be allowed to provide disclosures of intent to obtain a reporting company’s BOI from FinCEN that would be acknowledged by the reporting company, instead of requiring affirmative consent. Other commenters proposed alternatives to written affirmative consent, with one commenter suggesting a checkbox and another commenter suggesting replacing the term ‘‘written’’ with ‘‘documented’’ or defining ‘‘written’’ in a way that provides financial institutions with flexibility about how to implement the requirement. Several commenters suggested that any consent that satisfies these requirements should benefit from a safe harbor under which such consent is deemed effective. Two commenters stated that consent should be in writing and financial institutions should furnish a copy of that written consent to FinCEN when requesting the relevant BOI. Two other commenters expressed the opposite view that FinCEN should not require financial institutions to submit proof of consent. A few commenters requested clarification on how consent may be provided and by whom. Several commenters stated that FinCEN should expressly permit a financial institution to obtain consent from a reporting company customer authorizing the financial institution to use that customer’s BOI for broader purposes. Another commenter stated that financial institutions should be able to rely on VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 their affiliates to obtain consent, providing the example of futures commission merchants often relying on introducing brokers to engage with customers as a way of arguing that the former should be able to obtain a reporting company’s BOI based on consent obtained by the latter. One commenter requested a clear definition of what constitutes customer consent and sought guidance on when customer consent is deemed revoked. Several commenters requested clarification on how revocation should be documented, while others recommended that FinCEN issue guidance to financial institutions on what to do if a customer refuses to provide consent. Final Rule. FinCEN adopts the proposed rule with the clarification that reporting company consent must be documented but need not specifically be in writing. FinCEN cannot eliminate the consent requirement as suggested by commenters given that the CTA authorizes FinCEN to disclose a reporting company’s BOI to a financial institution only if the reporting company consents to the disclosure.182 Nor can FinCEN side-step the consent requirement by notifying reporting companies that financial institutions can request their BOI for specific purposes or treat the submission of a BOI report as implied consent. After carefully considering comments and the relative burdens and options, FinCEN continues to believe that financial institutions are better positioned to obtain and document a reporting company’s consent. As explained in the proposed rule, financial institutions are wellpositioned to obtain consent—and to track any revocation of such consent— given that they maintain direct customer relationships and are able to leverage existing onboarding and account maintenance processes to obtain reporting company consent. By contrast, considerable delay and burdens on reporting companies could result if FinCEN were to administer the consent process. For example, it would be impractical for FinCEN to administer a process through which a reporting company could consent to the disclosure of BOI to some financial institutions, but not others. It would also be administratively complex for FinCEN to establish a mechanism to timely verify and respond to consent requests, which could result in delays in a reporting company’s ability to access financial services. 182 31 PO 00000 U.S.C. 5336(c)(2)(B)(iii). Frm 00042 Fmt 4701 Sfmt 4700 The final rule does not prescribe any particular means by which a financial institution must obtain a reporting company’s consent. Rather, the final rule affords financial institutions substantial discretion in the manner in which they obtain consent. FinCEN recognizes that financial institutions vary greatly in customer bases, risk tolerance, and resources. All financial institutions obtain customer consent on a range of subjects and have existing policies and procedures for doing so that reflect their unique attributes. Those policies and procedures also reflect different legal requirements, including those involving consent in the data privacy context at the Federal and state levels. Additionally, in response to comments that suggested replacing the term ‘‘written’’ with ‘‘documented’’ to provide financial institutions with more flexibility in how to implement the requirement (e.g., via a checkbox), the final rule no longer requires consent to be in writing; it only requires that the consent be documented. FinCEN also believes that providing financial institutions with flexibility in how they implement this requirement will help minimize the burden associated with obtaining consent from reporting company customers. Financial institutions may satisfy this requirement through any lawful method of obtaining meaningful consent from a customer. As a consequence of offering this flexibility, however, FinCEN cannot offer a safe harbor for any particular method used to obtain consent. The final rule does not require a financial institution to notify a reporting company each time the financial institution retrieves the reporting company’s BOI from FinCEN, nor does it require financial institutions to submit proof of consent to FinCEN, unless otherwise required by law. The final rule only requires the financial institution to obtain a reporting company’s consent at a time prior to an initial request for the reporting company’s BOI from FinCEN, and it may rely on that consent to retrieve the same reporting company’s BOI on subsequent occasions, including to open additional accounts for that reporting company, unless the consent is revoked. The ability of financial institutions to broadly obtain reporting company consent is expected to alleviate concerns regarding ‘‘tipping off’’ reporting companies about investigations that require the retrieval of BOI. The final rule also does not address either revocation or expiration of consent. Rather, the final rule provides E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations flexibility to financial institutions to develop appropriate procedures and mechanisms with respect to the revocation of consent or the expiration of consent. This flexibility will allow financial institutions to develop processes appropriate to their size, business lines, and customer types, among other considerations, and provide reporting companies greater flexibility regarding the manner in which they provide and revoke consent—in contrast, a FinCEN mechanism will likely provide less flexibility and disadvantage both financial institutions and reporting companies. For example, if needed, financial institution may set terms through contract or otherwise to provide for the expiration of consent or revocation given that the final rule does not specify any time frames for expiration of consent. The final rule also does not articulate specific procedures or mechanisms through which a reporting company can provide or revoke consent, e.g., what forms or mechanisms a financial institution should use, which company representatives may provide or revoke consent, whether affiliates can consent on behalf of one another, when corporate changes would require obtaining new consent, or how financial institutions should handle customers who refuse to provide consent. Rather, FinCEN believes that it is appropriate to provide flexibility to a financial institution based on its practices and circumstances, as well as its extensive experience in implementing consent procedures in other contexts and subject to different legal requirements. FinCEN will consider additional guidance or FAQs if additional clarification is required. Lastly, FinCEN does not share concerns that the consent requirement could drive customers with legitimate business away from financial institutions. FinCEN’s 2016 CDD Rule already requires financial institutions to identify the beneficial owners of legal entity customers, and financial institutions regularly seek information from reporting companies regarding beneficial ownership information. As such, FinCEN does not expect reporting companies to systemically decline financial services because of the consent requirement and the availability of the FinCEN database to confirm reporting company BOI. e. Certification Proposed Rule. Proposed 31 CFR 1010.955(d)(2)(iv) would require a financial institution to ‘‘make a written certification to FinCEN’’ for each BOI VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 request that it: (1) is requesting the information to facilitate its compliance with customer due diligence requirements under applicable law; (2) obtained the reporting company’s ‘‘written consent’’ to request its BOI from FinCEN; and (3) fulfilled the other security and confidentiality requirements financial institutions must satisfy to receive BOI from FinCEN (as reflected in other provisions of § 1010.955(d)(2)). The Access NPRM indicated that a financial institution would be able to make the certification via a checkbox when requesting BOI via the BO IT system.183 Comments Received. One commenter suggested that the final rule should not require a financial institution to obtain a ‘‘written’’ certification from financial institutions. Final Rule. FinCEN is amending the proposed rule to require that financial institutions provide a certification to FinCEN ‘‘in such form and manner as FinCEN shall prescribe.’’ The revision in the final rule will allow FinCEN to take a flexible approach towards implementation of the certification requirement that takes into account a range of considerations, such as technological feasibility. Accordingly, FinCEN intends to prescribe a certification mechanism that seeks to minimize burdens and provide certainty, and may include checkboxes or other forms. As it develops the BO IT system, FinCEN anticipates that a financial institution will be able to make the certification via a simple checkbox when requesting BOI via the BO IT system. Additionally, FinCEN amends proposed § 1010.955(d)(2)(iv) to require a financial institution to certify that it has obtained and ‘‘documented’’ a reporting company’s consent to request the reporting company’s BOI from FinCEN. The revised approach eliminates the requirement for the financial institution to obtain ‘‘written’’ consent from the reporting company, requiring only that consent be ‘‘documented.’’ iii. Sensitivity of Beneficial Ownership Information Proposed Rule. Proposed 31 CFR 1010.955(a) states that information reported to FinCEN pursuant to 31 CFR 1010.380 is confidential and may not be disclosed except in certain enumerated circumstances.184 The draft rule identifies five categories of recipients who may receive BOI, with each category of disclosure limited to a 183 87 184 31 PO 00000 FR at 77422. U.S.C. 5336(c)(2)(A). Frm 00043 Fmt 4701 Sfmt 4700 88773 particular purpose or purposes, and an additional eight categories of authorized re-disclosure, plus a catch-all provision permitting FinCEN to authorize redisclosure in other circumstances.185 Comments Received. Commenters provided mixed views on the overall sensitivity of BOI and the security and confidentiality requirements that should be applicable to protect BOI from unauthorized use or disclosure and the privacy interests of beneficial owners and company applicants. Some commenters felt that the CTA’s confidentiality requirement was too broad, and that individuals should have little or no privacy interest in such information. One commenter noted that the CTA never identifies ‘‘privacy’’ as a statutory objective, arguing that while the CTA does direct FinCEN to build a secure database, ensuring data security is not equivalent to implementing privacy protections for individuals or entities. Another argued that individuals should not have any expectation of privacy over BOI because an entity ‘‘exists only through the public’s concession.’’ Others felt that the CTA’s confidentiality requirements were too narrow, highlighting the impact on small businesses. One commenter noted that the proposed rule did not provide adequate reassurances that the information would be protected; others felt that the disclosure provisions under proposed 31 CFR 1010.955(b) rendered the idea of confidentiality or privacy meaningless. Finally, as discussed above in section III.D.v.a, one commenter felt that the confidentiality requirements for BOI should mirror those for tax returns and tax return information under 26 U.S.C. 6103 to ensure that BOI is protected. Final Rule. The final rule adopts proposed 31 CFR 1010.955(a) as written. FinCEN considered the comments and is sensitive to concerns about data security and privacy. As discussed throughout this preamble, the CTA establishes that BOI is ‘‘sensitive information’’ and imposes strict security and confidentiality requirements on BOI. For example, 31 U.S.C. 5336(c)(2)(A) creates a baseline presumption of confidentiality with a provision on prohibition on disclosure by any individual who receives it. Other provisions reinforce the sensitivity of BOI and further limit such disclosures. For example, the CTA mandates ‘‘appropriate protocols’’ in order to disclose BOI to recipients, and even specifies procedural steps in certain 185 31 E:\FR\FM\22DER3.SGM U.S.C. 5336(c)(2)(B). 22DER3 88774 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations cases,186 such as the requirement that a State, local, or Tribal law enforcement agency obtain authorization from a court of competent jurisdiction to seek the information in a criminal or civil investigation. FinCEN is following the statutory requirements prescribed by Congress in the CTA in promulgating the security and confidentiality provisions in the final rule. On the other hand, FinCEN agrees with comments that the overarching goal of the CTA is to make BOI available to help law enforcement and agencies engaged in national security activities prevent and combat money laundering, terrorist financing, tax fraud, and other illicit activity, as well as protect national security. As discussed above in section III.D.v.a, FinCEN has declined to adopt provisions that mirror those in 26 U.S.C. 6103. The CTA provides detailed security and confidentiality requirements tailored to the BO IT system’s authorized uses and authorized recipients, and the final rule adopts these requirements to ensure the protection of this sensitive information. In addition, FinCEN believes that the requirements of 26 U.S.C. 6103 would impose a substantial burden on the overall functionality of the BO IT system and the requirement to establish a BOI database highly useful to law enforcement. For example, 26 U.S.C. 6103 at times requires Federal law enforcement to obtain a court order to access tax returns and tax return information, while the CTA imposes no such restriction.187 Further, the CTA envisions that financial institutions would have access to BOI for its customers through access to FinCEN’s database, while 26 U.S.C. 6103 has no analogous provision. Ultimately, FinCEN found this suggestion unworkable in the context of the CTA. to disclose BOI if FinCEN, in its sole discretion, finds that, with respect to the request, the requester has failed to meet any requirements of the rule, the BOI is being requested for an unlawful purpose, or other good cause exists to deny the request. Comments Received. FinCEN received several comments relating to the level of discretion that FinCEN can exercise in determining when to grant or deny a request for access to BOI. One commenter supported the proposed rule’s provisions related to FinCEN’s authority to reject requests for BOI as a faithful implementation of the CTA. A few commenters requested that FinCEN remove the words ‘‘sole discretion’’ from proposed 31 CFR 1010.955(e)(2)(ii). One commenter argued that there are significant protocols under the CTA to adequately protect the security and confidentiality BOI, so it is not consistent with the CTA for FinCEN to have unlimited discretion to reject or grant access. The commenter also noted that the CTA does not use the term ‘‘sole discretion.’’ Final Rule. The final rule adopts 31 CFR 1010.955(e)(2) as proposed. In FinCEN’s view, it is important to clearly state in 31 CFR 1010.955(e)(2)(ii) that FinCEN has the sole discretion to approve or deny requests for access to BOI because FinCEN has obligations under the CTA to protect the security and confidentiality of BOI, ensure that BOI is used for authorized purposes by authorized recipients, and to ensure audit and oversight of the BO IT System. The CTA does not require that FinCEN consult with any other agency or with those requesting access to BOI when it decides to grant or reject access. FinCEN believes it is within its authority under the CTA to decide, based on its sole discretion, whether to accept or reject a request for access to BOI. F. Administration of Requests ii. Suspension of Access Proposed Rule. In keeping with the CTA,188 proposed 31 CFR 1010.955(e)(3)(i) specified that FinCEN could suspend or debar a requesting agency or financial institution (referred to in the proposed provision as a ‘‘requesting party’’) from access to BOI for (1) failing to meet applicable regulatory requirements; (2) requesting BOI for an unlawful purpose; or (3) other good cause. Proposed 31 CFR 1010.955(e)(3)(ii) further specified that FinCEN could reinstate a suspended or debarred party’s access upon the latter satisfying any terms or conditions that FinCEN deems appropriate. The Access NPRM explained that suspension of ddrumheller on DSK120RN23PROD with RULES3 i. Rejection of Requests Proposed Rule. Proposed 31 CFR 1010.955(e)(1) provided that requests for BOI under 31 CFR 1010.955(b) shall be submitted to FinCEN in such form and manner as FinCEN shall prescribe. Proposed 31 CFR 1010.955(e)(2)(i) states that FinCEN will reject requests for BOI made under 31 CFR 1010.955(b)(4) (Disclosure to facilitate compliance with customer due diligence requirements) if such request is not submitted in the form and manner prescribed by FinCEN. Furthermore, proposed 31 CFR 1010.955(e)(2)(ii) provided that FinCEN may reject requests or otherwise decline 186 31 187 26 U.S.C. 5336(c)(3). U.S.C. 6013(i). VerDate Sep<11>2014 19:01 Dec 21, 2023 188 31 Jkt 262001 PO 00000 U.S.C. 5336(c)(6)–(7). Frm 00044 Fmt 4701 Sfmt 4700 access to BOI would be temporary while debarment would be permanent. FinCEN alone would determine suspension periods.189 Comments Received. One commenter asked for more information about how FinCEN would evaluate whether to suspend or debar a financial institution. This commenter also asked whether FinCEN or the financial institution’s appropriate state or Federal functional regulator would make the ultimate suspension or debarment decision, and whether a financial institution would have an opportunity to rebut a claim that it improperly used BOI. Several commenters asked how financial institutions should continue meeting their customer due diligence obligations if they lose access to BOI from FinCEN. One commenter viewed the use of the term ‘‘requesting party’’ in proposed § 1010.955(e)(3)(i) as limiting FinCEN to permanently debarring or temporarily suspending only entities rather than individual users as well. This commenter recommended that FinCEN clarify that there may be times when FinCEN wants to allow continued access by an agency or financial institution but disallow continued access by an individual user from that agency or financial institution. Final Rule. FinCEN adopts 31 CFR 1010.955(e)(3)(i) and (ii) with minor modifications. These final regulations as a whole establish the requirements that a financial institution must satisfy to obtain BOI from FinCEN, what they may do with the information, and how they must safeguard it. Section 1010.955(e)(3)(i) makes clear that failing to abide by these requirements and restrictions, including by requesting BOI for an unlawful purpose, can result in suspension or debarment from access to BOI. FinCEN further reserves the right to suspend or debar a requesting party for good cause involving other circumstances. As stated in the Access NPRM, the decision to suspend or debar a financial institution from access to BOI is subject to FinCEN’s sole discretion. Imposing limitations on that discretion as a regulatory matter, such as by implementing a ‘‘three strikes’’ rule on certain conduct while identifying other activity as grounds for immediate debarment, are premature and require further evaluation. FinCEN will make determinations on a case-bycase basis after considering the available facts and circumstances. FinCEN will continue to consider whether additional standards or limitations are needed to foster predictability, provide fairness, 189 87 E:\FR\FM\22DER3.SGM FR at 77423. 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 and enhance compliance after gaining experience. Questions about how a financial institution temporarily or permanently losing access to BOI from FinCEN might affect the institution’s ability to meet its customer due diligence obligations are also premature because they implicate the forthcoming 2016 CDD Rule revisions. FinCEN may address those issues in that future rulemaking. FinCEN, however, has decided to make modest changes to 31 CFR 1010.955(e)(3)—changing the term ‘‘requesting party’’ in 31 CFR 1010.955(e)(3)(i) and the term ‘‘requester’’ in 1010.955(e)(3)(ii) to ‘‘individual requester or requesting entity’’—in order to clarify that FinCEN may permanently debar or temporarily suspend individual users at an agency or financial institution in addition to the entity itself. G. Violations—Unauthorized Disclosure or Use Proposed Rule. Proposed rule 31 CFR 1010.955(f) tracks the CTA’s language making it unlawful for any person to knowingly disclose, or knowingly use, BOI obtained by that person, except as authorized by the CTA and these regulations. The rule applies to BOI whether the person obtained it directly or indirectly, and whether this information was contained in a report submitted to FinCEN under 31 CFR 1010.380 or disclosed by FinCEN under 31 CFR 1010.955(b). The rule goes on to broadly define ‘‘unauthorized use’’ to include accessing information without authorization, or ‘‘any violation’’ of the security and confidentiality requirements described in 31 CFR 1010.955(d) in connection with any access. Comments Received. Several commenters stated that they approved of the enforcement provisions of the proposed rule, largely in the context of providing comments to other parts of the rule. Otherwise, FinCEN did not receive substantive comments about the enforcement provisions. Final Rule. FinCEN adopts the rule as written and notes that the CTA provides civil penalties in the amount of $500 for each day a violation continues or has not been remedied. Criminal penalties are a fine of not more than $250,000 or imprisonment for not more than 5 years, or both.190 The CTA also provides for enhanced criminal penalties, including a fine of up to $500,000, imprisonment of not more than 10 years, or both, if a person commits a violation while violating another law of the United 190 31 U.S.C. 5336(h)(3)(B). VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period.191 H. Implementation Efforts i. Implications for Revision of the 2016 CDD Rule Proposed Rule. The preamble to the proposed rule discussed the requirement in section 6403(d) of the CTA that FinCEN revise the 2016 CDD Rule in order to (1) ensure that the rule conforms with the CTA; (2) address how financial institutions with customer due diligence obligations will access the database; and (3) reduce burdens on financial institutions and legal entity customers.192 The CTA requires that FinCEN revise the 2016 CDD Rule within one year of January 1, 2024, the effective date of the final BOI Reporting Rule, by rescinding paragraphs (b) through (j) of 31 CFR 1010.230.193 The preamble to the proposed rule noted that FinCEN will revise the 2016 CDD Rule at a later date instead of addressing it in this rulemaking. The preamble further stated that FinCEN expected that the revision of the 2016 CDD Rule would likely address the interaction of financial institutions’ existing customer due diligence efforts and the BOI database. The proposed rule did not otherwise address the required revision to the 2016 CDD Rule. Comments Received. Some commenters expressed that it was difficult to comment comprehensively on the Access NPRM as FinCEN has not yet issued a notice of proposed rulemaking concerning revisions to the 2016 CDD Rule. Other commenters, however, addressed the future rulemaking despite FinCEN’s express reservation of 2016 CDD Rule issues for consideration at a later date. In particular, these commenters identified several issues that they believe a revision of the 2016 CDD Rule should address in light of financial institution access to the BOI database. These issues included (1) whether FinCEN should mandate that financial institutions access the BOI database; (2) the verification and identification of financial institutions customers’ beneficial owners; (3) how to address discrepancies between the BOI database and the BOI that financial institutions 191 31 U.S.C. 5336(h)(3)(B)(ii)(II). CTA, section 6403(d)(1)(A)–(C). 193 CTA, section 6403(d)(1), (2). The CTA orders the rescission of paragraphs (b) through (j) directly (‘‘the Secretary of the Treasury shall rescind paragraphs (b) through (j)’’) and orders the retention of paragraph (a) by a negative rule of construction (‘‘nothing in this section may be construed to authorize the Secretary of the Treasury to repeal . . . [31 CFR] 1010.230(a)[.]’’). 192 See PO 00000 Frm 00045 Fmt 4701 Sfmt 4700 88775 receive directly from their customers; (4) whether there should be a safe harbor for financial institutions in case of such discrepancies; and (5) regulatory expectations related to financial institutions’ use of the BOI database. FinCEN also received comments on a number of technical issues related to specific provisions of the 2016 CDD Rule, the desirability of changes to those provisions, and the overall process of revision. Final Rule. FinCEN appreciates the comments on the interaction of the proposed rule with the forthcoming revision to the 2016 CDD Rule but declines to make modifications in this final rule based on consideration of the forthcoming revision. Furthermore, comments that relate to how FinCEN should revise the 2016 CDD Rule are not addressed in this rule. However, FinCEN will consider these comments in its development of a notice of proposed rulemaking on this topic in the future. Covered financial institutions will continue to be subject to the existing 2016 CDD Rule until a revision of that rule is effective. In addition, FinCEN, in consultation with the Federal functional regulators, will issue guidance on this topic as appropriate. While FinCEN is reserving consideration of certain issues for the 2016 CDD Rule revision, comments on the Access NPRM are addressed here— in particular those comments that are relevant to the use of the BOI database by financial institutions in the period between the effective date of this final rule and the revision to the 2016 CDD Rule. FinCEN is also addressing comments that requested specific changes to this final rule in connection with reporting discrepancies in BOI, as well as those that requested a definitive authorization to rely on BOI or a definitive exemption from liability (a safe harbor provision). FinCEN addresses these matters as follows. Some commenters requested that FinCEN explicitly state in this final rule that use of the BOI database by financial institutions is not mandatory. As with the proposed rule, the final rule outlines who may access the BOI database and for what purpose; however, it does not require financial institutions to access the BOI database, nor does it speak to what financial institutions’ obligations may be once the 2016 CDD Rule is revised. FinCEN expects to more fully address the question of the extent to which, and how, financial institutions should access the BOI database for the purpose of fulfilling their customer due diligence obligations when FinCEN revises the 2016 CDD Rule. As E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88776 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations explained in section III.C.iv.b.1, the final rule does not create a new regulatory requirement for financial institutions to access BOI from the BO IT System or a supervisory expectation that they do so. Thus, the Access Rule does not necessitate changes to BSA/ AML compliance programs designed to comply with existing BSA requirements, such as the 2016 CDD Rule, customer identification program requirements,194 and suspicious activity reporting.195 However, any access to and use of BOI obtained from the BO IT System must comply with the requirements of the CTA and the Access Rule. Similarly, on the issue of discrepancies between the BOI that financial institutions obtain from FinCEN and the BOI that they obtain directly from their customers, several commenters asked FinCEN to clearly state in the final rule that financial institutions would not be required to report discrepancies. This final rule does not require financial institutions to access the BOI database, nor does it require them to report discrepancies between information obtained from customers and BOI obtained from FinCEN, if any are discovered. This final rule also does not change a financial institution’s obligations under other provisions of the BSA and implementing regulations, including the regulatory requirement for financial institutions to maintain an anti-money laundering program that involves, among other things, the reporting of suspicious transactions to FinCEN.196 FinCEN declines to follow suggestions from commenters that the final rule address this subject. If FinCEN finds that additional guidance or regulatory changes are necessary, it may issue stand-alone guidance or take up the subject in a later rulemaking such as the revision of the 2016 CDD Rule. The issues raised by commenters relating to handling discrepancies and the provision of a safe harbor are connected to the issue, also raised by commenters, of the extent to which financial institutions may rely on BOI obtained from FinCEN for the purpose of fulfilling their regulatory customer due diligence requirements. As explained above, revisions to the 2016 CDD Rule and its requirements will be the subject of a future rulemaking. However, FinCEN appreciates the consideration of these issues, as reflected in the comments already submitted, and FinCEN will take them 194 31 CFR 1010.220. CFR 1010.320. 196 See 31 CFR 1020.320. 195 31 VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 into account in the context of that future rulemaking. Finally, with respect to the comments that raised concerns about regulatory expectations, FinCEN continues to work closely with Federal functional regulators on how financial institutions are examined with respect to their use of the BOI database to facilitate compliance with customer due diligence requirements under applicable law, including the 2016 CDD Rule and its revision. As part of this effort, FinCEN will continue consulting with the Federal functional regulators on whether to issue guidance in this area. ii. Information Technology Systems Issues a. Access—In General Comments Received. Several commenters made general comments on access to beneficial ownership information reported to FinCEN. Two commenters made statements that access to BOI should be simple, uncomplicated, and timely. One commenter stated that the beneficial ownership database should be built so that it maximizes access to authorized users with eventual public access in mind. Another commenter stated that the final rule should clarify that the structure and nature of the access protocols in the CTA are meant to facilitate auditable and technologicallyenabled access to the BOI database, and that access will generally not be considered by FinCEN on a case-by-case basis. One commenter stated that any required certifications should be filed electronically. Another commenter stated that BOI should be available in bulk, noting that bulk data formats will allow users to find patterns or red flags relating to beneficial ownership, or to assess and improve data quality. Another commenter requested that financial institutions have the ability to submit required certifications and access BOI on a bulk, automated basis. This commenter noted that if access to the BO IT system requires manual submissions on a customer-by-customer basis, this would be unnecessarily cumbersome and would adversely impact the ability of financial institutions to use information from the database effectively and efficiently for illicit finance risk management. Two commenters requested that FinCEN clarify what information authorized users will receive from the BO IT system, and that such information should include the chain of ownership between the reporting company and the beneficial owners. Several commenters PO 00000 Frm 00046 Fmt 4701 Sfmt 4700 requested clarification as to whether authorized users will have access to the underlying BOI when a FinCEN identifier is included in a beneficial ownership information report in lieu of the personal identifying information of a beneficial owner or company applicant. One commenter suggested that this be explicit in the regulatory text. Another commenter explained that if a bank relies on a BOI report with FinCEN identifiers in lieu of know-yourcustomer/customer identification program information, it will be unable to fully conduct customer due diligence or enhanced due diligence. Another commenter noted that FinCEN should provide BOI in a structured data format, and recommended that FinCEN adopt the Beneficial Ownership Data Standard (BODS) as the common data standard for BOI stored in the IT system so that the data is compatible with other jurisdictions’ BOI databases. One commenter suggested that one authorized access be assigned to each entity, and that each entity should be held responsible for controlling who uses that access. Another commenter stated that ensuring limited access to beneficial ownership data is essential to help with public confidence in the system and for compliance purposes and encouraged FinCEN to think about how to prevent, mitigate, and manage potential data breaches that could occur, including how affected parties will be notified and how remedies can be implemented within reasonable timelines. This commenter also suggested that FinCEN should have the highest protective protocols in place for the database and that access to the database should be tracked, so that FinCEN is aware at all times of who has access to the database and who is making requests. Further, given the sensitive nature of BOI and the limited uses for which BOI obtained from FinCEN might be used, one commenter requested that FinCEN consider providing financial institutions with confirmation that BOI was obtained from FinCEN. Response. FinCEN appreciates the need to provide automated, userfriendly access to the BO IT system, and is developing the BO IT system against those parameters and the requirements set forth in the CTA. Notably, the CTA does not provide for public access to BOI, and the modalities for authorized users to access BOI reflect that fact. With respect to comments regarding bulk access to BOI, FinCEN does not, at this time, anticipate providing bulk data exports of BOI to authorized users. However, FinCEN expects that financial E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations institutions will use Application Programming Interfaces (APIs) to access BOI, and that the BO IT system will accommodate the use of APIs for this purpose (including the submission of required certifications). Regarding comments that FinCEN should avoid engaging in case-by-case reviews of BOI access requests, FinCEN notes that this is generally consistent with the proposed access modalities for the six categories of authorized users. Although FinCEN had initially proposed a case-by-case review mechanism for State, local, and Tribal law enforcement agency requests for BOI, it has eliminated that requirement from the final rule. FinCEN will review certain requests for BOI from a ‘‘trusted foreign country’’ on a case-by-case basis, but believes that the case-by-case handling of those requests is warranted given their nature (i.e., they are requests from a foreign government that are not governed by an existing treaty, agreement, or convention) and the fact that foreign governments, per the CTA, must submit requests for BOI through an intermediary Federal agency and will not have direct access to the BO IT system. Two commenters requested that FinCEN clarify what information authorized users will receive from the BO IT system, and that such information should include the chain of ownership between the reporting company and the beneficial owners. Other commenters requested clarification as to whether authorized users will have access to the underlying BOI when a FinCEN identifier is included in beneficial ownership information report in lieu of the personal identifying information of a beneficial owner or company applicant. FinCEN will disclose to authorized users the information that reporting companies are required to report under 31 CFR 1010.380(b). This means that authorized users will receive information about (1) the reporting company, (2) its beneficial owners, and (3) any company applicants. For the reporting company, authorized users will receive a transcript with (1) the full legal name and any trade or ‘‘doing business as’’ names of the reporting company, (2) the complete current address of the reporting company, (3) the State, Tribal, or foreign jurisdiction of formation of the reporting company, (4) for a foreign reporting company, the State or Tribal jurisdiction where the foreign reporting company first registers, and (5) the IRS Taxpayer Identification Number or foreign tax identification number of the reporting company. For beneficial owners or VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 company applicants, authorized users will receive a transcript with (1) the full legal name of the individual, (2) the individual’s date of birth, (3) a complete current address, and (4) the unique identifying number and the issuing jurisdiction from an acceptable identification document (i.e., a nonexpired U.S. passport, a non-expired identification document issued to the individual by a State, local government, or Indian tribe for the purpose of identifying the individual, a nonexpired driver’s license issued to the individual by a state, or a non-expired passport issued by a foreign government to the individual). Images of individuals’ identification documents will be made available to Federal agencies engaged in law enforcement, national security, or intelligence activities, or to State, local, or Tribal law enforcement agencies. Information associated with a FinCEN identifier that has been reported in a beneficial ownership information report will be included in the BOI transcripts made available to authorized users. Lastly, FinCEN intends to mark BOI reports to identify them as originating from FinCEN’s BO IT system. In respect of data format, FinCEN evaluated existing data standards, which includes Extensible Markup Language (XML), and the Open Ownership (OO) data standards when developing its beneficial ownership data standards. To the extent possible, FinCEN did use those standards in the OO data catalog that could be incorporated consistent with the CTA. The BO IT system will adhere to FISMA (Federal Information Security Management Act) ‘‘High’’ standards, which require implementing the highest level of security controls for a system at the unclassified level, to help protect against the loss of confidentiality, integrity, or availability of information. For the BO IT systems, FinCEN is responsible for implementing Executive Order 14028 (‘‘Improving the Nation’s Cybersecurity’’), Treasury’s Zero Trust mandates, Continuous Diagnostic Mitigation Program, and other Federal directives to protect systems and information. In addition, Treasury has established a Cyber Review Board, which has established the Treasury Incident Coordination Process (T–ICP) to appropriately escalate any data breaches and compromises. b. IT System Search Capabilities Comments Received. FinCEN received comments both on how all authorized users would conduct searches for BOI in the IT system, and more specific comments about how financial PO 00000 Frm 00047 Fmt 4701 Sfmt 4700 88777 institutions would conduct searches. Multiple commenters requested that all users be able to search using a wide range of search fields or that FinCEN adopt a layered approach in which some users would be able to conduct wider ranging searches while others would be more limited. One commenter also requested that users be able to search for historical BOI on a single reporting company. Commenters also highlighted the need for information on how authorized users can access BOI and requested that FinCEN provide guidance for users in conducting searches in the form of pre-populated forms, templates, guidance documents, FAQs, or an ‘‘access toolkit.’’ With respect to financial institution access, several commenters argued that the proposed level of financial institution searching capabilities is far too restrictive and should mirror that of law enforcement agencies so financial institutions can conduct broad and open-ended queries. One commenter stated that financial institutions should be able to broadly search throughout the BOI database to learn more about a specific customer’s beneficial owners and their connections to other companies in order to strengthen their customer due diligence compliance. Many commenters also requested that FinCEN adopt technologies that would facilitate immediate, on-demand access to BOI that would be compatible with financial institutions’ systems, and the most common request was for FinCEN to allow the use of APIs to access the IT system. Some commenters asked FinCEN to clarify that FinCEN would not manually review and approve each request to search the database, as this could overwhelm FinCEN’s capabilities considering the number of search requests. Many commenters requested an automated system for financial institutions to certify their requests for access and be approved by FinCEN so that they could conduct bulk searches instead of individual searches, and they argued that the proposal in the NPRM of a single ‘‘electronic transcript’’ per BOI search would be costly and inefficient. Commenters also requested that FinCEN make changes to the information FinCEN requires from financial institutions to conduct searches, and one commenter argued that FinCEN should require that financial institutions use a reporting company’s FinCEN identifier as an added security measure. Finally, related to financial institution searches of the database, a few commenters asked that, prior to January 1, 2024, FinCEN clarify how financial institutions would be informed when their queries match or E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88778 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations fail to match data in the database, and how FinCEN will handle query errors and mismatches generally. One commenter provided specific suggestions for a matching system that FinCEN could use. Response. As explained in the proposed rule, FinCEN expects that there will be differing levels of access to the BO IT system, depending on the type of authorized BOI recipient. Domestic agency users (i.e., Federal agencies engaged in national security, intelligence, and law enforcement activity; Treasury officers and employees who require access to BOI to perform their official duties or for tax administration; and State, local, and Tribal law enforcement agencies) will be able to access and query the BO IT system directly. This type of access would permit authorized individuals within an authorized recipient agency to log in, run queries using multiple search fields, and review one or more results returned immediately. This broad access to the BO IT system will allow domestic agency users to conduct a wide range of searches using a variety of search fields. FinCEN believes this broad, flexible access for domestic agency users is necessary to enable them to use BOI effectively to facilitate investigations or other activities for which they may obtain BOI. As discussed in the proposed rule, such broad search capabilities within the BO IT system require domestic agencies to clearly understand the scope of their authorization and their responsibilities under it. That is why the proposed rule establishes protocols for requirements, limitations, and expectations with respect to searches by domestic agencies of the BO IT system. As part of these protocols, each domestic agency would first need to enter into an MOU with FinCEN before being allowed access to the system. Several commenters also requested that FinCEN provide guidance to users on how to conduct searches. FinCEN expects to offer guidance and training for all authorized users on the use of the BO IT system, similar to the trainings it provides to law enforcement and others on access to BSA data. As noted in the proposed rule, other categories of authorized BOI recipients will have more limited search capabilities. Foreign BOI recipients will have no access to the BO IT system, as their requests will flow through an intermediary Federal agency. Financial institutions and their regulators (Federal functional regulators and other appropriate regulatory agencies) would both have direct access to the BO IT system, albeit in more limited form than VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 domestic agency users. The difference in access between domestic government agencies and financial institutions is explained by the provisions of the CTA, which require the consent of the reporting company before a financial institution may obtain the company’s BOI from FinCEN. FinCEN anticipates that once a financial institution has obtained that consent, the financial institution would submit identifying information specific to that reporting company and receive in return an electronic transcript with that entity’s BOI. FinCEN anticipates that financial institutions will be able to obtain a transcript immediately after submitting the search request; financial institutions’ search requests will not be subject to manual review. Because of the need to limit financial institution access to those BOI transcripts for which it has reporting company consent, FinCEN believes that it would not be consistent with this statutory requirement to allow financial institutions to broadly query the BO IT system, which may result in the financial institutions obtaining information about other reporting companies or beneficial owners for which they do not have consent. One commenter suggested that FinCEN require financial institutions to use a reporting company’s FinCEN identifier for the search as an added security measure. FinCEN notes, however, that reporting companies are not required to obtain FinCEN identifiers, and not all reporting companies will request them. With respect to Federal functional regulators and other appropriate regulatory agencies exercising supervisory functions, the CTA allows these agencies to request from FinCEN BOI that the financial institutions they supervise have already obtained from FinCEN, but only for assessing a financial institution’s compliance with customer due diligence requirements under applicable law. FinCEN expects regulators acting in this supervisory capacity to be able to retrieve any BOI that the financial institutions they supervise received from FinCEN during a particular period, but they will not be able to broadly search the BO IT system. However, Federal functional regulators and other appropriate regulatory agencies responsible for bringing civil enforcement actions will be able to avail themselves of the broader search functionality described above for domestic agency users. c. Notification of Updates or Changes to BOI Comments Received. Several commenters argued that the final rule should provide more clarity on whether PO 00000 Frm 00048 Fmt 4701 Sfmt 4700 FinCEN will provide financial institutions with the updates to BOI that reporting companies provide when there are changes to that company’s BOI. These commenters specifically asked that FinCEN create a mechanism for automated updates of BOI to financial institutions when reporting companies change their BOI. Commenters argued that such automated updates would meet the requirements of the CTA that BOI provided to FinCEN is ‘‘highly useful’’ and assists financial institutions in meeting their customer due diligence and AML/CFT obligations. A few commenters requested that FinCEN develop a ‘‘push’’ notification system for the automated updates, and others requested a system in which financial institutions could sign up for updates when they first queried the database for a reporting company’s BOI. Commenters also suggested that financial institutions could be given a choice to ‘‘opt out’’ at any point, such as when a financial institution’s customer withdraws consent for searches of its BOI. Response. FinCEN appreciates the commenters’ suggestions regarding the BO IT system functionality. FinCEN will consider these suggestions as a possible future enhancement to the BO IT system. d. Inability and Loss of Access Comments Received. Several commenters asked FinCEN how financial institutions should continue meeting their customer due diligence obligations in the event of an unexpected event that results in loss of access to the BO IT system, such as a system outage or cyberattack that causes the system to be inaccessible. One commenter asked for FinCEN to clarify whether access to the system would be limited to business days and whether financial institutions would be prohibited from opening accounts during times of inaccessibility. Response. FinCEN anticipates that the BO IT system will be available for access 24 hours a day and 7 days a week. When there are planned system outages for regular maintenance activities or period of unexpected system unavailability, FinCEN will provide appropriate notification to users. Questions pertaining to the use of BOI for 2016 CDD rule compliance will be addressed in FinCEN’s forthcoming proposed rule to revise 31 CFR 1010.230. e. Verification of Beneficial Ownership Information In the preamble to the proposed rule, FinCEN stated that it continues to E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations review the options available to verify BOI within the legal constraints in the CTA. It also clarified that in the term ‘‘verification,’’ as FinCEN uses it in this context, means confirming that the reported BOI submitted to FinCEN is actually associated with a particular individual. Comments Received. FinCEN received several comments on the issue of verification of the beneficial ownership information it will receive under 31 CFR 1010.380. Commenters argued that FinCEN is required by the CTA to verify information in the BO IT system, and that such verification is necessary to ensure the BOI reported to FinCEN is ‘‘accurate, complete, and highly useful’’ consistent with the CTA. Some commenters urged FinCEN itself to verify data in the BOI database, while others suggested that verification should involve coordination with other governmental agencies and that such coordination is required by the CTA. Suggested verification mechanisms included checks against the Consular Consolidated Database maintained by the Department of State, the National Law Enforcement Telecommunications System, the U.S. Postal Service, and Departments of Motor Vehicles. One commenter noted that any verification method should be efficient and not burdensome to businesses. Some commenters noted the experience of other countries in verifying information in their beneficial ownership registers, and that FinCEN’s proposal did not meet the verification requirements set forth by FATF. Others noted that FinCEN’s definition of ‘‘verification’’ was unduly narrow and should be expanded to include verifying both that identifying information submitted is for an actual person and that the BOI is related to the named reporting company. Multiple commenters argued that verification, by ensuring BOI was accurate and complete, would reduce burden for financial institutions (or concomitantly, that failing to verify BOI would increase burden by imposing additional compliance costs on financial institutions). Commenters also argued that BOI would not be useful for financial institutions without verification. Multiple commenters suggested that FinCEN explore verification using privacy-protected data sharing mechanisms such as a ZeroKnowledge Proof which match certain data elements without requiring any of the parties to exchange or disclose the underlying data. With respect to the timing of verification, one commenter suggested that cross-checking information should VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 happen at the time an entity is formed and that financial institutions should therefore not have to collect the information but instead access the FinCEN database to assist in customer due diligence. Other commenters suggested that information should be verified upon submission to FinCEN. One commenter noted that FinCEN could increase the usefulness of the database by sanctions screening BOI against OFAC’s Specially Designated Nationals and Blocked Persons List and alerting users who access such BOI. Response. Although verification is not addressed in this rule, FinCEN appreciates the comments on this topic and is carefully considering the suggestions provided. FinCEN agrees that verification is an important part of its overall efforts to ensure that the BOI reported to it is ‘‘accurate, complete, and highly useful’’ and continues to assess options to verify BOI taking into consideration practical, legal, and resource challenges. f. Other IT System Issues Comments Received. FinCEN received additional comments pertaining to the functionality or use of the BO IT system. Two commenters suggested that FinCEN should make the BO IT system compatible with other countries’ databases. Others suggested that FinCEN provide a proof of registration page when a BOI report is successfully filed. Another commenter noted that the proposed rule does not address whether authorized users may make copies of the BOI reports they obtain from the BO IT system. One commenter recommended that FinCEN develop an interactive database which discloses generic BOI database query trends. Response. FinCEN appreciates these ideas and will take them into consideration as it continues to implement the CTA. iii. The Proposed BOI Reporting Form Comments Received. While not the subject of this proposed rule, FinCEN received several comments on the proposed Beneficial Ownership Information Report (BOIR), which is the form that FinCEN will use to collect beneficial ownership information from reporting companies pursuant to 31 CFR 1010.380. Commenters were critical of checkboxes on the proposed BOIR form that would provide a mechanism for reporting companies to indicate when they are unable to obtain certain information about the reporting company’s beneficial owners and company applicants. Several of these commenters requested that FinCEN remove all such checkboxes. Two PO 00000 Frm 00049 Fmt 4701 Sfmt 4700 88779 commenters expressed concern with the quality and reliability of BOI if reporting companies are allowed to indicate that they are unable to identify beneficial owners entirely or provide only certain information associated with beneficial owners. One commenter stated that the checkboxes would act as a roadblock to banks’ compliance with customer due diligence obligations and principles. One commenter stated that inclusion of the checkboxes supports financial institutions’ voluntary use of BOI. One commenter stated that submission of declarations where the reporting company does not know who its beneficial owners are should not be permitted outside exceptional circumstances and that in such circumstances, the reporting company should submit supporting evidence and an explanation why the person is anonymous or their identity is unknown. Response. As part of its obligations under the Paperwork Reduction Act of 1995 (PRA), FinCEN separately solicited public comment on the proposed BOIR form through a 60-day PRA notice, issued on January 17, 2023.197 Given that the BOIR form is outside the scope of this rulemaking and was instead the subject of the 60-day PRA notice, FinCEN considered the comments it received on the form as part of its consideration of the comments received in response to the 60-day PRA notice. Pursuant to the PRA, on September 29, 2023, the Department of the Treasury, on behalf of FinCEN, published a 30-day PRA notice, which considered these comments and proposed a revised approach to the BOIR form.198 OMB approved the proposed BOIR form on November 27, 2023. iv. Outreach and Guidance Proposed Rule. FinCEN acknowledged in the proposed rule that implementation of the final rule will require additional engagement with stakeholders to ensure a clear understanding of the Access Rule’s requirements, including through guidance and FAQs, help lines, and other communications. In question 29 in the Access NPRM, FinCEN asked what specific issues FinCEN should address via public guidance or FAQs as well as whether there were specific recommendations on engagement with stakeholders to ensure that the authorized recipients—in particular, State, local, and Tribal authorities and small and mid-sized financial 197 88 198 88 E:\FR\FM\22DER3.SGM FR 2760 (Jan. 17, 2023). FR 67443 (Sept. 29, 2023). 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88780 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations institutions—are aware of requirements for access to the BO IT system. Comments Received. FinCEN received a variety of comments in response to the outreach questions in the Access NPRM. Commenters noted that a Small Entity Compliance Guide and FAQs, available well in advance of any effective date, would be useful for authorized users of the BO IT system. Training videos and step-by-step guides for each type of authorized recipient, including an online tip platform, would also improve CTA effectiveness. Commenters also suggested the importance of having educational materials for foreign requesters available in as many languages as feasible. Those commenters stated that the guidance on foreign access should include examples, templates, forms, and other materials that can streamline the process as much as possible. Several commenters suggested developing guidance and educational materials for financial institutions, Certified Public Accountants, and Secretary of State offices that could be provided to their customers and constituents. One commenter specifically highlighted a variety of national law enforcement and tribal association annual conferences where FinCEN should present and be available to educate participants on access to, and the utility of, the BO IT system. Regarding engagement with potential foreign requesters, one commenter suggested that FinCEN consider discussing access requirements with the key foreign partners of Federal agencies. One commenter recommended that FinCEN use clear font styles and sizes, avoid small footnotes and legalese, and use contrasting colors. Final Rule. As with the Reporting Rule published on September 30, 2022,199 FinCEN envisions committing significant resources upon publication of the final Access Rule to prepare for and enable successful implementation. FinCEN anticipates that these resources will be used to conduct outreach, as well as draft and issue guidance, user guides, FAQs, and other educational materials. FinCEN recognizes the need to ensure that reporting companies, authorized users, and other stakeholders have a thorough understanding of the beneficial ownership Reporting and Access Rules and their requirements, both before and after the effective date of the rules. FinCEN also remains mindful of the imperative to minimize burdens on reporting companies, financial institutions, and authorized users while also fulfilling the CTA’s directives for establishing an effective 199 87 FR at 59548. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 reporting and access framework. FinCEN appreciates that outreach and education is an important element of the effort to reduce compliance burdens and enhance the utility of the BO IT system. In addition to its planned outreach and educational efforts, FinCEN continues to track inquiries coming into its Regulatory Support Section and will draw on those inquiries when planning outreach and drafting future guidance and educational materials. FinCEN notes that 31 U.S.C. 5336(g) requires the Director of FinCEN, in promulgating regulations carrying out the CTA, to reach out to the small business community and other appropriate parties to ensure efficiency and effectiveness of the process for the entities subject to the CTA’s requirements. FinCEN has engaged in such outreach throughout the Access rulemaking processes. As noted in the Access NPRM, FinCEN conducted more than 30 outreach sessions to solicit input on how best to implement the statutory authorizations and limitations regarding BOI disclosure. Participants included representatives from Federal agencies, state courts, state and local prosecutors’ offices, Tribal governments, financial institutions, financial SROs, and government offices that had established BOI databases. Topics discussed included how stakeholders might use BOI, potential IT system features, circumstances in which potential stakeholders might need to redisseminate BOI, and how different approaches might help further the purposes of the CTA. These conversations helped FinCEN refine its thinking about how to create a useful database for stakeholders while protecting BOI and individual privacy. FinCEN intends to continue its substantial outreach to stakeholders, including Federal and state law enforcement officials, Indian Tribes, trade groups, and others, to ensure coordinated efforts to provide notice and sufficient guidance to all potential authorized users. FinCEN will also provide guidance materials and training materials for authorized users of the BO IT system. FinCEN appreciates the suggestions on how to minimize burden to State, local, and Tribal authorities and make the use of the BO IT system as effective as possible. FinCEN currently administers access to the FinCEN Query system and would build on its experience and contacts with law enforcement agencies and others in administering access to and providing training on BOI access. PO 00000 Frm 00050 Fmt 4701 Sfmt 4700 I. Other Access NPRM Comments i. Inspector General Complaint Process Comments received. One commenter stated that the proposed rule lacked any acknowledgement of the user complaint process established in the CTA.200 The CTA provides that the Inspector General of the Department of the Treasury, in coordination with the Secretary of the Treasury, shall provide public contact information to receive external comments or complaints regarding the beneficial ownership information notification and collection process or regarding the accuracy, completeness, or timeliness of such information. The CTA also requires the Inspector General to make a periodic report to Congress on user complaints and any resulting recommendations to ensure the beneficial ownership information reported to FinCEN is accurate, complete, and highly useful.201 Response. FinCEN is cognizant of the CTA’s requirements with respect to the user complaint process. FinCEN acknowledged Treasury OIG’s role in this process in the final beneficial ownership Reporting Rule, noting that the Treasury OIG had established an email inbox (CorporateTransparency@ oig.treas.gov) to receive such complaints.202 FinCEN expects that officers and employees of OIG, as officers and employees of the Department of the Treasury, would have access to BOI in the BO IT system for any official duties that require access to information in that system, including for purposes of fulfilling the Treasury OIG’s responsibilities under the user complaint process as outlined in the CTA. ii. Effective Date Proposed Rule. FinCEN proposed an effective date for the Access Rule of January 1, 2024, to align with the date on which the Reporting Rule at 31 CFR 1010.380 becomes effective.203 FinCEN explained in the proposed rule that a January 1, 2024, effective date is intended to provide the public and authorized users of BOI with sufficient time to review and prepare for implementation of the rule.204 Comments Received. Several commenters expressed concern about the January 1, 2024, effective date. One commenter stated that it is unlikely that FinCEN will be able to promulgate a final access rule by the end of 2023 or 200 31 U.S.C. 5336(h)(4). 201 Id. 202 87 203 87 FR 59498, 59508. FR 77404, 77425. 204 Id. E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations that the related BO IT system will be built, tested, and operational by the end of 2023. The commenter noted that it is unlikely that authorized users will have met the regulatory obligations that are prerequisites to their ability to access BOI by that date. The commenter suggested that FinCEN should set out a manageable, realistic timeline extending past January 1, 2024, and communicate this timeline to all stakeholders. Another commenter expressed concern about a ‘‘go live’’ date of January 1, 2024,205 and the ability of FinCEN and financial institutions to make the necessary implementation preparations by that date given resource constraints. This commenter suggested that FinCEN delay the effective date of the beneficial ownership rules and consider a staged implementation approach. Finally, another commenter expressed concern that the effective date of FinCEN’s beneficial ownership rules will coincide with a regulatory action by the Consumer Financial Protection Bureau, which would overwhelm financial institution compliance staff. Final Rule. This final rule will be effective February 20, 2024. However, the effective date of the Reporting Rule remains January 1, 2024, and FinCEN continues to target January 1, 2024, for the release of the BO IT system. Given the publication date of this final rule in advance of January 1, 2024, and FinCEN’s phased implementation approach outlined in section II.D.iii, FinCEN believes authorized users will have sufficient advance notice of the requirements of this rule. FinCEN appreciates these comments and pragmatic suggestions and will make adjustments to its implementation plans if circumstances warrant. With respect to concerns about potential overlap with another significant regulatory action, FinCEN notes that under the Reporting Rule, existing reporting companies will have one year (until January 1, 2025) to file their initial beneficial ownership reports. FinCEN also notes that there is no requirement in the rule that authorized users of the BO IT system access the system immediately upon the effective date of this rule. The final CTA-related rulemaking to revise FinCEN’s customer due diligence rule must occur no later than one year after the effective date of the Reporting Rule, or January 1, 2025, and this process will likely extend into 2024.206 205 The commenter actually referred to January 1, 2025, but FinCEN believes this was a typographical error intended to refer to January 1, 2024. 206 CTA, section 6304(d). VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 iii. Budget and Staffing Proposed Rule. The preamble of the proposed rule included a discussion of FinCEN’s resource constraints with respect to implementation of the CTA.207 FinCEN noted in that discussion that without the availability of additional appropriated funds to support this project and other missioncritical services, FinCEN may need to identify trade-offs, including with respect to guidance and outreach activities, and the staged access by different authorized users to the database. Comments Received. One commenter made note of this discussion in the proposed rule and requested a fuller explanation of the staged access approach. This same commenter also observed that FinCEN would likely receive an exponentially greater number of inquiries and requests for technical support from filers and users of the BO IT system than it currently handles and that FinCEN will need to hire and train hundreds of support personnel in the next twelve months. Another asked what ‘‘staged access’’ means and noted that the final rule should address specifics about this and how it will impact community banks. Finally, one commenter suggested that FinCEN address its resource constraints by considering a professional internship program to address short term staffing needs to support CTA implementation. Response. As previewed in the proposed rule, FinCEN has undertaken efforts to identify options to implement the requirements of the CTA within its current resources. One of several options to manage implementation in the current resource-constrained environment is to implement a phased rollout of access to the BO IT system— meaning that different groups of authorized users would obtain access to the system at different times in a set timeframe. As discussed further in section II.D.iii, to manage smoothly the draw on resources that this process will demand, FinCEN will take a phased approach to providing access to the BO IT system. FinCEN continues to move expeditiously to put in place the necessary infrastructure to implement the CTA and to provide adequate guidance and support to reporting companies and authorized users of the BO IT system. To this end, FinCEN is currently working to implement and staff a dedicated beneficial ownership contact center to field both substantive and IT-related inquiries. FinCEN has 207 87 PO 00000 FR 77404, 77408. Frm 00051 Fmt 4701 Sfmt 4700 88781 also hired additional full-time staff who will be assigned to support the beneficial ownership portfolio and has procured additional contractor support for FinCEN’s CTA implementation efforts. Any changes to FinCEN’s plans to implement the CTA will be clearly communicated to the public and stakeholders. IV. Severability If any of the provisions of this rule, or the application thereof to any person or circumstance, is held to be invalid, such invalidity shall not affect other provisions or application of such provisions to other persons or circumstances that can be given effect without the invalid provision or application. V. Regulatory Analysis This section contains the final regulatory impact analysis (RIA) for this final rule; it estimates the anticipated cost of the BOI access requirements to the public, among other items. The final rule imposes requirements on domestic agencies, foreign requesters, and financial institutions when they elect to access FinCEN’s BOI database. The requirements and the associated costs vary depending on whether the affected entity is a domestic agency, foreign requester, or financial institution. To estimate costs associated with accessing beneficial ownership information in accordance with the final rule, FinCEN assigns an hourly burden to each requirement in the rule and uses an estimated wage rate to determine a perentity expected cost of following that requirement. Where appropriate, FinCEN varies the hourly burden and wage according to the entity type and the size of the entity. To approximate an upper bound of aggregate expected costs, FinCEN multiplies the per entity costs computed as described by the total number of expected affected entities. These expected costs do not represent fees that affected entities need to pay to access beneficial ownership information, as no such fees are imposed by the final rule. Instead, the costs as estimated below reflect the dollar value FinCEN assigned, where possible, to the estimated time burden associated with the rule’s requirements. Many of the rule’s benefits are not as readily quantifiable, in part because the rule sets forth access requirements for obtaining BOI that is not yet available,208 and because expected use (and hence benefits) by at least some 208 BOI will be collected pursuant to 31 CFR 1010.380, finalized under the Reporting Rule, which will be effective January 1, 2024. E:\FR\FM\22DER3.SGM 22DER3 88782 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 parties cannot be reliably estimated before the CTA’s required revision to the 2016 CDD Rule has been finalized.209 Other important expected benefits of the rule are not reliably quantifiable because an attempt to isolate the incremental benefits uniquely attributable to this rule would be inherently speculative, and even if such discrete increments could be identified, assigning a dollar value to items such as national security or public faith in the integrity of the U.S. financial system is impracticable. The rule, nevertheless, is generally expected to improve investigations by law enforcement and assist other authorized users in a variety of activities. To the extent that this increased efficiency in information gathering can be proxied by reduced search costs,210 FinCEN quantified these expected benefits to certain affected parties in the NPRM and in the RIA below. The potential improvements in the breadth, scope, and efficiency of investigations and other activities by authorized users should in turn strengthen national security, enhance financial system transparency and integrity, and align the United States more closely with international AML/CFT standards. The RIA includes a discussion of these qualitative benefits and quantifiable efficiency gains which may accrue to domestic agencies alongside the quantitative discussion of costs. FinCEN has made efforts to assess the expected costs and benefits of the rule realistically, but notes that the rule relates to access to newly required information that is not yet available; thus, the estimates are based on several assumptions where FinCEN lacks certain direct supporting data. FinCEN further notes that the analysis of expected costs and benefits, as previewed in the NPRM and discussed below, is performed over annual increments that assume a fully operational framework, one in which all potentially affected parties access a database that includes BOI reports from all reporting companies that are in existence as of the Reporting Rule’s 209 FinCEN would need to know how access to BOI under the rule will impact financial institutions’ customer due diligence obligations, which FinCEN will not be able to assess until its revises the 2016 CDD Rule. Thus, FinCEN will instead assess the value that BOI access has to financial institutions in the regulatory analysis of FinCEN’s upcoming revisions to the 2016 CDD Rule. Throughout the analysis, FinCEN notes issues that may be affected by the required revision to the CDD rule. 210 In this analysis, ‘‘search cost’’ refers to the cost associated with obtaining beneficial ownership information. See. discussion in section V.A.ii.g. about monetizing the time component of search costs. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 effective date.211 This framing is not expected to specifically depict the costs or benefits corresponding to the first, or subsequent, calendar year(s) following the adoption of the final rule, given the phased nature of related regulatory implementation.212 However, FinCEN is utilizing this approach because it imposes the fewest extraneous assumptions about how phased regulatory implementation impacts the expected economic effects. FinCEN acknowledges that during initial implementation, while entities begin to gain access to BOI and initial BOI reports are populated in the database, the anticipated aggregate costs and benefits of the rule may be lower that the estimates presented below. FinCEN further acknowledges that during this period, the balance of costs to benefits may also differ such that the relative economic value (benefits scaled by costs) of the rule as discussed below could be overestimated. However, as the methodological approach of the RIA, in the NPRM and below, conservatively ascribes no quantifiable benefits to financial institutions as a subgroup of authorized users while nevertheless incorporating an estimated full cost burden of access to them, it is unlikely that the aggregate net benefits in the RIA are overstated because in practice the benefit to participating financial institutions is expected to be nonzero. FinCEN has described its cost estimates in detail to inform the public about the rule and its impact and has analyzed the final rule as required under Executive Orders (E.O.s) 12866, 13563, and 14094, the Regulatory Flexibility Act, the Unfunded Mandates Reform Act, and the Paperwork Reduction Act. FinCEN’s analysis assumes the baseline scenario is the current regulatory framework, in which there is no general Federal beneficial ownership information disclosure requirement and therefore no access to this information. Thus, any estimated costs and benefits as a result of the rule are new relative to maintaining the current framework. It has been determined that this regulation is a ‘‘significant regulatory action’’ under section 3(f)(1) of E.O. 12866, as amended. Pursuant to the Regulatory Flexibility Act, FinCEN’s analysis concluded that the rule will have a significant economic impact on a substantial number of small entities. Furthermore, pursuant to the Unfunded Mandates Reform Act, FinCEN 211 The Reporting Rule requires such entities to report BOI within one year of the effective date. 212 The phased implementation is discussed in section II.D.iii. of the preamble. PO 00000 Frm 00052 Fmt 4701 Sfmt 4700 concluded that the rule will result in an expenditure of $177 million or more annually by State, local, and Tribal governments or by the private sector.213 Because the rule is a significant regulatory action under section 3(f)(1) of E.O. 12866, FinCEN prepared and made public a preliminary RIA, along with an Initial Regulatory Flexibility Analysis (IRFA) pursuant to the Regulatory Flexibility Act, on December 16, 2022.214 FinCEN received multiple comments about the RIA and the IRFA, which are addressed in this section. FinCEN has incorporated additional data points, additional cost considerations, and responses to other points raised by commenters into the final RIA, which is published in its entirety following a narrative response to the comments. A. Executive Orders 12866, 13563, and 14094 E.O.s 12866, 13563, and 14094 direct agencies to assess costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, and public health and safety effects; distributive impacts; and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, reducing costs, harmonizing rules, and promoting flexibility. It has been determined that this regulation is a significant regulatory action under section 3(f)(1) of E.O. 12866, as amended. Accordingly, this final rule has been reviewed by the Office of Management and Budget (OMB). i. Discussion of Comments to the RIA FinCEN received several comments related to the Access NPRM RIA. The majority of these comments focused on the estimated costs for financial institutions to comply with the proposed access requirements. A smaller group of comments raised points on other aspects of the NPRM’s RIA, primarily on the cost analysis. 213 The Unfunded Mandates Reform Act requires an assessment of mandates that will result in an annual expenditure of $100 million or more, adjusted for inflation. The U.S. Bureau of Economic Analysis reports the annual value of the gross domestic product (GDP) deflator in 1995, the year of the Unfunded Mandates Reform Act, as 71.823, and as 127.224 in 2022. See U.S. Bureau of Economic Analysis, ‘‘Table 1.1.9. Implicit Price Deflators for Gross Domestic Product’’ (accessed Friday, June 2, 2023). Thus, the inflation adjusted estimate for $100 million is 127.224/71.823 × 100 = $177 million. 214 See 87 FR 77426–77454. E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations a. Comments Related to Costs to Financial Institutions Comments generally stated that the access requirements will be burdensome for financial institutions. Time and resources will be required to adjust to the rule’s requirements for financial institutions to access BOI. In particular, a comment noted that compliance costs will include training relevant staff, changing policies and procedures, enhancing information security, and educating senior management and customers, and that these costs are significant and should not be overlooked or underestimated. Comments also stated that banks would need to hire or reallocate personnel if the rule is implemented as proposed. FinCEN generally agrees with comments observing that time and resources that will be required for financial institutions to adjust to the rule’s requirements. FinCEN aims in this analysis to accurately estimate the burden of implementing requirements to access BOI. Comments also discussed the estimates in the NPRM for financial institution costs. One comment stated that the estimates were generally inaccurate and were not reasonable. Comments provided specific feedback on the following financial institution cost estimates: Administrative, Technical, and Physical Safeguards. A few commenters stated that the NPRM’s estimate of the costs for financial institutions to establish administrative and physical safeguards to protect accessed BOI was far too low—one comment called it ‘‘exponentially off’’—and needed to be revisited. One commenter stated that financial institutions would need to spend vastly more than estimated to develop and implement new systems, with ongoing costs that would include training on how to treat BOI from FinCEN differently than other BOI a financial institution may collect. The commenter estimated it would cost between $1 million and $3 million to develop new systems or adapt existing systems to comply with the proposed rule and to prevent BOI obtained from FinCEN from ‘‘flowing’’ into other financial institution monitoring systems or to affiliates outside of the United States. The commenter notes this cost could double if financial institutions are only able to access BOI on a manual, and not automated, basis. Relatedly, a commenter stated that FinCEN significantly underestimates the costs financial institutions will incur to update processes and IT systems to comply with the proposed rule. The VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 commenter stated that financial institutions would need to ‘‘reengineer’’ their existing processes and technology to comply with the limitations on sharing outside of the United States and to segregate BOI from FinCEN from standard customer documentation. The commenter did not provide a cost estimate. A commenter reminded FinCEN to be mindful that modifying existing procedures to accommodate requests and other related issues will take time and resources and requested FinCEN write the final rule in a clear and straightforward manner. Finally, a commenter expressed concern that BOI reported to FinCEN will not be accurate or reliable, forcing banks to shoulder the majority of the burden in implementing the CTA by acting as ‘‘regulatory quality control.’’ Commenters stated that if financial institutions are required to rely on BOI reported to FinCEN, the quality and reliability of customer risk profiles would be undermined unless the financial institutions maintain duplicate systems of BOI financial institutions receive directly from their customers and identify discrepancies between the two data sources. In response to these comments, FinCEN increased the burden estimate of financial institutions establishing administrative and physical safeguards. FinCEN retains its estimate for IT costs. As explained in section III.H.ii.e. although this rule does not address the verification of BOI reported to FinCEN, FinCEN agrees that verification is an important part of its overall efforts to ensure that the BOI reported is ‘‘accurate, complete, and highly useful’’ and continues to assess options to verify BOI taking into consideration practical, legal, and resource challenges. Regardless of exactly how FinCEN ultimately addresses verification, FinCEN does not anticipate that the final rule will require financial institutions to need to separate BOI obtained from FinCEN and BOI obtained from customers under their existing customer due diligence processes, as some commenters suggested would be necessary if FinCEN retained a strict prohibition on financial institutions using or storing BOI obtained from FinCEN outside the United States; therefore, FinCEN is not estimating the burden for financial institutions to reallocate resources or create duplicative systems to separately store BOI obtained from FinCEN. FinCEN also notes that financial institutions will have the ability to submit multiple search requests simultaneously through an automated process, lessening costs PO 00000 Frm 00053 Fmt 4701 Sfmt 4700 88783 associated with manual searches by financial institutions. Customer Consent. Under the rule, financial institutions must obtain and document the consent of a reporting company customer prior to accessing BOI about that customer. Multiple commenters stated that FinCEN’s estimate for the burden of obtaining this customer consent was too low and not reasonable; one comment called the estimate ‘‘patently absurd.’’ Commenters noted that this process would involve multiple steps, including identifying all applicable forms, drafting and reviewing appropriate consent language, and updating or establishing new processes and procedures. A commenter noted that updating online forms, which is the format that many banks use for account opening documents, requires technical development work and testing, among other tasks. The commenter stated that small banks will require less than the estimated 10 hours, but the majority of institutions will require significantly more time to implement the requirement. Another commenter stated that the NPRM estimate disregarded the time and attention necessary to devote on an ongoing basis to meeting this requirement. Another commenter noted that costs could also arise if a customer does not give consent or revokes consent, because the financial institution would be required to expend resources to monitor on an ongoing basis which customers have consented. A commenter estimated it would take 10,000 hours of personnel time, and potentially 100,000 hours in the largest institutions, to update account opening policies, procedures, processes, and forms to include the customer consent requirement. A commenter noted that large banks will be able to absorb these costs but predicted small and mid-sized banks will turn to service providers. FinCEN changed the burden estimate for obtaining customer consent based on these comments. FinCEN increased the initial burden for updating forms and procedures to account for this requirement and considered the multiple steps this will require based on comments. FinCEN also added an ongoing maintenance cost for this requirement to account for the necessity to change or update procedures. FinCEN assesses, however, that this ongoing maintenance cost is relatively minimal. FinCEN is not estimating costs related to obtaining customer consent more than once, but will assess if such a cost should be considered in the future CDD Rule revision. FinCEN is not assessing a cost related to a customer not providing or revoking consent. FinCEN E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88784 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations believes that the tracking of such information would be included in the existing cost estimates related to customer consent. Additionally, FinCEN expects that few customers will not provide consent given that providing BOI and general consent for financial institutions to access information from other sources are both routine requirements that customers anticipate and accept. Customer consent was the focus of one of the regulatory alternatives analyzed in the NPRM. Under this alternative, FinCEN, rather than financial institutions, would have obtained the required consent from reporting companies before financial institutions could access those companies’ BOI.215 A commenter stated that the cost savings to financial institutions would be much larger in practice than FinCEN estimated in the NPRM’s alternative analysis, and that FinCEN’s reason for rejecting this alternative—that financial institutions are better positioned to obtain consent (and track consent revocation) given their direct customer relationships and ability to leverage existing onboarding and account maintenance processes— does not make sense. FinCEN retains this alternative scenario but notes that the related cost savings estimate has changed given the changes to the financial institution burden estimates throughout the analysis. FinCEN, however, rejects the commenter’s claim that the NPRM’s reasoning was nonsensical. As explained in section III.E.ii.d above, FinCEN remains convinced that financial institutions are better situated than FinCEN to obtain and document a reporting company’s consent given financial institutions’ direct customer relationships. By contrast, FinCEN believes considerable delay could result if it were itself to take on direct management of the consent process. For this reason and as further explained in section III.E.ii.d above, FinCEN declines to adopt the alternative of FinCEN collecting customer consent. Training. A few commenters stated that the estimated cost of training financial institution employees who will access BOI under the rule was underestimated. A commenter stated that the NPRM estimates did not account for lost productivity to the financial institution while employees are attending training sessions. However, FinCEN notes the use of a wage rate for financial institution employees implicitly accounts for lost productivity to the institution of 215 See 87 FR 77427–77428. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 employees working on the rule’s requirements rather than other items. Commenters stated that in addition to those directly accessing FinCEN’s BOI database, all employees that interact with BOI through account opening or customer interactions would also need to participate in training. This training would most likely not be centralized and would be spread over departments and branches in financial institutions. A commenter stated that the increased cost due to training contradicts Congress’ intent for the CTA to minimize burden on financial institutions. A commenter stated this burden could be alleviated by keeping the registration and requirements simple. A commenter also stated that training would be necessary to inform financial institution employees on how to treat BOI obtained from FinCEN separately from BOI obtained through other means. FinCEN has concluded that these comments overstate the burden imposed by the rule. The final rule (31 CFR 1010.955(d)(2)(ii)) requires financial institutions to develop and implement administrative, technical, and physical safeguards reasonably designed to protect BOI as a precondition for receiving BOI. But, as explained in section III.E.ii.c, FinCEN is authorizing financial institutions to satisfy this requirement by applying security and information handling procedures under section 501 of Gramm-Leach-Bliley Act and applicable regulations for nonpublic customer personal information to BOI. The Federal functional regulators have implemented the requirements of the Gramm-LeachBliley Act in different ways, but they all generally reference providing related training.216 Thus, FinCEN does not expect BOI training to be unduly burdensome because training to protect nonpublic customer personal information is already part of a financial institutions’ Gramm-Leach-Bliley Act requirements.217 As explained in section III.E.ii.c, FinCEN thus anticipates that financial institutions will determine how best to train personnel who will have access to BOI but who will not interact with the BO IT system. Nonetheless, financial institutions will need to provide some training to 216 See generally Interagency Guidelines, supra note 91, p. 95. 217 As discussed, the final rule does not require financial institutions to separate BOI obtained from FinCEN and BOI obtained from customers under their existing customer due diligence processes. Thus, training on how to segregate BOI obtained from different sources should not be necessary, and FinCEN accordingly does not need to account for the costs of such training. PO 00000 Frm 00054 Fmt 4701 Sfmt 4700 ensure that relevant financial institution personnel access BOI in a manner consistent with this rule. As part of estimating the cost of this training, the NPRM included an estimate of the number of employees that would access BOI at both small and large financial institutions. Commenters stated that these estimates were too low and depended on many assumptions, including an assumption that the connection to the BO IT system is fast and easy for the user with minimal manual intervention. Commenters proposed alternative estimates. A commenter assumed that banks would have between 5 and 15 percent of employees involved in customer due diligence processes (the percentage varied depending on financial institution size), and used December 2021 FDIC bank data to estimate that 3,586 small banks will have between 1.5 to 10 people, and an average of 4 to 5 people, performing customer due diligence, and 1,263 large banks will have between 5 and 5,000 people, and an average of 26 to 27 people, performing customer due diligence. Another comment from a bank industry representative stated that a member estimated it has hired 50 full-time equivalent employees to address the existing CDD Rule requirements, and additional employees would be needed for the proposed rule. Similarly, another commenter estimated that some large banks will need to hire up to 40 or 50 additional staff to manage the technical process associated with BOI. A financial institution comment stated that they would like to have at least 20 or 25 staff members (out of 40 full-time staff) available to access this data, which would be a minimum of 3 staff per location. FinCEN appreciates the estimates provided by commenters and has incorporated changes to the analysis based on these comments. However, FinCEN notes that the assumption that connection to the BO IT system is fast and easy for the user is in line with FinCEN’s expectations. Financial institutions will also not need to access the BO IT system manually if they access via API. Requests for BOI and Related Certification Costs. Commenters raised questions about the assumptions related to the NPRM’s estimate of the number of annual requests for BOI from financial institutions. The NPRM included this estimate to calculate the cost burden of the proposed rule’s requirement that financial institutions certify that each request for BOI meets certain requirements. A commenter stated that FinCEN’s reliance on E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations estimates of annual new entity accounts from the 2016 CDD Rule was wrong because: (1) the CDD Rule requires the collection and verification of BOI for every new customer and every existing customer opening a new account; (2) the definition of legal entity customer under the CDD Rule is broader than the definition of reporting company under the CTA; and (3) the use of an average for a diverse set of financial institutions may not be appropriate. Another commenter questioned the assumption that financial institutions will seek to access BOI every time a new legal entity customer that qualifies as a reporting company opens a new account because another part of the NPRM stated that the proposed rule would not impose an obligation to access BOI. Another commenter claimed that most banks expect that the total annual costs of certifying their compliance when making BOI requests will be significantly higher than FinCEN’s estimate, but did not provide an alternative cost estimate. FinCEN retains the methodology used in the NPRM, which results in an estimated range of 5 million to 6 million annual requests for BOI from financial institutions. FinCEN proposed the upper bound of 6 million based on the 2016 CDD Rule’s regulatory analysis. The comments identified several reasons why the actual number of requests may differ, but FinCEN maintains it is appropriate to provide an upper bound estimate based on the CDD Rule. FinCEN agrees with commenters that this final rule does not impose an obligation to access BOI. However, FinCEN uses this upper bound estimate to illustrate potential costs to financial institutions if the financial institutions access BOI at the rate estimated in the current CDD Rule. FinCEN also acknowledges the point raised by another commenter regarding differences between the CDD Rule and Reporting Rule. If the future CDD Rule revision includes a different estimate for the number of annual requests for BOI per year, FinCEN will note that change, and its effect on financial institution costs, in that revision. Other Financial Institution Costs. Commenters recommended that audit and legal review costs to financial institutions be incorporated into the RIA. There are no audit requirements for financial institutions in the rule; however, FinCEN understands that in practice financial institution audits will include reviewing the safeguards implemented to protect accessed BOI. FinCEN clarifies in the analysis that the administrative safeguards burden estimate includes audit and legal review VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 of such safeguards, and increases the burden estimate accordingly. A commenter also stated that the costs to financial institutions should be presented on a per account basis, and that the amount per account would be a few hours of an operations specialist work (at $50 per hour rate) to access BOI, corroborate it, address any remediation of errors in the BOI, and supervise the process, totaling $100– $200 per account opening in maintenance fees. FinCEN believes that the per institution cost estimate methodology used in the NPRM is appropriate and retains it here. The per account cost estimate would not capture fixed costs of establishing new procedures, and other requirements, that are necessary at the institutional level to comply with the rule. A commenter noted that complying with the rule’s security and confidentiality requirements for BOI access will require significant time and resources for small businesses (presumably meaning small financial institutions), and that this will put such small businesses at a disadvantage compared to large companies with more resources. FinCEN considers the cost of the rule to small financial institutions in the Regulatory Flexibility Act section of the analysis, below. A commenter requested that FinCEN publish Small Entity Compliance Guides and FAQs to assist such entities with compliance. FinCEN anticipates issuing a Small Entity Compliance Guide pursuant to section 212 of Small Business Regulatory Enforcement Fairness Act (SBREFA) to assist small entities in complying with the BOI access requirements. b. Comments Related to Government and Reporting Company Costs A handful of commenters raised other cost issues outside of those that pertained specifically to financial institutions. Regarding other estimates in the NPRM’s RIA, one commenter stated that the cost estimate for State, local, and Tribal law enforcement agencies failed to include the number of hours such agencies would spend on the proposed written justification requirement. FinCEN did consider this burden in the NPRM and estimated that submitting a request to FinCEN for BOI would take one employee approximately 15 minutes, or 0.25 hours, per request. For State, local, and Tribal agencies, FinCEN estimated an additional 20 to 30 hours of burden per request to obtain a court authorization in the NPRM. Therefore, State, local, and Tribal requests were estimated to have 20.25 to 30.25 hours of burden per PO 00000 Frm 00055 Fmt 4701 Sfmt 4700 88785 request because of the court authorization and written certification requirements.218 FinCEN changed this estimate in the analysis given changes to the final rule’s requirements.219 A commenter stated that the NPRM RIA did not address significant burdens on reporting companies that would have to provide BOI to both financial institutions and FinCEN. The commenter stated that such a burden would be duplicative and unnecessary. FinCEN expects that consideration of such burden will be included in the future CDD Rule revision, which will discuss the current requirements that financial institutions identify and verify the beneficial ownership information of their legal entity customers. Finally, a commenter agreed with the estimates of FinCEN’s costs in the NPRM, noting the estimates appeared reasonable. c. Comments Related to Benefits A few commenters stated that access to BOI would not have a benefit for financial institutions. These commenters stated that the requirements would impose additional compliance costs without enhancing customer due diligence processes and could result in duplicative processes. A commenter stated this would result in an inefficient allocation of resources across AML compliance programs. Another commenter stated that resources would be reallocated away from risk-based activities that more effectively mitigate illicit finance risks. As in the NPRM, FinCEN is not attempting to estimate the benefits of this rule to financial institutions. To do so, FinCEN would need to know how access to BOI under the rule will impact financial institutions’ customer due diligence obligations, which FinCEN will not be able to assess until its revises the 2016 CDD Rule. Thus, FinCEN will instead assess the value that BOI access has to financial institutions in the regulatory analysis of FinCEN’s upcoming revisions to the 2016 CDD Rule.220 As explained in section II.B, mandatory revisions to the 2016 CDD Rule include: (1) bringing the rule into conformity with the AML Act as a whole, including the CTA; (2) accounting for financial institutions’ access to BOI reported to FinCEN ‘‘in order to confirm the beneficial ownership information provided directly to’’ financial institutions for AML/CFT and customer due diligence purposes; and (3) reducing unnecessary 218 FinCEN clarifies that this requirement is a certification and not a justification. 219 31 CFR 1010.955(d)(1)(ii)(B)(2). 220 CTA, Section 6403(d)(1). E:\FR\FM\22DER3.SGM 22DER3 88786 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations or duplicative burdens on financial institutions and legal entity customers.221 d. Comments on Other Topics A commenter recommended that FinCEN require secretaries of state and similar offices to incorporate collection of BOI into their registration processes, and then submit this information to FinCEN. The commenter noted that while this option was explored and rejected in the Reporting Rule, it could possibly be implemented in the long term and would minimize burden. As noted in the Reporting Rule, FinCEN rejected this alternative in part due to concerns raised by comments from several State authorities.222 FinCEN will continue to explore other avenues to coordinate with secretaries of state and similar offices on beneficial ownership matters and to minimize burden. ii. Final Regulatory Impact Analysis ddrumheller on DSK120RN23PROD with RULES3 a. Overview of the RIA The RIA begins with a summary of the rationale for the final rule, three regulatory alternatives to the final rule, and findings from the cost and benefit analysis (sections (b)–(d)). Section (e) describes the type and number of entities expected to be affected by the rule. Section (f) provides a detailed cost analysis (including discussions of each requirement’s quantifiable costs) that considers costs to domestic agencies (including SROs), foreign requesters, financial institutions, and FinCEN. Section (g) is a detailed discussion of benefits. Section (h) summarizes the overall impact of the quantifiable portions of the rule. Changes to the analysis or assumptions are clearly specified, as well as references to comments that are incorporated into the RIA. In the course of this discussion, FinCEN describes its estimates, along with any nonquantifiable costs and benefits.223 In response to comments, FinCEN has made the following changes to its estimates: increased the number of SROs that may access BOI; increased the hourly burden for financial institutions to establish administrative and physical safeguards by 200 percent; increased the hourly burden for financial institutions to obtain and document customer 221 CTA, Section 6403(d)(1)(A)–(C). 222 87 FR 59559 (Sept. 30, 2022). 223 Throughout the analysis, FinCEN rounds estimates for entity counts to the nearest whole number, and any wage and growth estimates to the nearest 1 or 2 decimal places. Calculations may not be precise due to rounding, but FinCEN expects this rounding method produces no meaningful difference in the magnitude of FinCEN’s estimates or conclusions. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 consent by 400–600 percent in year 1 224 and an additional 10 to 20 hours in subsequent years; 225 and increased the expected number of financial institution employees requiring training to 4 to 5 for small financial institutions and 25 to 30 for large financial institutions. FinCEN also decreased the hourly burden estimate for written certification of requests by State, local, and Tribal law enforcement agencies, and described additional requirements for financial institutions, consistent with changes made to this requirement in the final rule. FinCEN also made changes to update data, underlying sources, and estimates with more recent information, if available. b. Rationale for the Final Rule This rule is necessary to comply with and implement the CTA. As described in section I, this rule is consistent with the CTA’s statutory mandate that FinCEN issue regulations regarding access to beneficial ownership information. Specifically, the final rule implements the provisions in the CTA, codified at 31 U.S.C. 5336(c), that authorize FinCEN to disclose identifying information associated with reporting companies, their beneficial owners, and their company applicants (together, BOI) to certain recipients. c. Discussion of Regulatory Alternatives to the Final Rule The rule is statutorily mandated, and therefore FinCEN has limited ability to implement alternatives. However, FinCEN considered certain significant alternatives in the NPRM that were available under the statute. FinCEN replicated some of those alternatives here, with adjustments for clarity and for incorporated changes to the RIA, and added another alternative. The sources and analysis underlying the burden and cost estimates cited in these alternatives are explained in the RIA. 1. Change Customer Consent Requirement FinCEN considered altering the customer consent requirement for financial institutions. Under the final rule, financial institutions are required to obtain and document customer consent once for a given customer. 224 As discussed in section V above, Year 1 in this analysis is the first year in which all potentially affected parties access a database that includes BOI reports from reporting companies that are in existence as of the Reporting Rule’s effective date. 225 Subsequent years (sometimes referred to as ‘‘Years 2+’’) in this analysis are the years after the first year in which all potentially affected parties access a database that includes BOI reports from reporting companies that are in existence as of the Reporting Rule’s effective date. PO 00000 Frm 00056 Fmt 4701 Sfmt 4700 FinCEN considered an alternative approach in which FinCEN would directly obtain the reporting company’s consent. Under this scenario, financial institutions would not need to spend time and resources on drafting or modifying customer consent forms, ensuring legal compliance, and testing the forms.226 Using an hourly wage estimate of $106 per hour for financial institutions, FinCEN estimates this would result in a savings per financial institution of approximately $5,300 to $7,420 in year 1 and $1,060 to $2,120 in subsequent years. FinCEN estimates an aggregate savings of $83.3 to $116.6 million in year 1 and $16.7 to $33.3 million in subsequent years. To estimate the potential range of aggregate savings under this scenario, FinCEN multiplies the respective estimates of yearly savings by the number of financial institutions (e.g., $7,420 per institution × 15,716 financial institutions = $116,612,720, to estimate the upper bound). The cost savings for small financial institutions under this scenario would be approximately $72.6 million ($5,300 per institution × 13,699 small financial institutions = $72,604,700), assuming the lower bound of the estimated time burden applies. Though this alternative results in a savings to financial institutions, including small entities, FinCEN believes that financial institutions are better positioned to obtain consent—and to track consent revocation—given their direct customer relationships and ability to leverage existing onboarding and account maintenance processes, as also discussed in sections III.E.ii.d and V.A.i.a above. Therefore, FinCEN decided not to adopt this alternative. 2. Impose Court Authorization Requirement on Federal Agencies Another alternative extends the requirement that State, local, and Tribal law enforcement agencies provide a court authorization with each BOI request to 201 Federal agencies. FinCEN estimates that requests submitted by State, local, and Tribal law enforcement agencies have an additional 8 to 10 hours of burden owing to an additional requirement that a court of competent jurisdiction, including any officer of such a court, authorizes the agency to seek the information in a criminal or civil investigation. Therefore, FinCEN applies this additional 8 to 10 hours of burden per BOI request to the estimated BOI requests submitted by Federal 226 FinCEN expects this process to require approximately 50 to 70 hours in year 1 and 10 to 20 hours in subsequent years for ongoing forms maintenance. E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 agencies and by State regulators. Using FinCEN’s internal BSA request data as a proxy, FinCEN anticipates that Federal agencies could submit as many as approximately 2 million total BOI requests annually.227 Using an hourly wage estimate of $110 per hour for Federal employees, this requirement would result in additional aggregate annual costs in the first year between approximately $1.76 and $2.2 billion ((2 million Federal requests × 8 hours × $110 per hour = $1.76 billion) and (2 million Federal requests × 10 hours × $110 per hour = $2.2 billion)) and between $1.32 billion and $1.76 billion in subsequent years ((2 million Federal requests × 6 hours × $110 per hour = $1.32 billion) and (2 million Federal requests × 8 hours × $110 per hour = $1.76 billion)). This alternative could minimize the potential for broad or nonspecific searches by any agency not currently subject to the requirement because of the higher initial barrier to accessing the data. However, FinCEN believes that imposing this requirement on authorized recipients for whom such a requirement is not statutorily mandated could lead to unnecessary delays for Federal agencies in obtaining BOI and impose unjustified burdens. For these reasons, FinCEN decided not to adopt this alternative. 3. Require Court Order for State, Local, and Tribal Law Enforcement Requests This alternative would require State, local, and Tribal law enforcement agencies to provide a copy of a court order for each BOI request, which was required in the proposed rule. In the NPRM RIA, FinCEN estimated that State, local, and Tribal law enforcement agencies would have a per request hourly burden between 20 to 30 hours to obtain a court order for each BOI request. Considering comments received, FinCEN changed this requirement in the final rule. The final rule requires that State, local, and Tribal law enforcement agencies obtain authorization from a court of competent jurisdiction to request BOI. FinCEN estimates that State, local, and Tribal law enforcement agencies will have a per request hourly burden of 8 to 10 hours in year 1 and 6 to 8 hours in subsequent years to obtain a court authorization. Thus, in rejecting the alternative proposed in the NPRM, 227 While FinCEN’s estimates do not incorporate an estimated growth rate in the number of requests throughout the 10-year time horizon of this analysis, it is nevertheless possible that the number of BOI requests could increase significantly in the years following initial implementation of the BOI reporting requirements as awareness of the ability to access and the utility of BOI increases. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 FinCEN estimates a reduction in hourly burden per request between 12 to 20 hours in year 1 and 14 to 22 hours in subsequent years. Using FinCEN’s internal BSA request data as a proxy, FinCEN anticipates that State, local, and Tribal law enforcement agencies will submit between 1 and 23,000 BOI requests per agency and, in total, as many as approximately 200,000 BOI requests annually. Using an hourly wage estimate of $80 per hour for State, local, and Tribal agency employees, FinCEN estimates adopting this alternative would result in a range of additional costs per State, local, and Tribal law enforcement agency of approximately $960 to $36.8 million in year 1 ((1 request × 12 hours × $80 per hour = $960) and (23,000 × 20 hours × $80 per hour = $36.8 million)) and $1,120 to $40.48 million in subsequent years ((1 request × 14 hours × $80 per hour = $1,120) and (23,000 × 22 hours × $80 per hour = $40.48 million)). In total, adopting this alternative would have resulted in additional aggregate annual costs in the first year between approximately $192 and $320 million ((200,000 requests × 12 hours × $80 per hour = $192 million) and (200,000 × 20 hours × $80 per hour = $320 million)) and between $224 million and $352 million in subsequent years ((200,000 requests × 14 hours × $80 per hour = $224 million) and (200,000 × 22 hours × $80 per hour = $352 million)). Given the concerns raised by commenters and the reasons outlined in section III.C.ii, FinCEN decided not to adopt this alternative, which results in a burden reduction to State, local, and Tribal law enforcement agencies. d. Summary of Findings 1. Costs The cost analysis estimates costs to domestic agencies (including SROs), foreign requesters, financial institutions, and FinCEN. Each of the affected entities will have costs associated with the rule if it elects to access FinCEN BOI. The costs vary based on the access procedures for the authorized recipients. The rule requires different access procedures for domestic agencies, foreign requesters, and financial institutions. Whether the costs of these requirements are one-time, ongoing, or recurring, and whether the costs accrue on a per recipient or per request basis varies from requirement to requirement. Additionally, some requirements are administrative and involve the creation of documents, while others involve IT. The estimated average per agency cost in year 1 is between $2,888 and $10.1 PO 00000 Frm 00057 Fmt 4701 Sfmt 4700 88787 million per Federal agency, between $2,100 and $.5 million per State and local regulator, between $2,740 and $18.9 million per State, local, and Tribal law enforcement agency, and between $2,783 to $662,500 per SRO. The estimated average per agency cost each year after the first year is between $1,238 and $10 million per Federal agency, between $900 and $.5 million per State and local regulator, between $1,380 and $15.2 million per State, local, and Tribal law enforcement agency, and between $1,193 to $662,500 per SRO. The total estimated aggregate cost to domestic agencies in year 1 is between $190.1 million and $260.4 million, and then between $157.5 million and $197.4 million each year thereafter. FinCEN is unable to estimate aggregate costs on foreign requesters given the lack of data on the number of foreign requesters that may access BOI, but FinCEN provides partial cost estimates of the requirements on a foreign requester. FinCEN’s estimates annual cost to foreign requesters as between approximately $16,600 and $74,700. FinCEN also assumes that Federal agencies that submit BOI requests on behalf of foreign requesters to FinCEN will incur additional costs; FinCEN itself expects to incur costs from the submission of such requests. Therefore, FinCEN estimates that BOI requests on behalf of foreign requesters result in a cost per request of approximately $220 to Federal agencies, and a total annual cost to Federal agencies between approximately $44,000 and $198,000. The estimated average cost per financial institution in year 1 is between approximately $27,161 and $43,668 and between approximately $10,201 and $12,928 each year thereafter. The estimated aggregate cost for financial institutions is between approximately $426.9 and $686.3 million in the first year, and then between approximately $160.4 and $203.2 million each year thereafter. In addition to the costs of accessing BOI data as a domestic agency, FinCEN will incur costs from managing the access of other authorized recipients. FinCEN’s estimated annual cost for such activities is $13 million. 2. Benefits The rule will result in benefits for authorized recipients, including through improving the effectiveness and efficiency of U.S. national security, intelligence, and law enforcement activity by providing access to BOI. FinCEN has quantitatively estimated a portion of such benefits in this analysis. E:\FR\FM\22DER3.SGM 22DER3 88788 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations The rule will also have non-quantifiable benefits to authorized recipients of BOI and to society more widely. FinCEN estimates quantifiable benefits attributable to enhanced BOI search efficiency between $33,000 and $2.2 million per Federal agency and similar benefits between $24,000 and $1.6 million per State, local, and Tribal agency. In aggregate, FinCEN estimates quantifiable benefits between $10.6 million and $708.2 million. e. Affected Entities In order to analyze cost and benefits, the number of entities affected by the rule must first be estimated. Authorized recipients of BOI are affected by this rulemaking if they elect to access BOI because they are required to meet certain criteria to receive that BOI. The criteria vary depending on the type of authorized recipient. Federal agencies engaged in national security, intelligence, and law enforcement activity will have access to BOI in furtherance of such activities if they establish the appropriate protocols prescribed for them in the rule. Additionally, Treasury officers and employees who require access to BOI to perform their official duties or for tax administration will have access. The number of agencies that could qualify under these categories is large and difficult to quantify. FinCEN uses the number of Federal agencies that are active entities 228 with BSA data access 229 as a proxy for the number of Federal agencies that may access BOI. FinCEN believes this proxy is apt. While the criteria for access to BSA data are somewhat different outside of the CTA ddrumheller on DSK120RN23PROD with RULES3 228 For purposes of this analysis, an agency has active access to BSA data if the official duties of any agency employee or contractor includes authorized access to the FinCEN Query system, a web-based application that provides access to BSA reports maintained by FinCEN. 229 For purposes of this analysis, BSA data consists of all of the reports submitted to FinCEN by financial institutions and individuals pursuant to obligations that currently arise under the BSA, 31 U.S.C. 5311 et seq., and its implementing regulations. These include reports of cash transactions over $10,000, reports of suspicious transactions by persons obtaining services from financial institutions, reports of the transportation of currency and other monetary instruments in amounts over $10,000 into or out of the United States, and reports of U.S. persons’ foreign financial accounts. In fiscal year 2019, more than 20 million BSA reports were filed. See Financial Crimes Enforcement Network, ‘‘What is the BSA data?,’’ available at https://www.fincen.gov/what-bsa-data. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 context, Federal agencies that have access to BSA data will generally also meet the criteria for access to BOI under the CTA. FinCEN believes that Federal agencies that have access to BSA data will most likely want access to BOI as well and will generally be able to access it under the parameters specified by the rule. FinCEN includes offices within the U.S. Department of the Treasury, such as FinCEN itself,230 in this proxy count. As of June 2023, 201 Federal agencies and agency subcomponents are active entities with BSA data access. State, local, and Tribal law enforcement agencies will have access to BOI for use in criminal and civil investigations if they follow the process prescribed for them in the rule. FinCEN uses the number of State and local law enforcement agencies that are active entities with BSA data access as a proxy for the number of State, local, and Tribal law enforcement agencies that may access BOI, for the reasons discussed in the Federal agency context. As of June 2023, 158 State and local law enforcement agencies and agency subcomponents are active entities with access to BSA data.231 The process that the rule sets forth involves these agencies obtaining a court authorization for each BOI request. Courts of competent jurisdiction that issue such authorizations may therefore also be affected by the rule; FinCEN has not estimated the burden that may be imposed on such entities because of a lack of relevant data and because such burden will depend on choices made by courts in authorizing BOI requests that they receive from agencies. Foreign government entities, such as law enforcement, prosecutors, judges or other competent or central authorities, will be able to access BOI after submitting a request as described in the rule. FinCEN does not estimate the number of different foreign requesters that may request BOI, but instead estimates a range of the total number of annual requests for BOI that FinCEN may receive from all foreign requesters. The rule requires that foreign requests 230 In addition to incurring costs as an authorized recipient of BOI, FinCEN expects to incur costs from administering data to other authorized recipients. 231 No Tribal law enforcement agencies currently have access to BSA data through the FinCEN Query system. PO 00000 Frm 00058 Fmt 4701 Sfmt 4700 be made through an intermediary Federal agency. Therefore, Federal agencies will also be affected by foreign requests. The six Federal functional regulators that supervise financial institutions with customer due diligence obligations—the FRB, the OCC, the FDIC, the NCUA, the SEC, and the CFTC—may access BOI for purposes of supervising a FI’s compliance with those obligations. Additionally, other appropriate regulatory agencies may access BOI under the rule. FinCEN uses the number of regulators that both supervise entities with requirements under FinCEN’s CDD Rule and are active entities with access to BSA data as a proxy for the number of regulatory agencies that may access BOI. As of June 2023, 63 regulatory agencies satisfy both criteria.232 FinCEN adds three SROs to this count, 233 which totals to 66 regulatory agencies. Although SROs are not government agencies and they will not have direct access to the BO IT system under the rule, they may receive BOI through re-disclosure and will be subject to the same security and confidentiality requirements as other regulatory agencies under the rule. As discussed further in section III.C.iv.a, FinCEN intends to provide access to BOI as an initial matter only to financial institutions that are ‘‘covered financial institutions’’ as defined in 31 CFR 1010.230. Assuming that all such financial institutions will access BOI, FinCEN estimates the number of affected financial institutions in Table 1.234 BILLING CODE 4810–02–P 232 This includes the six Federal functional regulators. The remaining 57 entities are State regulators that supervise banks, securities dealers, and other entities that currently have customer due diligence obligations under FinCEN regulations. FinCEN did not include State regulatory agencies that have active access to BSA data but do not regulate entities with FinCEN customer due diligence obligations, such as State gaming authorities or State tax authorities. 233 FinCEN included two SROs in the NPRM but added an additional SRO based on a comment. 234 To reiterate a point made on this subject in section III.C.iv.b.1 above, this rule does not create an obligation for financial institutions to access BOI. However, for FinCEN’s own regulatory compliance purposes, it is necessary to make assumptions about the number of financial institutions that will choose to do so, and FinCEN wishes to avoid inadvertently underestimating that number. E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations 88789 Table I-Affected Financial Institutions Financial Institution Type Banks, savings associations, thrifts, trust companies 1 Credit unions2 Brokers or dealers in securities3 Mutual funds 4 Futures commission merchants and introducing brokers in commodities5 Total Count Small Count 5,001 3,673 4,787 3,538 4,297 6 3,450 6 1,378 1,012 1,341 6 938 6 15,716 13,699 6 All counts are from Q2 2023 FFIEC Call Report data, available at https://cdr.ffiec.gov/public/pws/downloadbulkdata.aspx. Data for institutions that are not insured, are insured under non-FDIC deposit insurance regimes, or do not have a Federal functional regulator are from the FDIC's Research Information System, available at https://www.fdic.gov/foia/ris/. 2 Credit union data are from the NCUA for Q2 2023, available at https://www.ncua.gov/analysis/credit-unioncorporate-call-report-data. 3 According to the SEC, the number of brokers or dealers in securities for the fiscal year 2022 is 3,538. See Securities and Exchange Commission, Fiscal Year 2024 Congressional Budget Justification, p. 32, https ://www.sec.gov/files/fy-2024-congressional-budget-justification_fmal-3-10.pdf. 4 According to the SEC, as of December 2022 (including filings made through Jan 20, 2023) there are 1,378 open-end registered investment companies that report on Form N-CEN. 5 There are 60 futures commission merchants as of July 31, 2023, according to the CFTC website. See Commodity Futures Trading Commission, Financial Data for FCMs, https://www.cftc.gov/MarketReports/fmancialfcmdata/index.htm. According to CFTC, there are 952 introducing brokers in commodities as of October 5, 2023. 6 The source of all small counts in this table is a FinCEN analysis described in the text below Table 1. 1 ddrumheller on DSK120RN23PROD with RULES3 Totaling these estimates results in 15,716 financial institutions that may access BOI pursuant to the rule. Of these financial institutions, 13,699 are small entities. To identify whether a financial institution is small, FinCEN uses the Small Business Administration’s (SBA) latest annual size standards for small entities in a given industry.235 FinCEN also uses the U.S. Census Bureau’s publicly available 2017 Statistics of U.S. Businesses survey data (Census survey 235 The SBA currently defines small entity size standards for affected financial institutions as follows: less than $850 million in total assets for commercial banks, savings institutions, and credit unions; less than $47 million in annual receipts for trust companies; less than $47 million in annual receipts for broker-dealers; less than $47 million in annual receipts for portfolio management; less than $40 million in annual receipts for open-end investment funds; and less than $47 million in annual receipts for futures commission merchants and introducing brokers in commodities. See U.S. Small Business Administration’s Table of Size Standards, available athttps://www.sba.gov/sites/ sbagov/files/2023-03/Table%20of%20 Size%20Standards_ Effective%20March%2017%2C%202023%20%281 %29%20%281%29_0.pdf. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 data).236 FinCEN applies SBA size standards to the corresponding industry’s receipts in the 2017 Census survey data and determines what proportion of a given industry is deemed small, on average. FinCEN considers a financial institution to be small if it has total annual receipts less than the annual SBA small entity size standard for the FI’s industry. FinCEN applies these estimated proportions to FinCEN’s current financial institution counts for brokers or dealers in securities, mutual funds, and futures commission merchants and introducing brokers in commodities to determine the proportion of current small financial institutions in those industries. FinCEN does not apply population proportions to banks or credit unions. Because data 236 See U.S. Census Bureau, U.S. & states, NAICS, detailed employment sizes (U.S., 6-digit and states, NAICS sectors) (2017), available at https:// www.census.gov/data/tables/2017/econ/susb/2017susb-annual.html. The Census survey documents the number of firms and establishments, employment numbers, and annual payroll by State, industry, and enterprise every year. Receipts data, which FinCEN uses as a proxy for revenues, is available only once every five years, with 2017 being the most recent survey year with receipt data. PO 00000 Frm 00059 Fmt 4701 Sfmt 4700 accessed through FFIEC and NCUA Call Report data provides information about asset size for banks, trusts, savings and loans, credit unions, etc., FinCEN is able to directly determine how many banks and credit unions are small by SBA size standards. 237 Because the Call Report data does not include institutions that 237 Consistent with the SBA’s General Principles of Affiliation, 13 CFR 121.103(a), FinCEN aggregates the assets of affiliated financial institutions using FFIEC financial data reported by bank holding companies on forms Y–9C, Y–9LP, and Y–9SP (available at https://www.ffiec.gov/npw/Financial Report/FinancialDataDownload) and ownership data (available at https://www.ffiec.gov/npw/ FinancialReport/DataDownload) when determining if an institution should be classified as small. FinCEN uses four quarters of data reported by holding companies, banks, and credit unions because a ‘‘financial institution’s assets are determined by averaging the assets reported on its four quarterly financial statements for the preceding year.’’ See U.S. Small Business Administration’s Table of Size Standards, p. 38 n.8, available at https://www.sba.gov/sites/sbagov/files/2023-03/ Table%20of%20Size%20Standards_ Effective%20March%2017%2C%202023%20%281 %29%20%281%29_0.pdf. FinCEN recognizes that using SBA size standards to identify small credit unions differs from the size standards applied by the NCUA. However, for consistency in this analysis, FinCEN applies the SBA-defined size standards. E:\FR\FM\22DER3.SGM 22DER3 ER22DE23.000</GPH> BILLING CODE 4810–02–C 88790 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations are not insured, are insured under nonFDIC deposit insurance regimes, or that do not have a Federal financial regulator, FinCEN assumes that all such entities listed in the FDIC’s Research Information System data are small, unless they are controlled by a holding proposed rule, as summarized in Table 1. Table 2 summarizes the counts of entities by category that will have access to BOI data. company that does not meet the SBA’s definition of a small entity, and includes them in the count of small banks. Using this methodology and data from the FFIEC and the NCUA, approximately 13,699 small financial institutions could be affected by the Table 2-Affected Entities ddrumheller on DSK120RN23PROD with RULES3 As shown in Table 2, FinCEN anticipates that as many as 16,141 different domestic agencies and financial institutions could elect to access BOI. Of these, FinCEN believes the only entity category that will have small entities affected is financial institutions.238 f. Detailed Discussion of Costs The rule imposes requirements on domestic agencies, foreign requesters, and financial institutions. To estimate costs, FinCEN assigns an hourly burden to each requirement and uses an estimated wage rate to determine the per entity cost of that requirement. Where appropriate, FinCEN varies the hourly burden and wage according to the entity type and the size of the entity. To estimate total costs, FinCEN multiplies the per entity costs by the number of entities. In this analysis, FinCEN uses an estimated compensation rate of approximately $110 per hour for Federal agencies and foreign requesters, approximately $80 per hour for State, local, and Tribal agencies, and approximately $106 per hour for financial institutions. This is based on occupational wage data from the U.S. Bureau of Labor Statistics (BLS).239 The 238 FinCEN provides more detail about this conclusion in the Regulatory Flexibility Act analysis. 239 See U.S. Bureau of Labor Statistics, National Occupational Employment and Wage Estimates (May 2022), available at https://www.bls.gov/oes/ current/oessrci.htm. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 Count Small Count 0 0 NIA 0 13,699 13,699 most recent occupational wage data from the BLS corresponds to May 2022, released in May 2023. To obtain these three wage rates, FinCEN calculated the average reported hourly wages of six specific occupation codes assessed to be likely authorized recipients at Federal agencies, State, local, and Tribal agencies, and financial institutions.240 Included financial industries were identified at the most granular North American Industry Classification System (NAICS) code available and are the types of financial institutions that are subject to regulation under the BSA, even if these financial institutions are not entities that are affected by the rule, including: banks; casinos; money service businesses; brokers or dealers in securities; mutual funds; insurance companies; futures commission merchants and introducing brokers in commodities; dealers in precious 240 To estimate government hourly wages, FinCEN modifies the burden analysis in FinCEN’s publication ‘‘Renewal without Change of AntiMoney Laundering Programs for Certain Financial Institutions.’’ See 85 FR 49418 (Aug. 13, 2020). Specifically, FinCEN uses hourly wage data from the following six occupations to estimate an average hourly government employee wage: chief executives (i.e., agency heads), first-line supervisors of law enforcement workers, law enforcement workers, financial examiners, lawyers and judicial clerks, and computer and information systems managers. FinCEN uses hourly wage data for the following occupations to estimate an average hourly financial institution employee wage: chief executives, financial managers, compliance officers, and financial clerks. FinCEN also includes the hourly wages for lawyers and judicial clerks, as well as for computer and information systems managers. PO 00000 Frm 00060 Fmt 4701 Sfmt 4700 metals, precious stones, or jewels; operators of credit card systems; and loan or finance companies. This results in a Federal agency hourly wage estimate of $68.34; a State, local, and Tribal agency hourly wage estimate of $49.61; 241 and a financial institution hourly wage estimate of $74.86. Multiplying these hourly wage estimates by their corresponding benefits factor (1.61 242 for government agencies and 1.42 243 for private industry) produces fully loaded hourly compensation amounts of approximately $110 for 241 To estimate a single hourly wage estimate for State, local, and Tribal agencies, FinCEN calculated an average of the May 2022 mean hourly wage estimates for State government agencies and for local government agencies (($47.55 + $51.66)/2 = $49.61), as wages are available for both of these types of government workers in the BLS occupational wage data. BLS data does not include an estimate for Tribal government worker and thus FinCEN does not include a Tribal government worker wage estimate in this average. 242 The ratio between benefits and wages for State and local government workers is $21.91 (hourly benefits)/$35.69 (hourly wages) = 0.61, as of March 2023. The benefit factor is 1 plus the benefit/wages ratio, or 1.61. See U.S. Bureau of Labor Statistics, Employer Costs for Employee Compensation Historical Listing, available at https://www.bls.gov/ web/ecec/ececqrtn.pdf. The State and local government workers series data for March 2023 is available at https://www.bls.gov/web/ecec/ececgovernment-dataset.xlsx. FinCEN applies the same benefits factor to Federal workers. 243 The ratio between benefits and wages for private industry workers is $11.86 (hourly benefits)/ $28.37 (hourly wages) = 0.42, as of March 2023. The benefit factor is 1 plus the benefit/wages ratio, or 1.42. See U.S. Bureau of Labor Statistics, Employer Costs for Employee Compensation: Private industry dataset (Mar. 2023), available at https:// www.bls.gov/web/ecec/ecec-private-dataset.xlsx. E:\FR\FM\22DER3.SGM 22DER3 ER22DE23.001</GPH> Entity Type Federal agencies engaged in 201 national security, intelligence, or law enforcement activity, and Treasury offices State, local, and Tribal law 158 enforcement agencies Foreign requesters NIA Regulatory agencies 66 Financial Institutions 15,716 Total 16,141 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations Federal agencies, $80 for State, local, and Tribal agencies, and $106 per hour 88791 for financial institutions. These wage estimates are summarized in Table 3: Table 3-Fully Loaded Wage Estimates Entity Type Federal government agency 1 State government agency Local government agency Equal weighted average for State, local, and Tribal agencies2 FI Mean Hourly Wage $68.34 $47.55 $51.66 $49.61 Benefits Factor Fully Loaded Hourly Wage 1.61 $110 1.61 $77 1.61 $83 1.61 $80 $74.86 1.42 $106 1 FinCEN assumes the same hourly wage estimate for foreign requesters as for Federal agencies. 2 FinCEN calculates a simple average of the hourly wage estimate of State and local agencies. (BLS does not provide any estimates for Tribal agency wages.) Estimating the average State and local agency hourly wage using a value-weighted approached based on the likely proportion of State versus local agency participants using internal FinCEN BSA data resulted in a similar hourly wage estimate. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 administering access to authorized recipients. 1. Domestic Agencies Domestic agencies must meet multiple requirements to receive BOI. Whether the costs of these requirements are one-time, ongoing, or recurring, and whether the costs accrue on a perrecipient or per request basis varies from requirement to requirement. Additionally, some requirements are administrative and involve the creation of documents, while others involve IT. To estimate the costs for meeting these PO 00000 Frm 00061 Fmt 4701 Sfmt 4700 requirements, FinCEN consulted with multiple Federal agencies and utilized statistics regarding active entities with BSA data access. Requirements are summarized in Table 4, which is followed by more detailed analysis and cost estimates. Table 4 does not specifically reflect the requirement that domestic agencies shall limit, to the greatest extent practicable, the scope of BOI it seeks. However, FinCEN does not anticipate this limitation to impose meaningful costs, and thus there is no associated cost estimated for this requirement. E:\FR\FM\22DER3.SGM 22DER3 ER22DE23.002</GPH> ddrumheller on DSK120RN23PROD with RULES3 Each of the affected entities will have costs associated with the rule if it elects to access FinCEN BOI. The costs vary based on the access procedures for the authorized recipients. The costs also vary by institution size and investigation caseload, but for simplicity, FinCEN estimates an average impact by category of authorized recipient throughout the analysis. The rule requires different access procedures for domestic agencies, foreign requesters, and financial institutions. FinCEN will also incur costs for 88792 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations Table 4-Requirements for Domestic Agencies 1 2 3 4 5 6 7 ddrumheller on DSK120RN23PROD with RULES3 8 Requirement Enter into an agreement with FinCEN and establish standards and procedures Establish and maintain a secure system to store BOI Establish and maintain an auditable system of standardized records for requests Restrict access to appropriate persons within the agency, some of whom must undergo training Conduct an annual audit and cooperate with FinCEN' s annual audit Obtain certification of standards and procedures initially and then semiannually, by the head of the agency Provide initial and then an annual report on procedures Submit written certification for each request that it meets certain agency requirements Timin~ of Cost One-time Type of Cost Administrative Ongoing IT Ongoing IT Ongoing (Training cost is per recipient) Administrative Annual Administrative Semi-annual Administrative Annual Administrative Ongoing (Cost is per request) Administrative Enter Into an Agreement with FinCEN and Establish Standards and Procedures. For requirement #1, FinCEN assumes that domestic agencies will incur costs during the first year. In alignment with the feedback FinCEN received during outreach efforts, which is detailed in the NPRM, FinCEN assumes it will take a domestic agency, on average, between 15 and 300 business hours to complete this onetime task. Using an hourly wage estimate of $110 per hour for Federal agencies results in a one-time cost between approximately $1,650 and $33,000 per Federal agency ((15 hours × $110 per hour = $1,650) and (300 hours × $110 per hour = $33,000)). Using an hourly wage estimate of $80 per hour for State, local, and Tribal agencies results in a one-time cost between approximately $1,200 and $24,000 per State, local, and Tribal agency ((15 hours × $80 per hour = $1,200) and (300 hours × $80 per hour = $24,000)). To estimate aggregate costs, FinCEN multiplies these ranges by 207 total Federal agencies 244 and 215 State, local, and Tribal agencies,245 resulting in a total one-time cost between approximately $0.6 and $12 million ((207 Federal agencies × $1,650 per Federal agency + 215 State, local, and Tribal agencies × $1,200 per State, local, and Tribal agency = $599,550) and (207 Federal agencies × $33,000 per Federal agency + 215 State, local, and Tribal agencies × $24,000 per State, local, and Tribal agency = $11,991,000)). Establish and Maintain a Secure System to Store BOI. The cost of requirement #2 will vary depending on the existing IT infrastructure of the domestic agency. Some agencies will be able to build upon existing systems that generally meet the security and confidentiality requirements. Other agencies will need to create new systems. Consistent with feedback from agencies that is detailed in the NPRM, FinCEN expects that certain agencies (in particular, Federal agencies) will bear de minimis IT costs because Federal agencies already have secure systems and networks in place as well as sufficient storage capacity in accordance with Federal Information Security 244 This is 201 Federal law enforcement, national security, and intelligence agencies and agency subcomponents and six Federal regulators. 245 This is 158 State and local law enforcement agencies and 57 State regulators that supervise entities with customer due diligence requirements. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 PO 00000 Frm 00062 Fmt 4701 Sfmt 4700 Management Act (FISMA) standards.246 Therefore, FinCEN assumes a range of burden for requirement #2 in year 1 of de minimis to 300 hours, and an ongoing burden of de minimis to 4 hours. Using an hourly wage estimate of $110 per hour for Federal agencies results in an initial cost between approximately de minimis costs and $33,000 (300 hours × $110 per hour = $33,000), and $440 annually thereafter (4 hours × $110 per hour = $440) per Federal agency. Using an hourly wage estimate of $80 per hour for State, local, and Tribal agencies results in an initial cost between approximately de minimis costs and $24,000 (300 hours × $80 per hour = $24,000), and $320 annually thereafter (4 hours × $80 per hour = $320) per State, local, and Tribal agency. To estimate aggregate costs, FinCEN multiplies these ranges by 207 total Federal agencies, and 215 State, local, and Tribal agencies, resulting in a total year 1 cost between approximately 246 Under FISMA, Federal agencies need to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by an agency. Federal agencies also need to comply with the information security standards and guidelines developed by NIST. 44 U.S.C. 3553. E:\FR\FM\22DER3.SGM 22DER3 ER22DE23.003</GPH> # ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations de minimis and $12.0 million (207 Federal agencies × $33,000 per Federal agency + 215 State, local, and Tribal agencies × $24,000 per State, local, and Tribal agency = $11,991,000). The ongoing annual cost will be between approximately de minimis and $.2 million (207 Federal agencies × $440 per Federal agency + 215 State, local, and Tribal agencies × $320 per State, local, and Tribal agency = $159,880). Establish and Maintain an Auditable System of Standardized Records for Requests. As with requirement #2, the ongoing IT costs from requirement #3 will vary depending on the existing IT infrastructure of the domestic agency. FinCEN again expects that certain agencies (in particular, Federal agencies) will bear de minimis IT costs because Federal agencies already have secure systems and networks in place as well as sufficient storage capacity in accordance with FISMA standards. Based on this expectation and agency feedback explained in the NPRM, FinCEN assumes a range of burden for requirement #3 in year 1 of de minimis to 200 hours, and an ongoing burden of de minimis to 20 hours. Using an hourly wage estimate of $110 per hour for Federal agencies results in an initial cost between approximately de minimis costs and $22,000 (200 hours × $110 per hour = $22,000), and $2,200 annually thereafter (20 hours × $110 per hour = $2,200) per Federal agency. Using an hourly wage estimate of $80 per hour for State, local, and Tribal agencies results in an initial cost between approximately de minimis costs and $16,000 (200 hours × $80 per hour = $16,000), and $1,600 annually thereafter (20 hours × $80 per hour = $1,600) per State, local, and Tribal agency. To estimate aggregate costs, FinCEN multiplies these ranges by 207 total Federal agencies, and 215 State, local, and Tribal agencies, resulting in a total year 1 cost between approximately de minimis and $8.0 million (207 Federal agencies × $22,000 per Federal agency + 215 State, local, and Tribal agencies × $16,000 per State, local, and Tribal agency = $7,994,000). The ongoing annual cost will between approximately de minimis and $.8 million (207 Federal agencies × $2,200 per Federal agency + 215 State, local, and Tribal agencies × $1,600 per State, local, and Tribal agency = $799,400). Restrict Access to Appropriate Persons Within the Agency, Some of Whom Must Undergo Training. FinCEN assumes that to comply with this requirement, agencies will provide training to certain employees that receive BOI access. The number of authorized recipients that have BOI VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 access at a given agency will vary. Using the active entities with access to BSA data as of June 2023 as a proxy, and consistent with information provided by a number of agencies, FinCEN anticipates that each Federal agency could have anywhere between approximately 1 and 1,900 recipients of BOI data while each State, local, and Tribal agency could have anywhere between 1 and 80 recipients of BOI.247 To estimate the cost of this training, FinCEN assumes that each employee that accesses BOI data will undergo 1 hour of training per year. Using an hourly wage estimate of $110 per hour for Federal agencies results in an annual cost between approximately $110 and $209,000 (1 employee × 1 hour × $110 per hour = $110) and (1,900 employees × 1 hour × $110 per hour = $209,000)) per Federal agency. Using an hourly wage estimate of $80 per hour for State, local, and Tribal agencies results in an annual cost between approximately $80 and $6,400 (1 employee × 1 hour × $80 per hour = $80) and (80 employees × 1 hour × $80 per hour = $6,400)) per State, local, and Tribal agency. To estimate the aggregate annual costs, FinCEN uses aggregate user counts of active BSA data users based on internal FinCEN data from June 2023, which provides a more reasonable estimate of the likely number of authorized recipients than assuming the previously estimated ranges will apply to each domestic agency. Therefore, based on internal data, FinCEN expects that approximately 12,000 Federal employees and 2,000 employees of State, local, and Tribal agencies will undergo annual training to access BOI data.248 This results in an aggregate annual training cost of approximately $1.5 million ((12,000 Federal employees × 1 hour × $110 per hour) + (2,000 State, local, and Tribal employees × 1 hour × $80 per hour) = $1,480,000). Conduct an Annual Audit and Cooperate with FinCEN’s Annual Audit; Initially and then Semi-Annually Certify Standards and Procedures by the Head 247 The range provided is an estimate of the lowest and highest number of users for Federal agencies and for State and local agencies respectively as of a given date in June 2023 with access to BSA data through FinCEN’s database. 248 These estimates are based on the number of users that directly access BSA data through FinCEN’s internal system; there are a limited number of other ways that users may access BSA data, which are not accounted for here. Furthermore, while FinCEN does not incorporate an anticipated growth rate into the estimate of BOI authorized recipients throughout the 10-year time horizon of this analysis, the number of BOI authorized recipients could increase significantly after the first fully operational year of the BOI reporting requirements as awareness of the ability to access and utility of accessing BOI increases. PO 00000 Frm 00063 Fmt 4701 Sfmt 4700 88793 of the Agency; Annually Provide a Report on Procedures. Requirements #5–7 are administrative costs that a domestic agency will incur on an annual or semi-annual basis. Specifically, they require an agency to: (1) conduct an annual audit and cooperate with FinCEN’s annual audit; (2) certify standards and procedures by the head of the agency semi-annually; and (3) provide an annual report on procedures to FinCEN. Based on feedback from outreach as explained in the NPRM, FinCEN assumes it will take a given agency between 10 hours and 160 hours per year to meet these three requirements. Using an hourly wage estimate of $110 per hour for Federal agencies results in annual costs between approximately $1,100 and $17,600 per Federal agency ((10 hours × $110 per hour = $1,100) and (160 hours × $110 per hour = $17,600)). Using an hourly wage estimate of $80 per hour for State, local, and Tribal agencies results in annual costs between approximately $800 and $12,800 per State, local, and Tribal agency ((10 hours × $80 per hour = $800) and (160 hours × $80 per hour = $12,800)). To estimate annual aggregate costs, FinCEN multiplies these ranges by 207 total Federal agencies and 215 State, local, and Tribal agencies, resulting in a total annual cost between approximately $.4 million and $6.4 million ((207 Federal agencies × $1,100 per Federal agency + 215 State, local, and Tribal agencies × $800 per State, local, and Tribal agency = $399,700) and (207 Federal agencies × $17,600 per Federal agency + 215 State, local, and Tribal agencies × $12,800 per State, local, and Tribal agency = $6,395,200)). Submit Written Certification for Each Request that it Meets Certain Agency Requirements. Finally, for requirement #8, domestic agencies are required to submit a written certification for each request for BOI. The written certification will be in the form and manner prescribed by FinCEN. This certification will be submitted to FinCEN via an electronic form. The number of requests for BOI submitted to FinCEN by domestic agencies in any given year will vary. FinCEN assumes that submitting a request to FinCEN for BOI will take one employee approximately 15 minutes, or 0.25 hours, per request. This is based on FinCEN’s experience with submitting requests for BSA data in FinCEN Query, which similarly require a written description for a search request. Certification requirements vary by authorized recipient type under the rule. Federal and regulatory agencies must certify that their request is related E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88794 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations to specific activities. State, local, and Tribal law enforcement agencies must certify that a court of competent jurisdiction, including any officer of such a court, has authorized the agency to seek the BOI in a criminal or civil investigation. FinCEN expects that requests submitted by State, local, and Tribal law enforcement agencies will take an additional 8 to 10 hours in year 1 and 6 to 8 hours in subsequent years to the due to the additional court authorization requirement. The hourly burden decline in subsequent years reflects FinCEN’s expectation that agencies (and courts) will improve their processes for meeting BOI request requirements. FinCEN expects many agencies will access BOI repeatedly year after year as they do with BSA data. For purposes of estimating the cost of these additional hours of burden, FinCEN applies the hourly wage estimate for State, local, and Tribal employees and assumes that this cost will be incurred by the State, local or Tribal law enforcement agency. In practice, employees within the court system may also incur costs related to this requirement. However, FinCEN has not estimated the burden that may be imposed on such entities because of the lack of relevant data and because such burden will vary depending on how courts choose to authorize BOI requests. Using an hourly wage estimate of $110 per hour for Federal employees results in a per request cost of approximately $28 per Federal agency (0.25 hours × $110 per hour = $27.50). Using an hourly wage estimate of $80 per hour for State, local, and Tribal employees results in a per request cost of approximately $20 per State and local regulator (0.25 hours × $80 per hour = $20), between approximately $660 and $820 per State, local, and Tribal law enforcement agency in year 1 ((8.25 hours × $80 per hour = $660) and (10.25 hours × $80 per hour = $820)) and $500 and $660 in subsequent years ((6.25 hours × $80 per hour = $500) and (8.25 hours × $80 per hour = $660)). To estimate a per agency annual cost, FinCEN uses BSA data request statistics from recent years as a proxy. Using these data, FinCEN estimates that each Federal agency could submit between 1 and 350,000 requests for BOI annually while each State, local, and Tribal agency could submit between 1 and 23,000 requests for BOI annually.249 Therefore, the estimated annual cost is between $28 and $9.8 million (($28 per request × 1 request) and ($28 per request × 350,000 requests = $9,800,000)) per Federal agency. The annual cost is between $20 and $.5 million (($20 per request × 1 request) and ($20 per request × 23,000 requests = $460,000)) per State and local regulator. For State, local, and Tribal law enforcement agencies, the annual cost is between $660 and $18.9 million in year 1 (($660 per request × 1 request = $660) and ($820 per request × 23,000 requests = $18,860,000)) and $500 and $15.2 million in subsequent years (($500 per request × 1 request = $500) and ($660 per request × 23,000 requests = $15,180,000)). Using FinCEN’s internal BSA request data as a proxy, FinCEN anticipates that Federal agencies could submit as many as 2 million total BOI requests annually and that State, local, and Tribal agencies could submit as many as 230,000 total BOI requests annually.250 The internal number of BSA requests provides a more reasonable estimate of the likely number of aggregate requests than assuming the previously estimated ranges will apply to each domestic agency. This results in aggregate costs in year 1 between $187.6 and $219.6 million ((2 million Federal requests × $28 per request + 30,000 State and local regulatory requests × $20 per request + 200,000 State, local, and Tribal law enforcement requests × $660 per request = $187,600,000) and (2 million Federal requests × $28 per request + 30,000 State and local regulatory requests × $30 per request + 200,000 State, local, and Tribal law enforcement requests × $820 per request = $219,600,000)). In subsequent years, the aggregate annual costs range between $155.6 million and $187.6 million ((2 million Federal requests × $28 per request + 30,000 State and local regulatory requests × $20 per request + 200,000 State, local, and Tribal law enforcement requests × $500 per request = $155,600,000) and ((2 million Federal requests × $28 per request + 30,000 State and local regulatory requests × $20 per request + 200,000 State, local, and Tribal law enforcement requests × $660 per request = $187,600,000)). Totaling the estimated costs for requirements #1–8, the estimated average per agency cost in year 1 is between $2,888 and $10.1 million per Federal agency, between $2,100 and $.5 million per State and local regulator, between $2,740 and $18.9 million per State, local, and Tribal law enforcement agency, and between $2,783 to $662,500 249 The range is an estimate of the lowest and highest number of BSA data requests received through FinCEN’s database from Federal agencies and for State and local agencies respectively during recent years. 250 Of the 230,000 anticipated total annual State, local, and Tribal BOI requests, approximately 30,000 are expected from State regulators and approximately 200,000 from State, local, and Tribal law enforcement agencies. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 PO 00000 Frm 00064 Fmt 4701 Sfmt 4700 per SRO.251 The estimated average per agency cost each year after the first year is between $1,238 and $10 million per Federal agency, between $900 and $.5 million per State and local regulator, between $1,380 and $15.2 million per State, local, and Tribal law enforcement agency, and between $1,193 to $662,500 per SRO. The total estimated aggregate cost to domestic agencies in year 1 is between $190.1 million and $260.2 million, and then between $157.5 million and $197.2 million each year thereafter. Federal agencies may incur costs related to submitting requests on behalf of foreign requesters. These costs are estimated in the next section. Federal agencies may also bear costs related to enforcement in cases of unauthorized disclosure and use of BOI; however, these costs have not been estimated in this analysis, as the level of compliance with the rule is unknown. 2. Foreign Requesters Foreign requesters must meet multiple requirements to receive BOI. FinCEN does not have an estimate of the number of foreign requesters that may elect to request and access BOI, or which requesters will do so under an applicable international treaty, agreement, or convention, or through another channel available under the rule. Foreign requesters that request and receive BOI under an applicable international treaty, agreement, or convention do not have certain requirements under the rule, given that such requesters are governed by standards and procedures under the applicable international treaty, agreement, or convention. However, FinCEN does not differentiate between types of foreign requesters in this analysis, given the lack of data. Though FinCEN is unable to estimate aggregate costs on foreign requesters given the lack of data on the number of foreign requesters that may access BOI, FinCEN provides partial cost estimates of the requirements on a foreign requester. Requirements are summarized in Table 5, which is followed by a more detailed analysis and cost estimates. Table 5 does not specifically reflect the requirement that a foreign requester shall limit, to the greatest extent practicable, the scope of BOI it seeks. However, FinCEN does not expect this 251 To calculate total costs to SROs, FinCEN calculated a ratio that applied the estimated costs to State regulators (which have access requirements similar to SROs) to the wage rate estimated herein for financial institutions, since SROs are private organizations. As noted previously, SROs will not have direct access to the BO IT system, but may receive BOI through re-disclosure. E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations limitation to impose meaningful costs, 88795 and thus there is no associated cost estimated for this requirement. Table 5-Requirements for Foreign Requesters 1 2 3 ddrumheller on DSK120RN23PROD with RULES3 4 Requirement Establish standards and procedures Maintain a secure system to store BOI Restrict access to appropriate persons, all of whom must undergo training Provide information for each request to an intermediary Federal agency Timin~ of Cost One-time Ongoing Ongoing per requester Ongoing per request Type of Cost Administrative IT Administrative Administrative Establish Standards and Procedures. For requirement #1, FinCEN assumes that foreign requesters will incur costs during the first year. FinCEN assumes it will take a foreign requester, on average, between one and two full business weeks (or, between 40 and 80 business hours) to establish standards and procedures. This estimate is a FinCEN assumption based on its experience coordinating with foreign partners. Using an hourly wage estimate of $110 per hour for Federal agencies, which FinCEN assumes is a comparable hourly wage estimate for foreign requesters, FinCEN estimates this one-time cost will be between approximately $4,400 and $8,800 per foreign requester ((40 hours × $110 per hour) and (80 hours × $110 per hour)). Foreign requesters that request and receive BOI under an applicable international treaty, agreement, or convention do not have this requirement under the rule, given that such requesters are governed by standards and procedures under the applicable international treaty, agreement, or convention. However, FinCEN does not differentiate between types of foreign requesters in this analysis, given the lack of data. Maintain a Secure System to Store BOI. For requirement #2, the cost of the ongoing IT requirement will vary depending on the existing infrastructure of the foreign requester. FinCEN believes that foreign requesters already have secure systems and networks in place as well as sufficient storage capacity, given their ongoing coordination with the U.S. government on a variety of matters, which likely adhere to applicable data security standards. Therefore, FinCEN assumes de minimis IT costs. Foreign requesters that request and receive BOI under an applicable international treaty, agreement, or convention do not have this requirement under the rule, given that such requesters are governed by security standards under the applicable international treaty, agreement, or convention. However, FinCEN does not differentiate between types of foreign requesters in this analysis, given the lack of data. Restrict Access to Appropriate Persons, Who Will Undergo Training. For requirement #3, FinCEN assumes that each foreign requester that accesses BOI data will undergo 1 hour of training per year; FinCEN does not impose specific requirements on the content or structure of this training. Using an estimated hourly wage amount of $110, this results in an annual training cost of approximately $110 per foreign requester. Provide Information for Each Request to an Intermediary Federal Agency. For requirement #4, FinCEN assumes that providing information for a BOI request to an intermediary Federal agency will take one foreign requester approximately 45 minutes, or 0.75 hours, per request. This estimate is based on FinCEN’s assumption that a request for BOI submitted directly by a Federal agency on its own behalf will take approximately 15 minutes. Given the additional information required for a foreign-initiated request, FinCEN triples that estimate for foreign requests. Using an hourly wage estimate of $110 per hour, this will result in a per request cost of approximately $83 per foreign requester (0.75 hours × $110 per hour = $83). Based on feedback from agencies, FinCEN believes that the total number of foreign requests will range between approximately 200 and 900 per year.252 This results in an aggregate annual cost to foreign requesters between approximately $16,600 and $74,700 ((200 requests × $83 per request = $16,600) and (900 requests × $83 per request = $74,700)). FinCEN also assumes that Federal agencies that submit requests on behalf of foreign requesters to FinCEN will incur additional costs; FinCEN itself expects to incur costs from the submission of such requests. Therefore, FinCEN estimates that processing BOI requests on behalf of foreign requesters require approximately two hours of one Federal employee’s time, resulting in a cost per request of approximately $220 (2 hours × $110 per hour). This results in a total annual cost to Federal agencies between approximately $44,000 and $198,000 ((200 requests × 2 hours × $110 per hour = $44,000) and (900 requests × 2 hours × $110 per hour = $198,000)). 252 FinCEN recognizes that the number of BOI requests from foreign requesters may be higher, as no such U.S. beneficial ownership IT system currently exists. The existence of a centralized U.S. BOI source may in fact result in a higher number of annual requests by foreign requesters. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 PO 00000 Frm 00065 Fmt 4701 Sfmt 4700 3. Financial Institutions Financial institutions must meet multiple requirements to access BOI. Requirements are summarized in Table 6, which is followed by a more detailed analysis and cost estimates. It should be noted that Table 6 includes a training requirement. FinCEN assumes authorized recipients of BOI at financial institutions will undergo training in order to comply with the safeguards in the rule. Additionally, FinCEN anticipates that access to the BO IT system will be conditioned on recipients of BOI undergoing training. E:\FR\FM\22DER3.SGM 22DER3 ER22DE23.004</GPH> # 88796 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations Table 6-Requirements for Financial Institutions 1 2 3 4 ddrumheller on DSK120RN23PROD with RULES3 5 6 7 Requirement Develop and implement administrative and physical safeguards Develop and implement technical safeguards Obtain and document customer consent Submit certification for each request that it meets certain requirements Undergo training Geographic restrictions Notification of information demand Develop and Implement Administrative and Physical Safeguards. For requirement #1, FinCEN estimates an average burden per financial institution between 120 and 240 hours to develop and implement administrative and physical safeguards. This estimate increased from the NPRM based on comments that stated that estimate was too low, and those that noted that audit and legal review will be included in the burden for developing and implementing these safeguards. Using an hourly wage estimate of $106 per hour for financial institutions, FinCEN estimates this one-time cost will be between approximately $12,720 and $25,440 per financial institution. To estimate aggregate costs, FinCEN multiplies this range by 15,716 total financial institutions resulting in a total cost between approximately $199.9 and $399.8. million (($12,720 per financial institution × 15,716 financial institutions = $199,907,520) and ($25,440 per financial institution × 15,716 financial institutions = $399,815,040)). Develop and Implement Technical Safeguards. For requirement #2, the cost of the ongoing IT requirement will vary depending on the existing infrastructure of the financial institution. FinCEN believes that most financial institutions already have secure systems and networks in place as well as sufficient storage capacity, given existing requirements with regard to protection of customers’ nonpublic personal information.253 Therefore, FinCEN assumes de minimis IT costs. 253 As noted in the rule, financial institutions may have established information procedures to satisfy the requirements of section 501 of the GrammLeach-Bliley Act, and applicable regulations issued thereunder, with regard to the protection of customers’ nonpublic personal information. If a financial institution is not subject to section 501 of the Gramm-Leach-Bliley Act, such institutions may VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 Timing of Cost One-time Type of Cost Administrative Ongoing IT Ongoing Ongoing per request Administrative Administrative Ongoing per recipient Administrative Ongoing Administrative/IT Ongoing per demand Administrative Obtain and Document Customer Consent. For requirement #3, FinCEN estimates that establishing processes to obtain and document customer consent will require between 50 and 70 hours of burden per financial institution. This estimate includes burden of drafting new language regarding customer consent for inclusion in financial institution documents, legal review of the language, and testing to integrate changes into IT systems. This estimate incorporates feedback from commenters that the NPRM estimate was too low and that it does incorporate the full range of activity necessary to complete this requirement. In addition, based on commenter feedback, FinCEN estimates an ongoing annual burden between 10 and 20 hours per financial institution to maintain records of customer consent. Using an hourly wage estimate of $106 per hour for financial institutions, FinCEN estimates the one-time cost is between approximately $5,300 to $7,420 per financial institution in year 1 and between $1,060 to $2,120 in ongoing costs each year thereafter. To estimate aggregate costs, FinCEN multiplies this estimate by 15,716 total financial institutions, resulting in a total cost between approximately $83.3 and $116.6 million in year 1 (($5,300 per financial institution × 15,716 financial institutions = $83,294,800) and ($7,420 per financial institution × 15,716 financial institutions = $116,612,720)) and $16.7 and $33.3 million in ongoing years (($1,060 per financial institution × 15,716 financial institutions = $16,658,960) and ($2,120 per financial institution × 15,716 financial institutions = $33,317,920)). be required, recommended, or authorized under applicable Federal or State law to have similar information procedures with regard to protection of customer information. PO 00000 Frm 00066 Fmt 4701 Sfmt 4700 Submit Certification for Each Request that it Meets Certain Requirements. For requirement #4, the certifications are submitted in the form and manner prescribed by FinCEN via an electronic form. FinCEN estimates that submitting a request to FinCEN for BOI will take one employee approximately 15 minutes, or 0.25 hours, per request.254 For purposes of this analysis, FinCEN assumes a range of approximately 5 million to 6 million total requests from financial institutions per year. The minimum amount assumes that the number of BOI requests from financial institutions each year equals the number of new entities that qualify as ‘‘reporting company’’ required to submit BOI. As estimated in the Reporting Rule’s RIA, this is approximately 5 million entities annually.255 The maximum amount assumes that financial institutions request BOI for each new legal entity customer at the time of account opening, in alignment with the 2016 CDD Rule,256 resulting in approximately 6 million entities.257 Therefore, the 254 FinCEN anticipates that financial institutions will also be able to request BOI through an Application Programming Interface (API) which will make this process less burdensome. 255 In the Reporting Rule’s RIA, the analysis assumes 13.1 percent growth in new entities from 2020 through 2024, and then a stable same number of approximately 5 million new entities each year thereafter through 2033. 256 The CTA requires that the 2016 CDD Rule be revised given FinCEN’s BOI reporting and access requirements. Therefore, this estimate and assumption may change after that revision. 257 The 2016 CDD Rule estimated that each financial institution with customer due diligence requirements will open, on average, 1.5 new legal entity accounts per business day. The rule also assumed there are 250 business days per year. Therefore, FinCEN estimates that financial institutions would need to conduct customer due diligence requirements for a minimum of approximately 6 million legal entities per year (15,716 financial institutions × 1.5 accounts per day × 250 business days per year = 5,893,500 new legal entity accounts opened per year). E:\FR\FM\22DER3.SGM 22DER3 ER22DE23.005</GPH> # ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations estimated aggregate annual cost of this requirement is between approximately $132.5 and $156.2 million ((5 million total requests × 0.25 hours per request × $106 per hour = $132,500,000) and (5,893,500 total requests × 0.25 hours per request × $106 per hour = $156,177,750)). The per institution annual cost of requirement #4 is between approximately $8,431 and $9,938 (($132,500,000/15,716 financial institutions) and ($156,177,750/15,716 financial institutions)). Undergo Training. Requirement #5 pertains to training for individuals that access BOI. FinCEN assumes authorized recipients of BOI at financial institutions will undergo training in order to comply with the safeguards in the rule. To estimate the cost of this training, FinCEN assumes a range of authorized recipients per financial institution. FinCEN believes a range is appropriate given the variation in institution size, complexity, and business models across the 15,716 financial institutions. Based on information provided by comments, FinCEN assumes 4 to 5 employees per small financial institution and 25 to 30 employees per large financial institution will undergo annual BOI training. This estimate differs from the NPRM because FinCEN integrated feedback from commenters that stated the NPRM estimate was too low. Using an hourly wage rate of $106 per hour, and assuming each authorized recipient has one hour of training each year, FinCEN estimates a per institution annual training cost between approximately $424 and $3,180 ((4 employees × 1 hour × $106 per hour = $424) and (30 employees × 1 hour × $106 per hour = $3,180)). To estimate aggregate costs, FinCEN uses SBA size standards and identifies approximately 13,699 small financial institutions and 2,017 large financial institutions (15,716 total financial institutions ¥13,699 small financial institutions). This results in an estimated minimum average annual perinstitution cost of $710 ((13,699 small institutions × 4 employees × $106 per hour + 2,017 large institutions × 25 employees × $106 per hour)/15,716 total financial institutions) and a maximum average annual cost of $870 ((13,699 small institutions × 5 employees × $106 per hour + 2,017 large institutions × 30 employees × $106 per hour)/15,716 total financial institutions). The estimated aggregate training cost is between approximately $11.2 and $13.7 million per year ((13,699 small institutions × 4 employees × 1 training hour per person × $106 per hour + 2,017 large institutions × 25 employees × 1 hour × VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 $106 per hour = $11,153,426) and (13,699 small institutions × 5 employees × 1 hour × $106 per hour + 2,017 large institutions × 30 employees × 1 hour × $106 per hour = $13,674,530)). Geographic Restrictions. Requirement #6 pertains to the final rule’s inclusion of certain geographic restrictions for financial institutions on the use and storage of BOI. The proposed rule restricted this use and storage to within the United States; the final rule does not include this limitation, but instead states that BOI cannot be made available or stored in specific jurisdictions. Commenters expressed concern the geographic restrictions in the proposed rule would conflict with existing IT systems and information handling procedures but did not provide quantitative feedback regarding additional burden specific to the geographic restriction.258 The final rule allows greater flexibility regarding geographic access in only requiring financial institutions to restrict access for select jurisdictions, lowering the burden of this requirement. Because financial institutions already face restrictions to operating in those jurisdictions, FinCEN expects this limitation to impose de minimis costs. Notification of Information Demand. Requirement #7 obligates financial institutions to notify FinCEN within three business days if they receive a subpoena or legal demand from a foreign government for BOI obtained from FinCEN. FinCEN expects financial institutions to receive zero information demand requests and thus assumes de minimis costs. Foreign governments should request BOI through the available government channels rather than by demanding information from financial institutions; this requirement intends to ensure that foreign governments leverage the proper BOI request channels. Together, the estimated average cost per financial institution for completing the 7 requirements in Table 6 in year 1 is between approximately $27,161 and $43,668, and between approximately $10,201 and $12,928 each year thereafter. The estimated aggregate costs from requirements #1–7 for financial institutions are between approximately 258 One commenter estimated it would cost between $1 million and $3 million to develop new systems or adapt existing systems to comply with the various aspects of the proposed rule, including preventing BOI obtained from FinCEN from ‘‘flowing’’ into other financial institution monitoring systems and to affiliates outside of the United States. This commenter, however, did not indicate how much of this estimated $1–3 million in costs was attributable to the geographic restriction as opposed to other aspects of the proposed rule. PO 00000 Frm 00067 Fmt 4701 Sfmt 4700 88797 $426.9 and $686.3 million in the first year, and then between approximately $160.3 and $203.2 million each year thereafter. 4. FinCEN In addition to the costs of accessing BOI data as a domestic agency, FinCEN will incur costs from managing the access of other authorized recipients. To administer BOI access, FinCEN will develop training materials and agreements with domestic agencies; conduct ongoing outreach with authorized recipients on the access requirements and respond to inquiries and notifications from authorized recipients; conduct audits of authorized responsibilities; develop procedures to review authorized recipients’ standards and procedures, and requests as needed; and potentially reject requests or suspend access if requirements are not met. FinCEN currently administers access to the FinCEN Query system, which involves similar considerations; therefore, FinCEN will build on its experience to administer BOI access. FinCEN will also incur an initial cost in setting up internal processes and procedures for administering BOI access.259 FinCEN retains its $10 million annual personnel cost estimate from the NPRM. In addition, FinCEN has determined the volume of activity associated with managing access to BOI requires contract staff to support this new program, which FinCEN estimates will cost approximately $3 million annually. Therefore, FinCEN’s estimated annual costs are $13 million. g. Detailed Discussion of Benefits The rule is expected to yield benefits for authorized recipients. Currently, authorized recipients may obtain BOI through a variety of means; however, the rule will put in place a centralized system that, by virtue of providing more direct access to the information, is expected to reduce related search costs. FinCEN has quantitatively estimated some such benefits in this analysis. The rule will also have non-quantifiable benefits to authorized recipients of BOI and to society more widely. This rule will facilitate U.S. national security, intelligence, and law enforcement activity by providing access to BOI which, as noted in the Reporting Rule’s RIA, will make these activities more effective and efficient. These activities will be more effective and efficient because the improved ownership 259 FinCEN also is developing the BO IT system that will allow for the varying types of access. The costs associated with developing and maintaining this IT system are addressed in the Reporting Rule’s RIA. E:\FR\FM\22DER3.SGM 22DER3 88798 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 transparency will enhance Federal agencies’ ability to investigate, prosecute, and disrupt the financing of terrorism, other transnational security threats, and other types of domestic and transnational financial crimes. Additionally, Treasury anticipates that it will gain efficiencies in its efforts to identify the ownership of legal entities, resulting in improved analysis, investigations, and policy decisions on a variety of subjects. The Internal Revenue Service will be able to obtain access to BOI for tax administration purposes, which may provide benefits for tax compliance. Federal regulators may also obtain benefits by accessing BOI in civil law enforcement matters. Similarly, the rule is expected to facilitate and make more efficient investigations by State, local, and Tribal law enforcement agencies. Access to BOI through FinCEN is expected to obviate the need for such agencies to spend additional time and resources identifying BOI using other, potentially costlier, methods. Foreign requesters may also reap similar benefits. While FinCEN further expects that financial institutions could also benefit from gaining access to key information (including potentially additional beneficial owners, for their customer due diligence processes), given the pending revisions to the CDD Rule, FinCEN is not quantifying expected benefits for financial institutions at this time. FinCEN anticipates that the benefits to financial institutions in meeting their customer due diligence obligations will be discussed in that rulemaking. Additionally, that rulemaking will consider costs and benefits to regulatory agencies that supervise financial institutions’ compliance with customer due diligence requirements. This rule’s estimates of benefits to domestic agencies are in alignment with feedback FinCEN has received from a number of agencies as part of the outreach efforts FinCEN conducted in formulating the rule. This feedback on qualitative and quantitative benefits of accessing BOI is summarized in the NPRM. Based on this feedback, FinCEN anticipates a potential quantifiable benefit range attributable to efficiency gains of between 300 and 20,000 hours VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 annually, per domestic agency.260 This is equivalent to a per Federal agency dollar savings between $33,000 and $2.2 million ((300 hours × $110 per hour = $33,000) and (20,000 hours × $110 per hour = $2,200,000)) and a per State, local, and Tribal agency dollar savings between $24,000 and $1.6 million ((300 hours × $80 per hour = $24,000 and 20,000 hours × $80 per hour = $1,600,000)), depending on the number and complexity of the investigations. The minimum dollar value of the benefits of the rule implied by these assumptions in year 1 is $10.6 million ((207 Federal agencies × 300 hours per agency × $110 per hour) + (158 State, local, and Tribal law enforcement agencies × 300 hours per agency × $80 per hour) = $10,623,000). The maximum estimated aggregate annual quantified benefit is $708.2 million ((207 Federal agencies × 20,000 hours per agency × $110 per hour) + (158 State, local, and Tribal law enforcement agencies × 20,000 hours per agency × $80 per hour) = 708,200,000). These estimates only pertain to quantifiable benefits in the form of enhanced BOI search efficiency; agencies can also gain other benefits from accessing BOI, such as investigative law enforcement value, that are not quantified in this analysis. Therefore, FinCEN believes the benefits can be greater than the cost savings attributable to enhanced search efficiency estimated here. FinCEN assumes that no Federal agency or State, local or Tribal law enforcement agency will access BOI unless the benefits of doing so are at least equal to the costs, given that BOI access is optional for these agencies. In cases where quantifiable costs exceed quantified benefits, but a Federal agency or State, local or Tribal law enforcement agency elects to access BOI, certain nonquantifiable benefits must exist that outweigh the quantified net cost. FinCEN takes these kinds of nonquantifiable benefits into consideration, 260 Regarding Federal regulators, FinCEN assumes that the benefit would relate to civil law enforcement activities rather than examination activities. The estimated direct benefits from reduced investigation time and resources does not account for any potential benefits in the form of efficiency gains to financial institutions that access BOI. Any potential benefits to financial institutions for accessing BOI will be accounted for in the forthcoming CDD Rule revision. PO 00000 Frm 00068 Fmt 4701 Sfmt 4700 as well as the quantifiable benefits estimated in the analysis. In addition to the direct benefits that will accrue to agencies, such as saving time, accessing BOI will lead to other secondary benefits, as discussed in the Reporting Rule’s RIA.261 BOI will also further the missions of the agencies to combat crime, as well as contribute to national security, intelligence, and law enforcement, and other activities. Therefore, the expected benefits to agencies of accessing BOI are more than just the efficiency gains with respect to search costs; FinCEN expects more streamlined access to BOI will lead to more effective and efficient investigations. Enabling effective and efficient investigations has the additional secondary benefit of making it more difficult to launder money through shell companies and other entities, in turn strengthening national security and enhancing financial system transparency and integrity. Barriers to money laundering encourage a more secure economy and can generate more economic activity when businesses have more trust in the legitimacy of new business partners. Finally, the sharing of BOI with foreign partners, subject to appropriate protocols consistent with the CTA, may further transnational investigations, tax enforcement, and the identification of national and international security threats. These secondary benefits are not accounted for in this analysis since they are accounted for in the Reporting Rule RIA. However, these benefits cannot come to fruition without authorized recipients gaining access to BOI, as implemented by this rule. Therefore, the benefits between the Reporting Rule and this rule are inextricably linked. h. Overall Impact Overall, FinCEN estimates the potential quantifiable impact of the rule will be between $78.2 million in quantifiable net benefits and $949.2 million in net costs in the first year of the rule, and then from $377.3 million in quantifiable net benefits to $403.0 million in net costs on an ongoing annual basis. Table 7 summarizes the estimated aggregate yearly impact of the rule. 261 See E:\FR\FM\22DER3.SGM 87 FR 59579–59580 (Sept. 30, 2022). 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations 88799 Table 7-Aggregate Yearly Impact of the Rule (Dollars in millions) oreign requester costs inancial institution costs Total net cost $0.02 to $0.07 $0.02 to $0.07 $426.9 to $686.3 $160.4 to $203.2 $13 $13 $630.0 to $959.8 $330.9 to $413.6 -[10.6 to $708.2] -[$10.6 to $708.2] - $78.2 to $949.2 - $377.3 to $403.0 This estimate includes aggregate annual costs to Federal agencies engaged in law enforcement, national security, and intelligence activities, offices of the U.S. Department of the Treasury including FinCEN, State, local, and Tribal law enforcement agencies, and both Federal and State regulators. Costs to SROs are also included in this aggregation. This estimate includes the additional aggregate annual costs between approximately $44,000 and $198,000 to ederal agencies from submitting and coordinating BOI requests on behalf of foreign partners. This includes only costs to FinCEN associated with managing BOI access. Costs to FinCEN as an authorized ecipient of BOI are included in the domestic agencies estimates. The estimated, quantifiable, aggregate annual benefits of the rule, which only reflect potential quantifiable benefits to agencies, will be between approximately $10.6 and $708.2 million. Likewise, FinCEN expects that the aggregate annual quantifiable costs of the rule will be somewhere between approximately $630.0 and $959.8 million in year 1, and between approximately $330.9 and $413.6 million each year thereafter. FinCEN believes that, in practice, entities will choose to access BOI only if the benefits to the entity’s operational needs, which includes both quantifiable and non-quantifiable benefits, outweigh the costs associated with the requirements for accessing BOI. This analysis assumes financial institutions can choose whether or not to access BOI. The question of whether financial institutions are required to access BOI as part of their CDD Rule obligations will be addressed in FinCEN’s forthcoming revisions to the 2016 CDD Rule. For other users, there are and will be no requirements to access BOI. Using the maximum net cost impact estimates from Table 7 as an upper bound of the impact of this rule, FinCEN determines the present value over a 10-year horizon of approximately $4 billion at the three percent discount VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 rate and approximately $3.3 billion at the seven percent discount rate. B. Final Regulatory Flexibility Act Analysis When an agency issues a rule proposal, the Regulatory Flexibility Act (RFA) requires the agency to either provide an IRFA or, in lieu of preparing an analysis, to certify that the proposed rule is not expected to have a significant economic impact on a substantial number of small entities.262 When FinCEN issued its NPRM, FinCEN believed that the proposed rule would have a significant economic impact on a substantial number of small entities, and provided an IRFA.263 FinCEN received numerous comments related to the RIA. Some of the comments related to the RIA were from small entities and associations representing small entities. FinCEN has discussed those comments relating to specific provisions in the proposed rule in section III above, and those relating to the RIA in section V.A. above. The RFA requires each Final Regulatory Flexibility Analysis (FRFA) to contain: • A succinct statement of the need for, and objectives of, the rule; 262 5 U.S.C. 601–612. FR 77445–77447. 263 87 PO 00000 Frm 00069 Fmt 4701 • A summary of the significant issues raised by the public comments in response to the IRFA, a summary of the assessment of the agency of such issues, and a statement of any changes made in the proposed rule as a result of such comments; • A description of and an estimate of the number of small entities to which the proposed rule would apply; • A description of the projected reporting, recordkeeping, and other compliance requirements of the proposed rule, including an estimate of the classes of small entities which will be subject to the requirement and the type of professional skills necessary for the preparation of the report or record; and • A description of the steps the agency has taken to minimize the significant economic impact on small entities consistent with the stated objectives of applicable statutes, including a statement of the factual, policy, and legal reasons for selecting the alternative adopted in the final rule and why each one of the other significant alternatives to the rule considered by the agency which affect the impact on small entities was rejected.264 264 5 Sfmt 4700 E:\FR\FM\22DER3.SGM U.S.C. 604(a). 22DER3 ER22DE23.006</GPH> ddrumheller on DSK120RN23PROD with RULES3 1 88800 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations i. Statement of the Reasons for, and Objectives of, the Rule The rule is necessary to implement section 6403 of the CTA. The purpose of the rule is to implement the disclosure requirements of section 6403 and to establish appropriate protocols to protect the security and confidentiality of the BOI. ddrumheller on DSK120RN23PROD with RULES3 ii. A Summary of the Significant Issues Raised by the Public Comments in Response to the IRFA, a Summary of the Assessment of the Agency of Such Issues, and a Statement of Any Changes Made in the Proposed Rule as a Result of Such Comments FinCEN has carefully considered the comments received in response to the NPRM. Section III provides a general overview of the comments and discusses the significant issues raised by comments. In addition, section V.A includes a discussion of the comments received with respect to the preliminary RIA and IRFA, including those with respect to the estimated cost that the rule will impose on financial institutions, which will include small entities. FinCEN has considered the comments received from small entities and from associations representing them, regardless of whether the comments referred to the IRFA. Commenters expressed concern about the costs that the rule’s requirements for BOI access would impose on financial institutions, which include small entities. FinCEN considered the burden and costs of the specific requirements throughout the final rule and has adjusted the analysis appropriately. Many comments were critical of FinCEN’s interpretation of ‘‘customer due diligence requirements under applicable law’’ in the proposed rule and the limited use of BOI by financial institutions that this definition would require. Some comments argued that if financial institutions could only use BOI reported to FinCEN to comply with the 31 CFR 1010.230 instead of the broader purposes, this would add burdens to financial institutions. Commenters noted that financial institutions already use BOI obtained from their customers for broad purposes. Commenters explained that if an financial institution is limited to using BOI obtained from FinCEN merely for purposes of compliance with 31 CFR 1010.230, then the financial institution would need to create a ‘‘firewall’’ between the BOI obtained from FinCEN and the BOI that an financial institution obtains directly from its legal entity customers, so that the financial institution could still use the BOI it VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 obtained directly from customers in the range of ways to which it has become accustomed. This firewalling would be a significant additional burden, according to these commenters. Several commenters claimed that if banks can only use BOI from FinCEN for compliance with 31 CFR 1010.230, this would create duplicative requirements for financial institutions. The final rule revises the proposed rule’s definition of ‘‘customer due diligence requirements under applicable law,’’ which was limited to the requirements under 31 CFR 1010.230, to allow the use of BOI more broadly to counter money laundering and the financing of terrorism, as well as to comply with certain other measures that safeguard national security. This change reflects FinCEN’s conclusion that the phrase should encompass a financial institution’s AML/CFT obligations under the BSA, including suspicious activity monitoring and SAR filing, as well as related activities such as sanctions screening, anti-fraud, and anti-bribery controls and other activities pursuant to the financial institution’s legal requirements for AML/CFT. FinCEN found persuasive comments that argued that if BOI from FinCEN could only be used for compliance with 31 CFR 1010.230 instead of the broader purposes for which financial institutions are already using BOI for, this would add burdens to financial institutions that would not be justified by the potential gains in protecting the security and confidentiality of BOI. Commenters expressed concern that the proposed rule’s geographic restrictions limiting access to BOI to within the United States would conflict with existing IT systems and information handling processes but did not provide quantitative feedback regarding additional burden.265 The final rule allows greater flexibility regarding geographic access in only requiring financial institutions to restrict access for select jurisdictions in which financial institutions already face restrictions, lowering the likelihood a financial institution will be burdened by this requirement. Comments also suggested options to decrease burden for financial 265 One commenter estimated it would cost between $1 million and $3 million to develop new systems or adapt existing systems to comply with the various aspects of the proposed rule, including preventing BOI obtained from FinCEN from ‘‘flowing’’ into other financial institution monitoring systems and to affiliates outside of the United States. This commenter, however, did not indicate how much of this estimated $1–3 million in costs was attributable to the geographic restriction as opposed to other aspects of the proposed rule. PO 00000 Frm 00070 Fmt 4701 Sfmt 4700 institutions through technological means. A commenter requested that financial institutions submit required certifications and access BOI on a bulk, automated basis. This commenter noted that if access to the BO IT system requires manual submissions on a customer-by-customer basis, this would be unnecessarily cumbersome and would adversely impact the ability of financial institutions to use the information effectively and efficiently for illicit finance risk management. FinCEN agrees with these comments and notes that financial institutions will have the ability to submit search requests through an automated process, lessening costs associated with manual searches by financial institutions. FinCEN expects that financial institutions will use Application Programming Interfaces (APIs) to access BOI, and that the BO IT system will accommodate the use of APIs for this purpose (including the submission of required certifications). In addition, more specific information regarding the estimated costs for small entities resulting from the final rule is set forth in section V.B.v below, and other steps FinCEN has taken to minimize the economic impact of the rule on small entities are set forth in section V.B.vi below. iii. The Response of the Agency to a Comment Filed by the Chief Counsel for Advocacy of the Small Business Administration in Response to the Proposed Rule, and a Detailed Statement of Any Change Made to the Proposed Rule in the Final Rule as a Result of the Comment The Chief Counsel for Advocacy of the Small Business Administration (‘‘Advocacy’’) filed a comment to the NPRM on February 14, 2023, that acknowledges that the proposed rule will be economically burdensome for small businesses. Advocacy notes that FinCEN prepared an IRFA for the NPRM. Advocacy urged FinCEN to clarify certain provisions of the proposed rule because small entities claimed the proposed rule was unclear. For example, the IRFA stated that the proposed rule’s requirements to access BOI would not be mandatory (because accessing BOI reported to FinCEN is not itself currently mandatory), but small entity groups have stated that the rule itself is unclear as to whether the requirements of the rulemaking are mandatory. Lack of clarity could lead to small entities incurring unnecessary costs in trying to comply with the rulemaking. There are also concerns E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations about the scope of the proposed rulemaking. FinCEN clarified with Advocacy that the phrase ‘‘scope of the proposed rulemaking’’ refers to the scope of authorized users that will be permitted access to BOI and the permitted uses of that information. Section III.C.iv.a.1 above clarifies that the types of financial institutions that FinCEN will under its discretionary authority permit to access BOI will initially be those that are ‘‘covered financial institutions’’ under the 2016 CDD Rule. Section III.C.iv.a.2 clarifies the scope of permitted uses for BOI by those financial institutions. Advocacy also encourages FinCEN to provide a clear compliance guide for this rulemaking, and references a similar request in Advocacy’s February 4, 2022 comment letter to the Reporting Rule. Section 212 of the Small Business Regulatory Enforcement Fairness Act (SBREFA) requires agencies to provide a compliance guide for each rule (or related series of rules) that requires a final regulatory flexibility analysis.266 Agencies are required to publish the guides with publication of the final rule, post them to websites, distribute them to industry contacts, and report annually to Congress.267 FinCEN anticipates issuing a Small Entity Compliance Guide, pursuant to section 212 of SBREFA, in order to assist small entities in complying with the BOI access requirements. ddrumheller on DSK120RN23PROD with RULES3 iv. Description and Estimate of the Number of Small Entities to Which the Rule Will Apply To assess the number of small entities affected by the rule, FinCEN separately considered whether any small businesses, small organizations, or small governmental jurisdictions, as defined by the RFA, will be impacted. FinCEN concludes that a substantial number of small businesses will be significantly impacted by the rule, which is consistent with the IRFA. In defining ‘‘small business,’’ the RFA points to the definition of ‘‘small business concern’’ from the Small Business Act.268 This small business definition is based on size standards (either average annual receipts or number of employees) matched to industries.269 Assuming maximum non266 Small Business Regulatory Enforcement Fairness Act of 1996, Public Law 104–121, 212, 110 Stat. 857, 858 (1996). 267 The Small Business and Work Opportunity Tax Act of 2007 added these additional requirements for agency compliance to SBREFA. See Small Business and Work Opportunity Tax Act of 2007, Public Law 110–28, 121 Stat. 190 (2007). 268 5 U.S.C. 601(3). 269 See U.S. Small Business Administration, Table of Small Business Size Standards Matched to North VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 mandated participation by small financial institutions, the rule will affect approximately all 13,699 small financial institutions. All of these small financial institutions will have a significant economic impact in the first year of implementation, which FinCEN believes meets the threshold for a substantial number. Therefore, FinCEN concludes the rule will have a significant economic impact on a substantial number of small entities. FinCEN assumes the economic impact on an individual small entity is significant if the total estimated impact in a given year is greater than 1 percent of the small entity’s total receipts for that year. FinCEN estimates the cost for small financial institutions to comply with the sections of the rule addressing BOI access will be between approximately $26,875 and $43,328 in year 1, and approximately $9,915 and $12,588 annually in subsequent years.270 FinCEN then compares these per financial institution cost estimates to the average total receipts for the smallest size category for each type of financial institution from the 2017 Census survey data, adjusted for inflation.271 The analysis indicates that, even when considering the minimum year 1 impact of $26,875, the smallest entities of all types of financial institutions will incur an economic impact that exceeds 1 percent of receipts for that industry. Therefore, FinCEN expects that the rule will have American Industry Classification System Codes (Mar. 17, 2023), available at https://www.sba.gov/ sites/sbagov/files/2023-03/ Table%20of%20Size%20Standards_ Effective%20March%2017%2C%202023 %20%281%29%20%281%29_0.pdf. 270 The minimum and maximum costs for small entities can be determined by using $424 (4 employee × $106 per hour) as the minimum cost for training and using $530 (5 employees × $106 per hour) as the maximum cost for training. 271 FinCEN inflation adjusted the 2017 Census survey data using Implicit Price Deflators for Gross Domestic Product quarterly data from the U.S. Bureau of Economic Analysis, available at https:// apps.bea.gov/iTable/?reqid=19&step=2& isuri=1&categories= survey#eyJhcHBpZCI6MTksInN0ZXBz IjpbMSwyLDMsM10sImRhdGEiOltbIkNhd GVnb3JpZXMiLCJTdXJ2ZXkiXSxbIk5JUE FfVGFibGVfTGlzdCIsIjEzIl0s WyJGaXJzdF9ZZWFyIiwi MTk5NSJdLFsiTGFzdF9ZZW FyIiwiMjAyMiJdLFsiU2Nhb GUiLCIwIl0sWyJTZXJpZXMiLCJBIl1dfQ==. FinCEN estimated an inflation factor of approximately 1.18 (the gross domestic product deflator in 2017 is 107.749, while in 2022 it was 127.224; hence, the inflation factor is 127.224/107.749= 1.18). FinCEN then applied this inflation adjustment factor of 1.18 to the 1 percent of average annual receipts in the 2017 Census survey data for each financial industry affected by this proposed rule to estimate the latest inflation-adjusted dollar value threshold of 1 percent of annual receipts. PO 00000 Frm 00071 Fmt 4701 Sfmt 4700 88801 a significant economic impact on a substantial number of small entities. In defining ‘‘small organization,’’ the RFA generally defines it as any not-forprofit enterprise that is independently owned and operated and is not dominant in its field.272 FinCEN assesses that the rule will not affect ‘‘small organizations’’ as defined by the RFA. The RFA generally defines ‘‘small governmental jurisdiction[s]’’ as governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than 50,000.273 While State, local, and Tribal government agencies may be affected by the rule, FinCEN does not believe that government agencies of jurisdictions with a population of less than 50,000 will be included in such agencies.274 Therefore, no ‘‘small governmental jurisdictions’’ are expected to be affected. v. Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Rule, Including an Estimate of the Classes of Small Entities Which Will Be Subject to the Requirements and the Type of Professional Skills Necessary for the Preparation of the Report or Record Under the rule, accessing BOI is not currently mandatory; therefore, the rule will not impose requirements in the strictest sense.275 However, the rule will require those that elect to access BOI to establish standards and procedures or safeguards, and to comply with other requirements. In particular, financial institutions will be required to develop and implement administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of BOI. Financial institutions will also be required to obtain and document customer consent to access their BOI, as well as maintain a record of such consent for five years after it was last relied upon, which may require updates to existing policies and procedures. Financial institutions will also be required to comply with certain geographic restrictions and notify FinCEN if they receive an information demand from a foreign government. The rule will also require those that access BOI provide a certification for each BOI 272 5 U.S.C. 601(4). U.S.C. 601(5). 274 FinCEN made this assumption in the NPRM and requested public comment; it did not receive any comments that addressed this specific point. 275 FinCEN anticipates considering whether to require financial institutions to access BOI reported to FinCEN in the future, potentially as part of its revisions to the 2016 CDD Rule. 273 5 E:\FR\FM\22DER3.SGM 22DER3 88802 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 request, in the form and manner prescribed by FinCEN. FinCEN intends to provide additional detail regarding the form and manner of BOI requests for all categories of authorized recipients through specific instructions and guidance as it continues developing the BO IT system. To the extent required by the PRA, FinCEN will publish for notice and comment any proposed information collection associated with BOI requests. Small entities affected by the rule, which FinCEN assesses to be small financial institutions, will be required to comply with these requirements if they access BOI. FinCEN assumes that the professional expertise needed to comply with such requirements already exists at small financial institutions with customer due diligence obligations. vi. Description of the Steps the Agency Has Taken To Minimize the Significant Economic Impact on Small Entities Consistent With the Stated Objectives of Applicable Statutes, Including a Statement of the Factual, Policy, and Legal Reasons for Selecting the Alternative Adopted in the Final Rule and Why Each One of the Other Significant Alternatives to the Rule Considered by the Agency Which Affect the Impact on the Small Entities Was Rejected The steps FinCEN has taken to minimize the significant economic impact on small entities and the factual, policy, and legal reasons for selecting the final rule are described throughout section III. This section of the FRFA includes one of the alternative scenarios considered in the RIA. The rule is statutorily mandated, and therefore FinCEN has limited ability to implement alternatives. However, FinCEN considered the following significant alternative which affected the impact on small entities. The sources and analysis underlying the burden and cost estimates cited in this alternative are explained in the RIA. FinCEN considered altering the customer consent requirement for financial institutions. Under the final rule, financial institutions are required to obtain and document customer consent once for a given customer. FinCEN considered an alternative approach in which FinCEN would directly obtain the reporting company’s consent. Under this scenario, financial institutions would not need to spend time and resources on drafting or modifying customer consent forms, ensuring legal compliance, and testing the forms which FinCEN expects to require approximately 50 to 70 hours in year 1 and 10 to 20 hours in subsequent years for ongoing forms maintenance. VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 Using an hourly wage estimate of $106 per hour for financial institutions, FinCEN estimates this would result in an initial savings per financial institution of approximately $5,300 to $7,420 in year 1 and $1,060 to $2,120 in subsequent years. FinCEN estimates an aggregate savings of $83.3 to $116.6 million in year 1 and $16.7 to $33.3 million in subsequent years. To estimate aggregate savings under this scenario, FinCEN multiplies the yearly savings by the number of financial institutions (e.g., $5,300 per financial institution × 15,716 financial institutions = $83,294,800). The cost savings for small financial institutions under this scenario would be approximately $72.6 million ($5,300 per financial institution × 13,699 small financial institutions = $72,604,700). Though this alternative results in a savings to financial institutions, including small entities, FinCEN believes that financial institutions are better positioned to obtain consent—and to track consent revocation—given their direct customer relationships and ability to leverage existing onboarding and account maintenance processes, as also discussed in sections III.E.ii.d and V.A.i.a above. Therefore, FinCEN decided not to adopt this alternative. C. Unfunded Mandates Reform Act Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (Unfunded Mandates Reform Act) requires that an agency prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year, adjusted for inflation. FinCEN believes that the RIA provides the analysis required by the Unfunded Mandates Reform Act. D. Paperwork Reduction Act The new reporting and recordkeeping requirements contained in this rule (31 CFR 1010.955) have been approved by OMB in accordance with the Paperwork Reduction Act of 1995 (PRA), 44 U.S.C. 3501 et seq., under control number 1506–0077. The PRA imposes certain requirements on Federal agencies in connection with their conducting or sponsoring any collection of information as defined by the PRA. Under the PRA, an agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a valid OMB control number. As discussed in the RIA, FinCEN revised estimates for the requirements PO 00000 Frm 00072 Fmt 4701 Sfmt 4700 based on comments received in the NPRM and updates to the final rule and underlying data sources. All revisions to the estimates are explained in the RIA. Reporting and Recordkeeping Requirements: The rule requires State, local, and Tribal agencies and financial institutions that access BOI to conduct the following activities: establish standards and procedures, and develop and implement safeguards. FinCEN assumes authorized recipients of BOI at financial institutions will undergo annual training in order to comply with the safeguards in the rule. Financial institutions are also required to obtain and document customer consent, maintaining a record of such consent for five years after it was last relied upon, which may require updates to existing processes and creation of consent forms. The rule also requires State, local, and Tribal agencies and financial institutions that access BOI to provide a certification for each BOI request. FinCEN intends to provide additional detail regarding the form and manner of BOI requests for all categories of authorized users through specific instructions and guidance as it continues developing the BO IT system. To the extent required by the PRA, FinCEN will publish for notice and comment any proposed information collection associated with BOI requests. The rule also requires financial institutions to comply with certain geographic restrictions and notify FinCEN if they receive an information demand from a foreign government for BOI. In addition, the rule requires State, local, and Tribal agencies to establish and maintain a secure system to store BOI, as well as an auditable system of standardized records for requests, conduct an annual audit, certify standards and procedures by the agency head semi-annually, and provide an annual report on procedures, resulting in additional recordkeeping and reporting requirements. Finally, the rule requires that SROs follow the same security and confidentiality requirements outlined herein for State, local, and Tribal agencies, if they obtain BOI through re-disclosure by a Federal functional regulator or financial institution. OMB Control Number: 1506–0077. Frequency: As required; varies depending on the requirement. Description of Affected Public: State, local and Tribal agencies, SROs, and financial institutions with customer due diligence obligations, as defined in the rule. While others from Federal and foreign requesters are able to access BOI after meeting specific requirements, FinCEN does not include them in the E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations PRA analysis because the regulations implementing the PRA define ‘‘person’’ as an individual, partnership, association, corporation (including operations of government-owned contractor-operated facilities), business trust, or legal representative, an organized group of individuals, a State, territorial, tribal, or local government or branch thereof, or a political subdivision of a State, territory, Tribal, or local government or a branch of a political subdivision.276 For foreign requesters in particular, FinCEN assumes that such requests will be made at the national level. Estimated Number of Respondents: 15,934 entities. This total is composed of an estimated 215 State, local, and Tribal agencies, of which 158 are State, local, and Tribal law enforcement agencies and 57 are State regulatory agencies, 3 SROs, and 15,716 financial institutions.277 While the requirements in the rule are only imposed on those that optionally access BOI, for purposes of PRA burden analysis FinCEN assumes maximum participation from State, local, and Tribal agencies, SROs, and financial institutions. Estimated Total Annual Reporting and Recordkeeping Burden: FinCEN estimates that during year 1 the annual hourly burden will be 8,743,781 hours. In year 2 and onward, FinCEN estimates that the annual hourly burden will be 3,616,964 hours. The annual estimated burden hours for State, local, and Tribal entities as well as SROs is 2,268,789 hours in the first year, and 1,699,612 276 See 5 CFR 1320.3(k). Table 1 for the types of financial institutions covered by this notice. ddrumheller on DSK120RN23PROD with RULES3 277 See VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 hours in year 2 and onward. As shown in Table 8, the hourly burden in year 1 for State, local, and Tribal entities and SROs includes the hourly burden associated with the following requirements in the rule: enter into an agreement with FinCEN and establish standards and procedures (Action B); establish a secure system to store BOI (Action D); establish and maintain an auditable system of standardized records for requests (Action E); submit written certification for each request that it meets certain requirements (Action G); restrict access to appropriate persons within the entity (Action H); conduct an annual audit and cooperate with FinCEN’s annual audit (Action I); obtain certification of standards and procedures, initially and then semiannually, by the head of the entity (Action J); and provide annual reports on procedures (Action K). The hourly burden in year 2 and onward for State, local, and Tribal entities and SROs is associated with the same requirements as year 1, with the exception of Action B because FinCEN expects this action will result in costs for these entities in year 1 only. The annual estimated hourly burden for financial institutions is 6,474,992 hours in the first year and 1,917,352 hours in year 2 and onward. The hourly burden for financial institutions in year 1 is associated with the following: develop and implement administrative and physical safeguards (Action A); develop and implement technical safeguards (Action C); obtain and document customer consent (Action F); submit certification for each request that it meets certain requirements (Action PO 00000 Frm 00073 Fmt 4701 Sfmt 4700 88803 G); undergo training (Action H); comply with certain geographic restrictions (Action L); and notify FinCEN if they receive an information demand from a foreign government (Action M). The hourly burden in year 2 and onward for financial institutions is associated only with the requirements for Actions F, G and H because FinCEN expects the other actions will result in costs for these entities in year 1 only. Annual estimated burden declines in year 2 and onward because State, local, and Tribal agencies, SROs, and financial institutions no longer need to complete Actions A and B, and have a lower hourly burden for Actions E and F. State, local, and Tribal law enforcement agencies have a lower hourly burden for Action G. Table 8 lists the type of entity, the number of entities, the hours per entity, and the total hourly burden by action. For Actions A, B, C, D, E, F, I, J, K, L, and M the hours per entity are the maximum of the range estimated in the cost analysis of the RIA. For Action G and H, the hours per entity calculations are specified in footnotes to Table 8. Total annual hourly burden is calculated by multiplying the number of entities by the hours per entity for each action. In each subsequent year after initial implementation, FinCEN estimates that the total hourly annual burden is 3,616,964. This results in a 5year average burden estimate of approximately 4,642,327 hours.278 BILLING CODE 4810–02–P 278 The 5-year average equals the sum of (Year 1 burden hours of 8,743,781 + Year 2 burden hours of 3,616,964 + Year 3 burden hours of 3,616,964 + Year 4 burden hours of 3,616,964 + Year 5 burden hours of 3,616,964) divided by 5. E:\FR\FM\22DER3.SGM 22DER3 88804 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations Table 8-Annual Hourly Burden Associated with Rule Requirements Financial institutions 15,716 240 in Year 1; 0 in Years 2+ 300 in Year 1; 0 in Years 2+ 3,771,840 in Year 1; 0 in Years 2+ B. Enter into an agreement with FinCEN and establish standards and procedures State, local, and Tribal agencies and SROs 218 C. Develop and implement technical safeguards Financial institutions 15,716 0 in Year 1; 0 in Years 2+ 0 in Year 1; 0 in Years 2+ State, local, and Tribal agencies and SROs State, local, and Tribal agencies and SROs 218 300 in Year 1; 4 in Years 2+ 65,400 in Year 1; 872 in Years 2+ 218 200 in Year 1; 20 in Years 2+ 43,600 in Year 1; 4,360 in Years 2+ F. Obtain and document customer consent Financial institutions 15,716 1,100,120 in Year 1; 314,320 in Years 2+ G. Submit certification for each request that it meets certain requirements 1 Financial institutions 15,716 70 in Year 1; 20 in Years 2+ 94 in Year 1; 94 in Years 2+ D. Establish a secure system to store BOI ddrumheller on DSK120RN23PROD with RULES3 E. Establish and maintain an auditable system of standardized records for requests VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 PO 00000 Frm 00074 Fmt 4701 Sfmt 4725 E:\FR\FM\22DER3.SGM 65,400 in Year 1; 0 in Years 2+ 1,474,161 in Year 1; 1,474,161 in Years 2+ 22DER3 ER22DE23.007</GPH> A. Develop and implement administrative and Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations H. Restrict access to appropriate persons within the entity, which specifies that appropriate persons will undergo trainin 3 I. Conduct an annual audit and cooperate with FinCEN' s annual audit J. Obtain certification of standards and procedures initially and then semi-annually, by the head of the enti K. Provide initial and then an annual report on procedures 158 12,975 in Year l; 10,443 in Years 2+ 2,050,003 in Year 1; 1,649,994 in Years 2+ State regulatory agencies and SROs Financial institutions 60 125 in Year 1; 125 in Years 2+ 7,500 in Year 1; 7,500 in Years 2+ 15,716 8 in Year 1; 8 in Years 2+ 128,871 in Year 1; 128,871 in Years 2+ State, local, and Tribal agencies and SROs 218 9 in Year 1, 9 in Years 2+ 2,006 in Year 1; 2,006 in Years 2+ State, local, and Tribal agencies and SROs State, local, and Tribal agencies and SROs 218 160 in Year 1; 160 in Years 2+ 34,880 in Year 1; 34,880 in Years 2+ 218 Included in I. Included in I. 218 Included in I. Included in I. 15,716 0 in Year 1; 0 in Years 2+ 0 in Year 1; 0 in Years 2+ 15,716 0 in Year 1; 0 in Years 2+ 0 in Year 1; 0 in Years 2+ State, local, and Tribal agencies and SROs Financial institutions L. Comply with certain eo ra hie restrictions M. Notify FinCEN of information demand from foreign overnment ddrumheller on DSK120RN23PROD with RULES3 State, local, and Tribal law enforcement Financial institutions 8,743,781 in Year 1; 3,616,964 in Years 2+ Total Annual Hourly Burden VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 PO 00000 Frm 00075 Fmt 4701 Sfmt 4725 E:\FR\FM\22DER3.SGM 22DER3 ER22DE23.008</GPH> G. Submit written certification for each request that it meets certain requirements, including court authorization G. Submit written certification for each request that it meets certain re uirements H. Undergo training2 88805 88806 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations 1 For all types of entity, the hours per entity for Action G is the per entity share of the aggregate burden estimated in the RIA. 2 For financial institutions, the hours per entity for Action H equals the weighted average of the large and small financial institutions' maximum burden estimated in the RIA. 3 For State, local, and Tribal agencies and SROs, the hours per entity for Action H equals the per entity share of the a e ate burden. Estimated Total Annual Reporting and Recordkeeping Cost: As describd in Table 3, FinCEN calculated the fully loaded hourly wage for each type of affected entity type. Using these estimated wages, the total cost of the annual bureden in year 1 is $868,200,270. In year 2 and onward, FinCEN estimates that the total cost of the annual burden is $339,309,502, owing to Actions A and B only imposing burens in year 1, Actions D and E having lower annual per entity burdens, and Actions G having lower burden per request for State, local and Tribal law enforcement agencies. The annual estimated cost for State, local, and Tribal agencies and SROs is $181,851,118 in the first and $13,070,190 in year 2 and onward. The annual estimated cost for financial institutions is $686,349,152 in the first year and $203,239,312 in year 2 and onward. The 5-year average annual cost estimate is $445,087,656.279 279 The 5-year average equals the sum of (year 1 costs of $868,200,270 + Year 2 costs of VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 Financial institutions $106 3,771,840 in Year 1; 0 in Years 2+ $399,815,040 in Year 1; $0 in Years 2+ State, local, and Tribal agencies $80 65,400 in Year 1; 0 in Years 2+ $5,232,000 in Year 1; $0 in Years 2+ $339,309,502 + Year 3 costs of $339,309,502 + Year PO 00000 Frm 00076 Fmt 4701 Sfmt 4725 4 costs of $339,309,502 + Year 5 costs of $339,309,502) divided by 5. E:\FR\FM\22DER3.SGM 22DER3 ER22DE23.009</GPH> ddrumheller on DSK120RN23PROD with RULES3 A. Develop and implement administrative and uards B. Enter into an agreement with FinCEN and establish standards and procedures ER22DE23.010</GPH> Table 9 - Annual Cost Associated with Rule Requirements C. Develop and implement technical safeguards Financial institutions $106 0inYearl;0in Years 2+ $0 in Year 1; $0 in Years 2+ D. Establish a secure system to store BOI State, local, and Tribal agencies $80 65,400 in Year 1; 872 in Years 2+ $5,232,000 in Year 1; $69,760 in Years 2+ E. Establish and maintain an auditable system of standardized records for requests State, local, and Tribal agencies $80 43,600 in Year 1; 4,360 in Years 2+ $3,488,000 in Year 1; $348,800 in Years 2+ F. Obtain and document customer consent Financial institutions $106 1,100,120 in Year 1; 314,320 in Years 2+ $116,612,720 in Year 1; $33,317,920 in Years 2+ G. Submit certification for each request that it meets certain requirements Financial institutions $106 1,474,161 in Year 1; 1,474,161 in Years 2+ $156,261,066 in Year 1; $156,261,066 in Years 2+ G. Submit written certification for each request that it meets certain requirements, including court authorization G. Submit written certification for each request that it meets certain requirements State, local, and Tribal law enforcement $80 2,050,003 in Year 1; 1,649,994 in Years 2+ $164,000,240 in Year 1; $131,999,520 in Years 2+ State regulatory agencies $80 7,500 in Year 1; 7,500 in Years 2+ $600,000 in Year 1; $600,000 in Years 2+ H. Undergo training Financial institutions $106 128,871 in Year 1; 128,871 in Years 2+ $13,660,326 in Year 1; $13,660,326 in Years 2+ H. Restrict access to appropriate persons within the agency, which specifies that appropriate persons will under o trainin State, local, and Tribal agencies $80 2,006 in Year 1; 2,006 in Years 2+ $160,480 in Year 1; $160,480 in Years 2+ VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 PO 00000 Frm 00077 Fmt 4701 Sfmt 4725 E:\FR\FM\22DER3.SGM 22DER3 88807 ER22DE23.011</GPH> ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations 88808 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations I. Conduct an annual audit and cooperate with FinCEN' s annual audit J. Obtain certification of standards and procedures initially and then semi-annually, by the head of the enti K. Provide initial and then an annual report on rocedures L. Comply with certain eo ra hie restrictions M. Notify FinCEN of information demand from foreign overnment Actions B, D, E, G, H, I-K State, local, and Tribal agencies $80 34,880 in Year 1; 34,880 in Years 2+ $2,790,400 in Year 1; $2,790,400 in Years 2+ State, local, and Tribal agencies $80 Included in I. Included in I. State, local, and Tribal a encies Financial institutions Financial institutions $80 Included in I. Included in I. $106 0 in Year 1; 0 in Years 2+ 0 in Year 1; 0 in Years 2+ $0 in Year 1; $0 in Years 2+ $0 in Year 1; $0 in Years 2+ SRO $106 3,283 in Year 1; 955 in Years 2+ $347,998 in Year 1; $101,230 in Years 2+ $106 $ 868,200,270 in Year 1; $339,309,502 in Years 2+ Total Annual Cost ddrumheller on DSK120RN23PROD with RULES3 E. Congressional Review Act Pursuant to Subtitle E of the Small Business Regulatory Enforcement and Fairness Act of 1996 (also known as the Congressional Review Act or CRA)), OMB’s Office of Information and Regulatory Affairs has determined that this action meets the criteria set forth in 5 U.S.C. 804(2).280 List of Subjects in 31 CFR Part 1010 Administrative practice and procedure, Aliens, Authority delegations (Government agencies), Banks and banking, Brokers, Business and industry, Commodity futures, Currency, Citizenship and naturalization, Electronic filing, Federal savings associations, Federal-States relations, Federally recognized tribes, 280 5 U.S.C. 804(2) et seq. VerDate Sep<11>2014 19:26 Dec 21, 2023 Jkt 262001 Foreign persons, Holding companies, Indian law, Indians, Insurance companies, Investment advisers, Investment companies, Investigations, Law enforcement, Penalties, Reporting and recordkeeping requirements, Small businesses, Securities, Terrorism, Tribal government, Time. Authority and Issuance For the reasons set forth in the preamble, the U.S. Department of the Treasury and Financial Crimes Enforcement Network amend 31 CFR part 1010 as follows: PART 1010—GENERAL PROVISIONS 1. The authority citation for part 1010 continues to read as follows: ■ Authority: 12 U.S.C. 1829b and 1951– 1959; 31 U.S.C. 5311–5314 and 5316–5336; title III, sec. 314, Pub. L. 107–56, 115 Stat. PO 00000 Frm 00078 Fmt 4701 Sfmt 4700 307; sec. 2006, Pub. L. 114–41, 129 Stat. 458– 459; sec. 701, Pub. L. 114–74, 129 Stat. 599. 2. In § 1010.950, revise the section heading and paragraph (a) to read as follows: ■ § 1010.950 general. Availability of information— (a) The Secretary has the discretion to disclose information reported under this chapter, other than information reported pursuant to § 1010.380, for any reason consistent with the purposes of the Bank Secrecy Act, including those set forth in paragraphs (b) through (d) of this section. FinCEN may disclose information reported pursuant to § 1010.380 only as set forth in § 1010.955, and paragraphs (b) through (f) of this section shall not apply to the disclosure of such information. * * * * * ■ 3. Add § 1010.955 to read as follows: E:\FR\FM\22DER3.SGM 22DER3 ER22DE23.012</GPH> BILLING CODE 4810–02–C Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 § 1010.955 Availability of beneficial ownership information reported under this part. (a) Prohibition on disclosure. Except as authorized in paragraphs (b), (c), and (d) of this section, information reported to FinCEN pursuant to § 1010.380 is confidential and shall not be disclosed by any individual who receives such information as— (1) An officer, employee, contractor, or agent of the United States; (2) An officer, employee, contractor, or agent of any State, local, or Tribal agency; or (3) A director, officer, employee, contractor, or agent of any financial institution. (b) Disclosure of information by FinCEN—(1) Disclosure to Federal agencies for use in furtherance of national security, intelligence, or law enforcement activity. Upon receipt of a request from a Federal agency engaged in national security, intelligence, or law enforcement activity for information reported pursuant to § 1010.380 to be used in furtherance of such activity, FinCEN may disclose such information to such agency. For purposes of this paragraph (b)(1)— (i) National security activity means activity pertaining to the national defense or foreign relations of the United States, as well as activity to protect against threats to the safety and security of the United States; (ii) Intelligence activity means all activities conducted by elements of the United States Intelligence Community that are authorized pursuant to Executive Order 12333, as amended, or any succeeding executive order; and (iii) Law enforcement activity means investigative and enforcement activities relating to civil or criminal violations of law. Such activity does not include the routine supervision or examination of a financial institution by a Federal regulatory agency with authority described in paragraph (b)(4)(ii)(A) of this section. (2) Disclosure to State, local, and Tribal law enforcement agencies for use in criminal or civil investigations. Upon receipt of a request from a State, local, or Tribal law enforcement agency for information reported pursuant to § 1010.380 to be used in a criminal or civil investigation, FinCEN may disclose such information to such agency if a court of competent jurisdiction has authorized the agency to seek the information in a criminal or civil investigation. For purposes of this section— (i) A court of competent jurisdiction is any court with jurisdiction over the investigation for which a State, local, or VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 Tribal law enforcement agency requests information under this paragraph. (ii) A State, local, or Tribal law enforcement agency is an agency of a State, local, or Tribal government that is authorized by law to engage in the investigation or enforcement of civil or criminal violations of law. (3) Disclosure for use in furtherance of foreign national security, intelligence, or law enforcement activity. Upon receipt of a request for information reported pursuant to § 1010.380 from a Federal agency on behalf of a law enforcement agency, prosecutor, or judge of another country, or on behalf of a foreign central authority or foreign competent authority (or like designation) under an applicable international treaty, agreement, or convention, FinCEN may disclose such information to such Federal agency for transmission to the foreign law enforcement agency, prosecutor, judge, foreign central authority, or foreign competent authority who initiated the request, provided that: (i) The request is for assistance in a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the foreign country; and (ii) The request is: (A) Made under an international treaty, agreement, or convention; or (B) Made, when no such treaty, agreement, or convention is available, as an official request by a law enforcement, judicial, or prosecutorial authority of a foreign country determined by FinCEN, with the concurrence of the Secretary of State and in consultation with the Attorney General or other agencies as necessary and appropriate, to be a trusted foreign country. (iii) For purposes of this paragraph (b)(3), a national security activity authorized under the laws of a foreign country is an activity pertaining to the national defense or foreign relations of a country other than the United States, as well as activity to protect against threats to the safety and security of that country. (iv) For purposes of this paragraph (b)(3), an intelligence activity authorized under the laws of a foreign country is an activity conducted by a foreign government agency that is authorized under a foreign legal authority comparable to Executive Order 12333 that is applicable to the agency. (4) Disclosure to facilitate compliance with customer due diligence requirements—(i) Financial institutions. Upon receipt of a request from a financial institution subject to customer due diligence requirements under PO 00000 Frm 00079 Fmt 4701 Sfmt 4700 88809 applicable law for information reported pursuant to § 1010.380 to be used in facilitating compliance with such requirements, FinCEN may disclose the information to the financial institution for that use, provided that the reporting company that reported the information to FinCEN consents to such disclosure. For purposes of this paragraph, customer due diligence requirements under applicable law mean any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer. (ii) Regulatory agencies. Upon receipt of a request by a Federal functional regulator or other appropriate regulatory agency, FinCEN shall disclose to such agency any information disclosed to a financial institution pursuant to paragraph (b)(4)(i) of this section if the agency— (A) Is authorized by law to assess, supervise, enforce, or otherwise determine the compliance of such financial institution with customer due diligence requirements under applicable law; (B) Will use the information solely for the purpose of conducting the assessment, supervision, or authorized investigation or activity described in paragraph (b)(4)(ii)(A) of this section; and (C) Has entered into an agreement with FinCEN providing for appropriate protocols governing the safekeeping of the information. (5) Disclosure to officers or employees of the Department of the Treasury. Consistent with procedures and safeguards established by the Secretary— (i) Information reported pursuant to § 1010.380 shall be accessible for inspection or disclosure to officers and employees of the Department of the Treasury whose official duties the Secretary determines require such inspection or disclosure. (ii) Officers and employees of the Department of the Treasury may obtain information reported pursuant to § 1010.380 for tax administration as defined in 26 U.S.C. 6103(b)(4). (c) Use of information—(1) Use of information by authorized recipients. Except as permitted under paragraph (c)(2) of this section, any person who receives information disclosed by FinCEN under paragraph (b) of this section shall not further disclose such information to any other person, and E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88810 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations shall use such information only for the particular purpose or activity for which such information was disclosed. A Federal agency that receives information pursuant to paragraph (b)(3) of this section shall only use it to facilitate a response to a request for assistance pursuant to that paragraph. (2) Disclosure of information by authorized recipients. (i) Any officer, employee, contractor, or agent of a requesting agency who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(1) or (2) or (b)(4)(ii) of this section may disclose such information to another officer, employee, contractor, or agent of the same requesting agency for the particular purpose or activity for which such information was requested, consistent with the requirements of paragraph (d)(1)(i)(F) of this section, as applicable. Any officer, employee, contractor, or agent of the U.S. Department of the Treasury who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(5) of this section may disclose such information to another Treasury officer, employee, contractor, or agent for the particular purpose or activity for which such information was requested consistent with internal Treasury policies, procedures, orders or directives. (ii) Any director, officer, employee, contractor, or agent of a financial institution who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(4)(i) of this section may disclose such information to another director, officer, employee, contractor, or agent of the same financial institution for the particular purpose or activity for which such information was requested, consistent with the requirements of paragraph (d)(2) of this section. (iii) Any director, officer, employee, contractor, or agent of a financial institution that receives information disclosed by FinCEN pursuant to paragraph (b)(4)(i) of this section may disclose such information to the financial institution’s Federal functional regulator, a self-regulatory organization that is registered with or designated by a Federal functional regulator pursuant to Federal statute, or other appropriate regulatory agency, provided that the Federal functional regulator, selfregulatory organization, or other appropriate regulatory agency meets the requirements identified in paragraphs (b)(4)(ii)(A) through (C) of this section. A financial institution may rely on a Federal functional regulator, selfregulatory organization, or other appropriate regulatory agency’s VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 representation that it meets the requirements. (iv) Any officer, employee, contractor, or agent of a Federal functional regulator that receives information disclosed by FinCEN pursuant to paragraph (b)(4)(ii) of this section may disclose such information to a selfregulatory organization that is registered with or designated by the Federal functional regulator, provided that the self-regulatory organization meets the requirements of paragraphs (b)(4)(ii)(A) through (C) of this section. (v) Any officer, employee, contractor, or agent of a Federal agency that receives information from FinCEN pursuant to a request made under paragraph (b)(3) of this section may disclose such information to the foreign person on whose behalf the Federal agency made the request. (vi) Any officer, employee, contractor, or agent of a Federal agency engaged in a national security, intelligence, or law enforcement activity, or any officer, employee, contractor, or agent of a State, local, or Tribal law enforcement agency, may disclose information reported pursuant to § 1010.380 that it has obtained directly from FinCEN pursuant to a request under paragraph (b)(1) or (2) of this section to a court of competent jurisdiction or parties to a civil or criminal proceeding. (vii) Any officer, employee, contractor, or agent of a requesting agency who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(1), (b)(4)(ii), or (b)(5) of this section may disclose such information to any officer, employee, contractor, or agent of the United States Department of Justice for purposes of making a referral to the Department of Justice or for use in litigation related to the activity for which the requesting agency requested the information. (viii) Any officer, employee, contractor, or agent of a State, local, or Tribal law enforcement agency who receives information disclosed by FinCEN pursuant to a request under paragraph (b)(2) of this section may disclose such information to any officer, employee, contractor, or agent of another State, local, or Tribal agency for purposes of making a referral for possible prosecution by that agency, or for use in litigation related to the activity for which the requesting agency requested the information. (ix) A law enforcement agency, prosecutor, judge, foreign central authority, or foreign competent authority of another country that receives information from a Federal agency pursuant to a request under PO 00000 Frm 00080 Fmt 4701 Sfmt 4700 paragraph (b)(3)(ii)(A) of this section may disclose and use such information consistent with the international treaty, agreement, or convention under which the request was made. (x) FinCEN may by prior written authorization, or by protocols or guidance that FinCEN may issue, authorize persons to disclose information obtained pursuant to paragraph (b) of this section in furtherance of a purpose or activity described in that paragraph. (d) Security and confidentiality requirements—(1) Security and confidentiality requirements for domestic agencies—(i) General requirements. To receive information under paragraph (b)(1), (2), or (3) or (b)(4)(ii) of this section, a Federal, State, local, or Tribal agency shall satisfy the following requirements: (A) Agreement. The agency shall enter into an agreement with FinCEN specifying the standards, procedures, and systems to be maintained by the agency, and any other requirements FinCEN may specify, to protect the security and confidentiality of such information. Agreements shall include, at a minimum, descriptions of the information to which an agency will have access, specific limitations on electronic access to that information, discretionary conditions of access, requirements and limitations related to re-disclosure, audit and inspection requirements, and security plans outlining requirements and standards for personnel security, physical security, and computer security. (B) Standards and procedures. The agency shall establish standards and procedures to protect the security and confidentiality of such information, including procedures for training agency personnel on the appropriate handling and safeguarding of such information. The head of the agency, on a non-delegable basis, shall approve these standards and procedures. (C) Initial report and certification. The agency shall provide FinCEN a report that describes the standards and procedures established pursuant to paragraph (d)(1)(i)(B) of this section and that includes a certification by the head of the agency, on a non-delegable basis, that the standards and procedures implement the requirements of this paragraph (d)(1). (D) Secure system for beneficial ownership information storage. The agency shall, to the satisfaction of the Secretary, establish and maintain a secure system in which such information shall be stored. (E) Auditability. The agency shall establish and maintain a permanent, E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations auditable system of standardized records for requests pursuant to paragraph (b) of this section, including, for each request, the date of the request, the name of the individual who makes the request, the reason for the request, any disclosure of such information made by or to the requesting agency, and information or references to such information sufficient to reconstruct the reasons for the request. (F) Restrictions on personnel access to information. The agency shall restrict access to information obtained from FinCEN pursuant to this section to personnel— (1) Who are directly engaged in the activity for which the information was requested; (2) Whose duties or responsibilities require such access; (3) Who have received training pursuant to paragraph (d)(1)(i)(B) of this section or have obtained the information requested directly from persons who both received such training and received the information directly from FinCEN; (4) Who use appropriate identity verification mechanisms to obtain access to the information; and (5) Who are authorized by agreement between the agency and FinCEN to access the information. (G) Audit requirements. The agency shall: (1) Conduct an annual audit to verify that information obtained from FinCEN pursuant to this section has been accessed and used appropriately and in accordance with the standards and procedures established pursuant to paragraph (d)(1)(i)(B) of this section; (2) Provide the results of that audit to FinCEN upon request; and (3) Cooperate with FinCEN’s annual audit of the adherence of agencies to the requirements established under this paragraph to ensure that agencies are requesting and using the information obtained under this section appropriately, including by promptly providing any information FinCEN requests in support of its annual audit. (H) Semi-annual certification. The head of the agency, on a non-delegable basis, shall certify to FinCEN semiannually that the agency’s standards and procedures established pursuant to paragraph (d)(1)(i)(B) of this section are in compliance with the requirements of this paragraph (d)(1). One of the semiannual certifications may be included in the annual report required under paragraph (d)(1)(i)(I) of this section. (I) Annual report on procedures. The agency shall provide FinCEN a report annually that describes the standards and procedures that the agency uses to VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 ensure the security and confidentiality of any information received pursuant to paragraph (b) of this section. (ii) Requirements for requests for disclosure. A Federal, State, local, or Tribal agency that makes a request under paragraph (b)(1), (2), or (3) or (b)(4)(ii) of this section shall satisfy the following requirements in connection with each request that it makes and in connection with all such information it receives. (A) Minimization. The requesting agency shall limit, to the greatest extent practicable, the scope of such information it seeks, consistent with the agency’s purposes for seeking such information. (B) Certifications and other requirements. (1) The head of a Federal agency that makes a request under paragraph (b)(1) of this section or their designee shall make a written certification to FinCEN, in the form and manner as FinCEN shall prescribe, that: (i) The agency is engaged in a national security, intelligence, or law enforcement activity; and (ii) The information requested is for use in furtherance of such activity, setting forth specific reasons why the requested information is relevant to the activity. (2) The head of a State, local, or Tribal agency, or their designee, who makes a request under paragraph (b)(2) of this section shall submit to FinCEN a written certification, in the form and manner as FinCEN shall prescribe, that: (i) A court of competent jurisdiction has authorized the agency to seek the information in a criminal or civil investigation; and (ii) The requested information is relevant to the criminal or civil investigation, setting forth a description of the information the court has authorized the agency to seek. (3) The head of a Federal agency, or their designee, who makes a request under paragraph (b)(3)(ii)(A) of this section shall: (i) Retain for the agency’s records the request for information under the applicable international treaty, agreement, or convention; (ii) Submit to FinCEN, in the form and manner as FinCEN shall prescribe: the name, title, agency, and country of the foreign person on whose behalf the Federal agency is making the request; the title of the international treaty, agreement, or convention under which the request is being made; and a certification that the requested information is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized PO 00000 Frm 00081 Fmt 4701 Sfmt 4700 88811 under the laws of the relevant foreign country. (4) The head of a Federal agency, or their designee, who makes a request under paragraph (b)(3)(ii)(B) of this section shall submit to FinCEN, in the form and manner as FinCEN shall prescribe: (i) A written explanation of the specific purpose for which the foreign person is seeking information under paragraph (b)(3)(ii)(B) of this section, along with an accompanying certification that the information is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country and that the foreign person seeking information under paragraph (b)(3)(ii)(B) has been informed that the information may only be used only for the particular purpose or activity for which it is requested and must be handled consistent with the requirements of paragraph (d)(3) of this section; (ii) The name, title, agency, and country of the foreign person on whose behalf the Federal agency is making the request; and (iii) Any other information that FinCEN requests in order to evaluate the request. (5) The head of a Federal functional regulator or other appropriate regulatory agency, or their designee, who makes a request under paragraph (b)(4)(ii) of this section shall make a written certification to FinCEN, in the form and manner as FinCEN shall prescribe, that: (i) The agency is authorized by law to assess, supervise, enforce, or otherwise determine the compliance of a relevant financial institution with customer due diligence requirements under applicable law; and (ii) The agency will use the information solely for the purpose of conducting the assessment, supervision, or authorized investigation or activity described in paragraph (b)(4)(ii)(A) of this section. (2) Security and confidentiality requirements for financial institutions. To receive information under paragraph (b)(4)(i) of this section, a financial institution shall satisfy the following requirements: (i) Geographic restrictions on information. The financial institution shall not make information obtained from FinCEN under paragraph (b)(4)(i) of this section available to persons physically located in, and shall not store such information in, any of the following jurisdictions: (A) The People’s Republic of China; (B) The Russian Federation; or E:\FR\FM\22DER3.SGM 22DER3 ddrumheller on DSK120RN23PROD with RULES3 88812 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations (C) A jurisdiction: (1) That is a state sponsor of terrorism, as determined by the U.S. Department of State; (2) That is the subject of comprehensive financial and economic sanctions imposed by the Federal Government, i.e., is a jurisdiction with a government whose property and interests in property within U.S. jurisdiction are blocked pursuant to U.S. sanctions authorities, or a jurisdiction subject to broad-based prohibitions on transactions by U.S. persons involving that jurisdiction, such as prohibitions on importing or exporting goods, services, or technology to the jurisdiction or dealing in goods or services originating from the jurisdiction, pursuant to U.S. sanctions authorities; or (3) To which the Secretary has determined that allowing information obtained from FinCEN under paragraph (b)(4)(i) of this section to be made available would undermine the enforcement of the requirements of paragraph (d)(2) of this section or the national security of the United States. (ii) Safeguards. The financial institution shall develop and implement administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of such information. These shall include: (A) Information procedures. The financial institution shall: (1) Apply such information procedures as the institution has established to satisfy the requirements of section 501 of the Gramm-LeachBliley Act (15 U.S.C. 6801 et seq.), and applicable regulations issued thereunder, with regard to the protection of its customers’ nonpublic personal information, modified as needed to account for any unique requirements imposed under this section; or (2) If the institution is not subject to section 501 of the Gramm-Leach-Bliley Act, apply such information procedures with regard to the protection of its customers’ nonpublic personal information as are required, recommended, or authorized under applicable law and are at least as protective of the security and confidentiality of customer information as procedures that satisfy the standards of section 501 of the Gramm-LeachBliley Act. (B) Notification of information demand. The financial institution shall notify FinCEN within three business days of receipt of any foreign government subpoena or legal demand under which the financial institution VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 would have to disclose any information the financial institution has received pursuant to a request under paragraph (b)(4)(i) of this section. (iii) Consent to obtain information. Before making a request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall obtain and document the consent of the reporting company to request such information. The documentation of the reporting company’s consent shall be maintained for 5 years after it is last relied upon in connection with a request for information under paragraph (b)(4)(i) of this section. (iv) Certification. For each request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall make a certification to FinCEN in such form and manner as FinCEN shall prescribe that the financial institution: (A) Is requesting the information to facilitate its compliance with customer due diligence requirements under applicable law; (B) Has obtained and documented the consent of the reporting company to request the information from FinCEN; and (C) Has fulfilled all other requirements of paragraph (d)(2) of this section. (3) Security and confidentiality requirements for foreign recipients of information. (i) To receive information under paragraph (b)(3)(ii)(A) of this section, a foreign person on whose behalf a Federal agency made the request under that paragraph shall comply with all applicable handling, disclosure, and use requirements of the international treaty, agreement, or convention under which the request was made. (ii) To receive information under paragraph (b)(3)(ii)(B) of this section, a foreign person on whose behalf a Federal agency made the request under that paragraph shall ensure that the following requirements are satisfied: (A) Standards and procedures. A foreign person who receives information pursuant to paragraph (b)(3)(ii)(B) of this section shall establish standards and procedures to protect the security and confidentiality of such information, including procedures for training personnel who will have access to it on the appropriate handling and safeguarding of such information. (B) Secure system for beneficial ownership information storage. Such information shall be maintained in a secure system that complies with the security standards the foreign person PO 00000 Frm 00082 Fmt 4701 Sfmt 4700 applies to the most sensitive unclassified information it handles. (C) Minimization. To the greatest extent practicable, the scope of information sought shall be limited, consistent with the purposes for seeking such information. (D) Restrictions on personnel access to information. Access to such information shall be limited to persons— (1) Who are directly engaged in the activity described in paragraph (b)(3) of this section for which the information was requested; (2) Whose duties or responsibilities require such access; and (3) Who have undergone training on the appropriate handling and safeguarding of information obtained pursuant to this section. (e) Administration of requests—(1) Form and manner of requests. Requests for information under paragraph (b) of this section shall be submitted to FinCEN in such form and manner as FinCEN shall prescribe. (2) Rejection of requests. (i) FinCEN will reject a request under paragraph (b)(4) of this section, and may reject any other request made pursuant to this section, if such request is not submitted in the form and manner prescribed by FinCEN. (ii) FinCEN may reject any request, or otherwise decline to disclose any information in response to a request made under this section, if FinCEN, in its sole discretion, finds that, with respect to the request: (A) The requester has failed to meet any requirement of this section; (B) The information is being requested for an unlawful purpose; or (C) Other good cause exists to deny the request. (3) Suspension of access. (i) FinCEN may permanently debar or temporarily suspend, for any period of time, any individual requester or requesting entity from receiving or accessing information under paragraph (b) of this section if FinCEN, in its sole discretion, finds that: (A) The individual requester or requesting entity has failed to meet any requirement of this section; (B) The individual requester or requesting entity has requested information for an unlawful purpose; or (C) Other good cause exists for such debarment or suspension. (ii) FinCEN may reinstate the access of any individual requester or requesting entity that has been suspended or debarred under this paragraph (e)(3) upon satisfaction of any terms or conditions that FinCEN deems appropriate. E:\FR\FM\22DER3.SGM 22DER3 Federal Register / Vol. 88, No. 245 / Friday, December 22, 2023 / Rules and Regulations ddrumheller on DSK120RN23PROD with RULES3 (f) Violations—(1) Unauthorized disclosure or use. Except as authorized by this section, it shall be unlawful for any person to knowingly disclose, or knowingly use, the beneficial ownership information obtained by the person, directly or indirectly, through: VerDate Sep<11>2014 19:01 Dec 21, 2023 Jkt 262001 (i) A report submitted to FinCEN under § 1010.380; or (ii) A disclosure made by FinCEN pursuant to paragraph (b) of this section. (2) For purposes of paragraph (f)(1) of this section, unauthorized use shall include accessing information without authorization, and shall include any PO 00000 Frm 00083 Fmt 4701 Sfmt 9990 88813 violation of the requirements described in paragraph (d) of this section in connection with any access. Andrea M. Gacki, Director, Financial Crimes Enforcement Network. [FR Doc. 2023–27973 Filed 12–21–23; 8:45 am] BILLING CODE 4810–02–P E:\FR\FM\22DER3.SGM 22DER3

Agencies

[Federal Register Volume 88, Number 245 (Friday, December 22, 2023)]
[Rules and Regulations]
[Pages 88732-88813]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-27973]



[[Page 88731]]

Vol. 88

Friday,

No. 245

December 22, 2023

Part III





Department of the Treasury





-----------------------------------------------------------------------





Financial Crimes Enforcement Network





-----------------------------------------------------------------------





31 CFR Part 1010





Beneficial Ownership Information Access and Safeguards; Final Rule

Federal Register / Vol. 88 , No. 245 / Friday, December 22, 2023 / 
Rules and Regulations

[[Page 88732]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network

31 CFR Part 1010

RIN 1506-AB59


Beneficial Ownership Information Access and Safeguards

AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: FinCEN is promulgating regulations regarding access by 
authorized recipients to beneficial ownership information (BOI) that 
will be reported to FinCEN pursuant to section 6403 of the Corporate 
Transparency Act (CTA), enacted into law as part of the Anti-Money 
Laundering Act of 2020 (AML Act), which is itself part of the National 
Defense Authorization Act for Fiscal Year 2021 (NDAA). The regulations 
implement the strict protocols required by the CTA to protect sensitive 
personally identifiable information (PII) reported to FinCEN and 
establish the circumstances in which specified recipients have access 
to BOI, along with data protection protocols and oversight mechanisms 
applicable to each recipient category. The disclosure of BOI to 
authorized recipients in accordance with appropriate protocols and 
oversight will help law enforcement and national security agencies 
prevent and combat money laundering, terrorist financing, tax fraud, 
and other illicit activity, as well as protect national security.

DATES: These rules are effective February 20, 2024.

FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section 
at 1-800-767-2825 or electronically at [email protected].

SUPPLEMENTARY INFORMATION:

I. Introduction

    This final rule implements the beneficial ownership information 
(BOI) access and safeguard provisions in the Corporate Transparency Act 
(CTA).\1\ The rule balances the statutory requirement to create a 
database of BOI that is highly useful to authorized BOI recipients, 
with the requirement to safeguard BOI from unauthorized use. This final 
rule reflects FinCEN's understanding of the critical need for the 
highest standard of security and confidentiality protocols to maintain 
confidence in the U.S. Government's ability to protect sensitive 
information while achieving the objective of the CTA noted above--
establishing a database of BOI that will be highly useful in combatting 
illicit finance and the abuse of shell and front companies by 
criminals, corrupt officials, and other bad actors.
---------------------------------------------------------------------------

    \1\ The CTA is Title LXIV of the William M. (Mac) Thornberry 
National Defense Authorization Act for Fiscal Year 2021, Public Law 
116-283 (Jan. 1, 2021) (the NDAA). Division F of the NDAA is the 
Anti-Money Laundering Act of 2020 (AML Act), which includes the CTA. 
Section 6403 of the CTA, among other things, amends the Bank Secrecy 
Act (BSA) by adding a new section 5336, Beneficial Ownership 
Information Reporting Requirements, to Subchapter II of Chapter 53 
of Title 31, United States Code.
---------------------------------------------------------------------------

    Specifically, this final rule implements the provisions in the CTA, 
codified at 31 U.S.C. 5336(c), that authorize certain recipients to 
receive disclosures of identifying information associated with 
reporting companies, their beneficial owners, and their company 
applicants (together, BOI). The CTA requires reporting companies to 
report BOI to FinCEN pursuant to 31 U.S.C. 5336(b). This rule reflects 
FinCEN's careful consideration of public comments, including those 
received in response to (1) an advance notice of proposed rulemaking 
(ANPRM) \2\ on the implementation of the CTA, (2) an NPRM regarding BOI 
reporting requirements (Reporting NPRM),\3\ and (3) an NPRM regarding 
BOI access and safeguards (Access NPRM).\4\
---------------------------------------------------------------------------

    \2\ 86 FR 17557 (Apr. 5, 2021).
    \3\ 86 FR 69920 (Dec. 8, 2021).
    \4\ 87 FR 77404 (Dec. 16, 2022).
---------------------------------------------------------------------------

    As Congress explained in the CTA, ``malign actors seek to conceal 
their ownership of corporations, limited liability companies, or other 
similar entities in the United States to facilitate illicit activity, 
including money laundering, the financing of terrorism, proliferation 
financing, serious tax fraud, human and drug trafficking, 
counterfeiting, piracy, securities fraud, financial fraud, and acts of 
foreign corruption, harming the national security interests of the 
United States and allies of the United States.'' \5\ Access by 
authorized recipients to BOI reported under the CTA would significantly 
aid efforts to protect U.S. national security and safeguard the U.S. 
financial system from such illicit use. It would impede illicit actors' 
ability to use legal entities to conceal proceeds from criminal acts 
that undermine U.S. national security and foreign policy interests, 
such as corruption, human trafficking, drug and arms trafficking, and 
terrorist financing. BOI can also add critical data to financial 
analyses in activities the CTA contemplates, including tax 
investigations. It can also provide essential information to the 
intelligence and national security professionals who work to prevent 
terrorists, proliferators, and those who seek to undermine our 
democratic institutions or threaten other core U.S. interests from 
raising, hiding, or moving money in the United States through anonymous 
shell or front companies.\6\
---------------------------------------------------------------------------

    \5\ CTA, section 6402(3).
    \6\ A front company generates legitimate business proceeds to 
commingle with illicit earnings. See U.S. Department of the 
Treasury, National Money Laundering Risk Assessment (2018), p. 29, 
available at https://home.treasury.gov/system/files/136/2018NMLRA_12-18.pdf.
---------------------------------------------------------------------------

    The United States currently does not have a centralized or complete 
store of information about who owns and operates legal entities within 
the United States. The beneficial ownership data available to law 
enforcement and national security agencies are generally limited to 
certain commercial databases and the information collected by financial 
institutions on legal entity accounts pursuant to their Customer Due 
Diligence (CDD) or broader Customer Identification Program (CIP) 
obligations, some of which has been included in Suspicious Activity 
Reports (SARs) or provided to law enforcement in response to judicial 
process.\7\ As set out in detail in the Notice of Proposed Rulemaking 
regarding BOI reporting requirements \8\ and the BOI reporting final 
rule,\9\ U.S. law enforcement officials and the Financial Action Task 
Force (FATF),\10\ among others, have for years noted how the lack of 
timely access to accurate and adequate BOI by law enforcement and other 
authorized

[[Page 88733]]

recipients remained a significant gap in the United States' anti-money 
laundering/countering the financing of terrorism (AML/CFT) and 
countering the financing of proliferation (CFP) framework. Broadly, and 
critically, BOI can identify linkages between potential illicit actors 
and opaque business entities, including shell companies. Furthermore, 
comparing BOI reported pursuant to the CTA against data collected under 
the Bank Secrecy Act (BSA) and other relevant government data is 
expected to significantly further efforts to identify illicit actors 
and combat their financial activities.
---------------------------------------------------------------------------

    \7\ See, e.g., 31 CFR 1010.230. Even then, any BOI a financial 
institution collects is not systematically reported to any central 
repository.
    \8\ Supra note 3, 86 FR at 69923-69924.
    \9\ 87 FR 59498, 59506 (Sept. 30, 2022).
    \10\ The FATF, of which the United States is a founding member, 
is an international, inter-governmental task force whose purpose is 
the development and promotion of international standards and the 
effective implementation of legal, regulatory, and operational 
measures to combat money laundering, terrorist financing, the 
financing of weapons proliferation, and other related threats to the 
integrity of the international financial system. The FATF assesses 
over 200 jurisdictions against its minimum standards for beneficial 
ownership transparency. Among other things, it has established 
standards on transparency and beneficial ownership of legal persons, 
to deter and prevent the misuse of corporate vehicles. See FATF 
Recommendation 24, Transparency and Beneficial Ownership of Legal 
Persons, The FATF Recommendations: International Standards on 
Combating Money Laundering and the Financing of Terrorism and 
Proliferation (updated Oct. 2020), available at https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html; FATF Guidance, Transparency and Beneficial 
Ownership, Part III (Oct. 2014), available at https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf.
---------------------------------------------------------------------------

    At the same time, however, FinCEN recognizes that BOI is sensitive 
information. This final rule reflects FinCEN's commitment to creating a 
highly useful database for authorized BOI recipients while protecting 
this sensitive information from unauthorized disclosure. To this end, 
the final rule aims to ensure that: (1) only authorized recipients have 
access to BOI; (2) authorized recipients use that BOI only for purposes 
permitted by the CTA; and (3) authorized recipients re-disclose BOI 
only in ways that balance protection of the security and 
confidentiality of the BOI with furtherance of the CTA's objective of 
making BOI available to a range of users for purposes specified in the 
CTA. The final rule also provides a robust framework to ensure that BOI 
reported to FinCEN, and received by authorized recipients, is subject 
to strict cybersecurity controls, confidentiality protections and 
restrictions, and robust audit and oversight measures. Coincident with 
the protocols described in this final rule, FinCEN continues to work to 
develop a secure, nonpublic database in which to store BOI, using 
rigorous information security methods and controls typically used in 
the Federal government to protect nonclassified yet sensitive 
information systems at the highest security level. Against this 
backdrop and consistent with the CTA, FinCEN will permit certain 
Federal, State,\11\ local, and Tribal officials, as well as foreign 
officials acting through a Federal agency, to obtain BOI for use in 
furtherance of statutorily authorized activities such as those related 
to national security, intelligence, and law enforcement. Financial 
institutions with customer due diligence requirements under applicable 
law will have access to BOI to facilitate compliance with those 
requirements, as will the Federal functional regulators or other 
appropriate regulatory agencies that supervise or assess those 
financial institutions' compliance with such requirements.
---------------------------------------------------------------------------

    \11\ FinCEN will interpret the term ``State'' consistent with 
the definition of that term in the final Beneficial Ownership 
Information Reporting Requirements rule at 87 FR 59498 (Sep. 30, 
2022) (which defines the term ``State'' to mean ``any state of the 
United States, the District of Columbia, the Commonwealth of Puerto 
Rico, the Commonwealth of the Northern Mariana Islands, American 
Samoa, Guam, the United States Virgin Islands, and any other 
commonwealth, territory, or possession of the United States.'').
---------------------------------------------------------------------------

II. Background

A. Access to Beneficial Ownership Information

    For more than two decades, the U.S. government has been raising 
awareness about the misuse of legal entities by criminal actors for 
illicit ends.\12\ Recently, Secretary of the Treasury Janet L. Yellen 
affirmed that:
---------------------------------------------------------------------------

    \12\ See 87 FR 59501-59503 (Sept. 30, 2022).

    ``The United States has a unique obligation to tackle 
corruption. Corrupt actors from around the world continually attempt 
to exploit the vulnerabilities in the U.S. framework--for countering 
money laundering, terrorist financing, and other forms of illicit 
finance. . . . Just like legitimate investors, corrupt actors move 
their money through the United States to take advantage of the 
world's largest and most dynamic economy. They incorporate companies 
to benefit from our strong legal system, buy assets like real 
estate, and invest in our deep and liquid markets. . . . Unmasking 
shell corporations is the single most significant thing we can do to 
make our financial system inhospitable to corrupt actors. . . . The 
beneficial ownership database will deter dirty money from entering 
the U.S.--and give law enforcement and other partners the tools they 
need to follow the money when it does.'' \13\
---------------------------------------------------------------------------

    \13\ U.S. Department of the Treasury (Treasury), ``Remarks by 
Secretary Janet L. Yellen on Anti-Corruption as a Cornerstone of a 
Fair, Accountable, and Democratic Economy at the Summit for 
Democracy,'' (Mar. 28, 2023), available at https://home.treasury.gov/news/press-releases/jy1371.

    The Department of the Treasury (Treasury) has previously observed 
in its 2020 National Strategy for Combating Terrorist and other Illicit 
Financing (the 2020 Illicit Financing Strategy) that ``[m]isuse of 
legal entities to hide a criminal beneficial owner or illegal source of 
funds continues to be a common, if not the dominant, feature of illicit 
finance schemes, especially those involving money laundering, predicate 
offences, tax evasion, and proliferation financing. . . .'' \14\ The 
2020 Illicit Financing Strategy further noted a Treasury finding that, 
between 2016 and 2019, legal entities were used in a substantial 
proportion of adjudicated Internal Revenue Service (IRS) cases to 
perpetrate tax evasion and fraud.\15\ In a separate report, the Drug 
Enforcement Administration highlighted that drug trafficking 
organizations frequently use shell and front companies to commingle 
illicit drug proceeds with legitimate front company revenue to launder 
the illicit drug proceeds.\16\
---------------------------------------------------------------------------

    \14\ Treasury, National Strategy for Combating Terrorist and 
Other Illicit Financing (2020), p. 13, available at https://home.treasury.gov/system/files/136/National-Strategy-to-Counter-Illicit-Financev2.pdf. The 2022 National Strategy for Combating 
Terrorist and Other Illicit Financing noted that ``[t]he passage of 
the CTA was a critical step forward in closing a long-standing gap 
and strengthening the U.S. AML/CFT regime'' and that ``[a]ddressing 
the gap in collection at the time of entity formation is the most 
important AML/CFT regulatory action for the U.S. government.'' 
Treasury, National Strategy for Combating Terrorist and Other 
Illicit Financing (May 2022), p. 8, available at https://home.treasury.gov/system/files/136/2022-National-Strategy-for-Combating-Terrorist-and-Other-Illicit-Financing.pdf (``2022 Illicit 
Financing Strategy'').
    \15\ Id. at 14.
    \16\ Drug Enforcement Administration, 2020 Drug Enforcement 
Administration National Drug Threat Assessment (``DEA 2020 NDTA'') 
(2020), pp. 87-88, available at https://www.dea.gov/sites/default/files/2021-02/DIR-008-21%202020%20National%20Drug%20Threat%20Assessment_WEB.pdf.
---------------------------------------------------------------------------

    As Treasury stressed in its 2022 Illicit Financing Strategy, law 
enforcement's lack of access to uniform BOI hinders its ability to 
swiftly investigate those entities created and used to hide ownership 
for illicit purposes.\17\ Consequently, authorized recipients' access 
to BOI reported under the CTA will significantly aid efforts to protect 
U.S. national security; safeguard the U.S. financial system; and 
support U.S. foreign policy and other interests by providing a tool to 
counter corruption, human smuggling, drug and arms trafficking, 
terrorist financing, and other criminal acts. BOI can also add critical 
data to financial analyses in activities the CTA contemplates, 
including tax investigations. BOI can also provide essential 
information to the intelligence and national security professionals who 
work to prevent terrorists, proliferators, and those who seek to 
undermine our democratic institutions or threaten other core U.S. 
interests from raising, hiding, or moving money in the United States 
through anonymous shell or front companies.
---------------------------------------------------------------------------

    \17\ See Treasury, 2022 Illicit Financing Strategy, supra note 
3, p. 12.
---------------------------------------------------------------------------

    Entity formation and registration in the United States happen at 
the state and Tribal levels. Although state- and Tribal-level entity 
formation laws vary, most jurisdictions do not require the party 
forming an entity to identify its individual beneficial owners at or 
after the time of formation. Additionally, the vast majority of states 
require little to no contact information or other information about an 
entity's officers or others who

[[Page 88734]]

control it.\18\ Furthermore, although many financial institutions are 
required to collect certain beneficial ownership information pursuant 
to FinCEN's 2016 Customer Due Diligence Rule (2016 CDD Rule),\19\ and 
broader Customer Identification Program (CIP) obligations,\20\ that 
information is not systematically reported to a central repository.
---------------------------------------------------------------------------

    \18\ See CTA, section 6402(2) (``[M]ost or all States do not 
require information about the beneficial owners of corporations, 
limited liability companies, or other similar entities formed under 
the laws of the State''); U.S. Government Accountability Office, 
Company Formations: Minimal Ownership Information Is Collected and 
Available (Apr. 2006), available at https://www.gao.gov/assets/gao-06-376.pdf; see also, e.g., The National Association of Secretaries 
of State (NASS), NASS Summary of Information Collected by States 
(Jun. 2019), available at https://www.nass.org/sites/default/files/company%20formation/nass-business-entity-info-collected-june2019.pdf.
    \19\ Final Rule, Customer Due Diligence Requirements for 
Financial Institutions, 81 FR 29398-29402 (May 11, 2016); 31 CFR 
1010.230.
    \20\ See e.g., 31 CFR 1020.220.
---------------------------------------------------------------------------

    Identifying individual beneficial owners of legal entities in the 
United States therefore is often a significant challenge for law 
enforcement,\21\ and it represents a significant weakness in the United 
States' AML/CFT and CFP frameworks, as Treasury \22\ and the FATF \23\ 
have noted for some time. Currently, obtaining BOI through grand jury 
subpoenas and other means can involve considerable effort. Grand jury 
subpoenas, for example, require an underlying grand jury investigation 
into a possible violation of law. Furthermore, the law enforcement 
officer or investigator must work with a prosecutor's office, such as a 
U.S. Attorney's Office, to open a grand jury investigation, obtain the 
grand jury subpoena, and issue it on behalf of the grand jury. The 
investigator also needs to determine who should receive the subpoena 
and coordinate service, which creates additional complications in cases 
involving complicated corporate structuring. Sometimes this work is all 
for naught because the investigation involves an entity formed or 
registered in a jurisdiction that does not require BOI for formation or 
registration.
---------------------------------------------------------------------------

    \21\ In 2019, for example, Steven M. D'Antuono, Acting Deputy 
Assistant Director of the FBI's Criminal Investigative Division 
testified before Congress that ``[t]he process for the production of 
[beneficial ownership] records can be lengthy, anywhere from a few 
weeks to many years, and . . . can be extended drastically when it 
is necessary to obtain information from other countries . . . . [I]f 
an investigator obtains the ownership records, either from a 
domestic or foreign entity, the investigator may discover that the 
owner of the identified corporate entity is an additional corporate 
entity, necessitating the same process for the newly discovered 
corporate entity. Many professional launderers and others involved 
in illicit finance intentionally layer ownership and financial 
transactions in order to reduce transparency of transactions. As it 
stands, it is a facially effective way to delay an investigation.'' 
D'Antuono further acknowledged that these challenges may be even 
greater for State, local, and Tribal law enforcement agencies that 
may not have the same resources as their Federal counterparts to 
undertake long and costly investigations to identify beneficial 
owners. D'Antuono noted that requiring the disclosure of BOI by 
legal entities and the creation of a central BOI repository 
available to law enforcement and regulators could address these 
challenges. Federal Bureau of Investigation (FBI), Testimony of 
Steven M. D'Antuono, Section Chief, Criminal Investigative Division, 
``Combatting Illicit Financing by Anonymous Shell Companies'' (May 
21, 2019), available at https://www.fbi.gov/news/testimony/combating-illicit-financing-by-anonymous-shell-companies.
    \22\ Treasury, Treasury Announces Key Regulations and 
Legislation to Counter Money Laundering and Corruption, Combat Tax 
Evasion, May 5, 2016, available at https://home.treasury.gov/news/press-releases/jl0451.
    \23\ See FATF Recommendation 24, Transparency and Beneficial 
Ownership of Legal Persons, The FATF Recommendations: International 
Standards on Combating Money Laundering and the Financing of 
Terrorism and Proliferation (updated Oct. 2020), available at 
https://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html.
---------------------------------------------------------------------------

    FinCEN's existing regulatory tools help, but they provide only 
partial solutions. The 2016 CDD Rule, for example, requires that 
certain types of U.S. financial institutions identify and verify the 
beneficial owners of legal entity customers at the time of account 
opening.\24\ The information financial institutions must collect under 
the 2016 CDD Rule, however, is generally neither comprehensive nor 
reported to the U.S. government (nor to State, local, or Tribal 
governments), except when filed in suspicious activity reports (SARs) 
or in response to judicial process. Moreover, the 2016 CDD Rule applies 
only to legal entities that open accounts at certain U.S. financial 
institutions. Other FinCEN authorities--geographic targeting orders 
\25\ and the so-called ``311 measures'' (i.e., special measures imposed 
on foreign jurisdictions, foreign financial institutions, or 
international transactions of primary money laundering concern) \26\--
offer temporary and targeted tools. Neither provides law enforcement 
the ability to reliably, efficiently, and consistently identify new 
entities for investigation or follow investigatory leads.
---------------------------------------------------------------------------

    \24\ 31 CFR 1010.230(b)(1).
    \25\ 31 U.S.C. 5326(a); 31 CFR 1010.370.
    \26\ 31 U.S.C. 5318A, as added by section 311 of the USA PATRIOT 
Act (Pub. L. 107-56).
---------------------------------------------------------------------------

    This Final Rule will help to fill in these gaps while creating a 
framework to keep BOI secure and confidential.

B. The CTA

    The CTA is part of the AML Act, which is a part of the 2021 NDAA. 
The CTA added a new section, 31 U.S.C. 5336, to the BSA to enhance 
beneficial ownership transparency while minimizing the burden on the 
regulated community.\27\ This new section requires certain types of 
domestic and foreign entities, called ``reporting companies,'' to 
submit BOI to FinCEN.\28\ Specifically, reporting companies must submit 
to FinCEN, for each beneficial owner and each individual who files an 
application to form a domestic entity or register a foreign entity to 
do business in the United States (the ``company applicant''), four 
pieces of information: the individual's full legal name, date of birth, 
current residential or business street address, and either a unique 
identifying number from an acceptable identification document (e.g., a 
passport) or the individual's ``FinCEN identifier.'' \29\
---------------------------------------------------------------------------

    \27\ CTA, section 6403.
    \28\ 31 U.S.C. 5336(b)(1), (2). The CTA generally exempts from 
the reporting requirements banks and other entities that are already 
subject to significant regulatory regimes meant to expose their 
beneficial owners, among other purposes. See id. at 5336(a)(11)(B).
    \29\ Id. at 5336(b)(2).
---------------------------------------------------------------------------

    The CTA establishes that BOI is ``sensitive information.'' \30\ The 
statute treats it as such by limiting its access and use to specified 
parties for particular purposes.\31\ In particular, Congress authorized 
FinCEN to disclose BOI only to a statutorily defined group of 
governmental authorities and financial institutions, and only in 
defined circumstances. The CTA further provides that the Secretary of 
the Treasury (Secretary) must ``maintain [BOI] in a secure, nonpublic 
database, using information security methods and techniques that are 
appropriate to protect nonclassified information systems at the highest 
security level.'' \32\ As discussed in detail in section II.E, FinCEN 
is currently building the secure information technology (IT) system 
into which reporting companies will submit, and from which authorized 
recipients will generally obtain, BOI.
---------------------------------------------------------------------------

    \30\ CTA, section 6402(6).
    \31\ Id.
    \32\ CTA, section 6402(7)(A). While the statutory language seems 
to include a typographical error that refers to another provision 
(not related to BOI), it also seems clear that the object of 
protection in this case is BOI.
---------------------------------------------------------------------------

    In addition to setting out requirements and restrictions related to 
BOI reporting and access, the CTA requires that FinCEN revise the 2016 
CDD Rule within one year of the BOI reporting requirements taking 
effect. In particular, the CTA directs FinCEN to revise the 2016 CDD 
Rule to: (1) bring it into conformity with the AML Act as a whole, 
including the CTA; (2) account for financial institutions' access to 
BOI

[[Page 88735]]

reported to FinCEN ``in order to confirm the beneficial ownership 
information provided directly to the financial institutions'' for AML/
CFT and customer due diligence purposes; and (3) reduce unnecessary or 
duplicative burdens on financial institutions and legal entity 
customers.\33\ In carrying out these provisions, the CTA further 
requires FinCEN to rescind paragraphs (b) through (j) of 31 CFR 
1010.230.\34\
---------------------------------------------------------------------------

    \33\ CTA, section 6403(d)(1)(A)-(C).
    \34\ CTA, section 6403(d)(1)-(2). The CTA orders the rescission 
of paragraphs (b) through (j) directly (``the Secretary of the 
Treasury shall rescind paragraphs (b) through (j)'') and orders the 
retention of paragraph (a) by a negative rule of construction 
(``nothing in this section may be construed to authorize the 
Secretary of the Treasury to repeal . . . [31 CFR] 
1010.230(a)[.]''). The statute also provides a list of 
considerations to take into account when revising the 2016 CDD Rule. 
See generally CTA, section 6403(d)(3).
---------------------------------------------------------------------------

    FinCEN began implementing the CTA by publishing an ANPRM on April 
5, 2021.\35\ The ANPRM sought input on five open-ended categories of 
questions, including questions on clarifying key CTA definitions and on 
how FinCEN should implement CTA provisions governing FinCEN's 
maintenance and disclosure of BOI subject to appropriate access 
protocols. In response to the ANPRM, FinCEN received and considered 220 
comments from parties that included businesses, civil society 
organizations, trade associations, law firms, secretaries of state and 
other state officials, Indian Tribes, members of Congress, and private 
citizens.
---------------------------------------------------------------------------

    \35\ 86 FR 17557 (Apr. 5, 2021).
---------------------------------------------------------------------------

    FinCEN next published the Reporting NPRM on December 8, 2021.\36\ 
The Reporting NPRM described Treasury's efforts to address the lack of 
transparency in the ownership of certain legal entities, and proposed 
regulations specifying what BOI must be reported to FinCEN pursuant to 
CTA requirements, by whom, and when. These regulations also proposed 
processes for obtaining, updating, and using FinCEN identifiers. The 
Reporting NPRM included a 60-day comment period, which closed on 
February 7, 2022. FinCEN received over 240 comments on the Reporting 
NPRM.
---------------------------------------------------------------------------

    \36\ 86 FR 69920 (Dec. 8, 2021).
---------------------------------------------------------------------------

    After considering those comments, FinCEN published a final rule 
implementing the CTA's BOI reporting requirements on September 30, 2022 
(Reporting Rule).\37\ The Reporting Rule takes effect on January 1, 
2024, and is the first of three rulemakings required by the CTA. Under 
the Reporting Rule, reporting companies in existence before the 
effective date will have until January 1, 2025, to report.\38\ The 
Reporting Rule also provided that reporting companies created or 
registered to do business on or after January 1, 2024 would need to 
submit BOI to FinCEN within 30 days of receiving notice of a company's 
creation or registration.\39\ However, on November 30, 2023, FinCEN 
published a final rule to extend the timeframe for reporting companies 
created or registered on or after January 1, 2024, and before January 
1, 2025, to submit their initial BOI reports to FinCEN. Under this 
amendment to the Reporting Rule, reporting companies created or 
registered on or after January 1, 2024, and before January 1, 2025, 
will have 90 days to submit their initial BOI reports, instead of 30 
days. Reporting companies formed on or after January 1, 2025, will 
continue to be required to submit their initial BOI reports within 30 
days.
---------------------------------------------------------------------------

    \37\ 87 FR 59498 (Sept. 30, 2022).
    \38\ Reporting Rule, 31 CFR 1010.380(a)(1)(i)-(ii).
    \39\ Id. at 1010.380(a)(iii).
---------------------------------------------------------------------------

    The Reporting Rule also reserved for further consideration certain 
provisions concerning the use of FinCEN identifiers for entities.
    FinCEN next published the Access NPRM regarding the CTA's BOI 
access and safeguard provisions on December 16, 2022.\40\ The proposed 
regulations reflected information gleaned from over 30 outreach 
sessions with representatives from Federal agencies, state courts, 
state and local prosecutors' offices, Tribal governments, financial 
institutions, financial self-regulatory organizations (SROs), and 
government offices that had established beneficial ownership databases, 
as well as from comments to the prior CTA-related publications. The 
Access NPRM also included proposed amendments to the reporting 
regulations that would finalize the remaining Reporting Rule provisions 
concerning the use of FinCEN identifiers for entities. The comment 
period for the Access NPRM closed on February 14, 2023.
---------------------------------------------------------------------------

    \40\ 87 FR 77404 (Dec. 16, 2022).
---------------------------------------------------------------------------

    This final rule adopts, with modifications, the proposed 
regulations in the Access NPRM and is the second rulemaking required by 
the CTA. These final access and safeguard regulations (``Access Rule'') 
aim to ensure that: (1) only authorized recipients have access to BOI; 
(2) authorized recipients use that access only for purposes permitted 
by the CTA; and (3) authorized recipients only re-disclose BOI in ways 
that balance protecting its security and confidentiality with the CTA 
objective of making BOI available to a range of users for authorized 
purposes. The regulations also provide a robust framework to ensure 
that BOI reported to FinCEN, and received by authorized recipients, is 
subject to strict cybersecurity controls, confidentiality protections 
and restrictions, and robust audit and oversight measures.
    FinCEN will implement the CTA requirement to revise the 2016 CDD 
Rule through a future rulemaking process. That process will provide the 
public with an opportunity to comment on the effect of the final 
provisions of the BOI reporting and access rules on financial 
institutions' customer due diligence obligations.
    Finally, the CTA requires the Inspector General of the Department 
of the Treasury to provide public contact information to receive 
external comments or complaints regarding the BOI notification and 
collection process or regarding the accuracy, completeness, or 
timeliness of such information.\41\ Treasury's Office of Inspector 
General (``Treasury OIG'') has established the following email inbox to 
receive such comments or complaints: 
[email protected].
---------------------------------------------------------------------------

    \41\ See 31 U.S.C. 5336(h)(4).
---------------------------------------------------------------------------

C. The Access NPRM

    As noted above in section II.B, FinCEN published the Access NPRM on 
December 16, 2022. The NPRM had a 60-day comment period that closed on 
February 14, 2023. FinCEN received over 80 comments. The NPRM described 
who would be authorized to access BOI reported to FinCEN, how those 
parties could use the information, and how they would be required to 
safeguard it.
    The proposed regulations would amend 31 CFR 1010.950(a) to clarify 
that the disclosure of BOI would be governed by proposed 31 CFR 
1010.955, rather than 31 CFR 1010.950(a), which governs disclosure of 
other BSA information. The CTA specifies disclosure rules applicable to 
BOI that are distinct from BSA provisions authorizing disclosure of 
other BSA information.\42\
---------------------------------------------------------------------------

    \42\ See 31 U.S.C. 5336(c)(2), (5).
---------------------------------------------------------------------------

    The Access NPRM proposed to incorporate the CTA's general 
prohibition on the disclosure of BOI by individual recipients to others 
unless authorized to do so under the statute or its implementing 
regulations, with certain clarifications regarding the applicability 
and duration of that prohibition. The proposed regulations would 
authorize the disclosure and use of BOI to facilitate the purposes of 
the CTA, with FinCEN further proposing to retain the authority to 
permit in writing the re-disclosure of BOI in other circumstances.
    The proposed regulations included provisions that would address a 
range of

[[Page 88736]]

administrative matters, e.g., circumstances under which FinCEN could 
decline to provide requested BOI or debar or suspend an authorized 
recipient, and would incorporate CTA provisions that impose civil and 
criminal penalties for knowingly disclosing or knowingly using BOI in 
ways that were not authorized by the CTA. The proposed rule also would 
reinforce the security and confidentiality requirements of the CTA by 
making clear the range of actions that could constitute unauthorized 
disclosure and use.
    Finally, the Access NPRM made a new proposal regarding the use of 
FinCEN identifiers for entities, which was initially addressed in the 
Reporting NPRM and then deferred in the Final Reporting Rule. 
Specifically, the proposed regulations would clarify that a reporting 
company would be permitted to report the FinCEN identifier of an 
intermediate entity (i.e., an entity through which an individual 
beneficial owner exercises substantial control or owns ownership 
interests in a reporting company) in lieu of a beneficial owner's PII 
only when three criteria are met. Taken together, these requirements 
sought to avoid the use of FinCEN identifiers to obscure beneficial 
ownership in a reporting company when the entity's ownership structure 
involves multiple beneficial owners and intermediate entities. FinCEN 
published a final rule to implement these provisions regarding the use 
of FinCEN identifiers for entities on November 8, 2023.\43\
---------------------------------------------------------------------------

    \43\ 88 FR 76995 (Nov. 8, 2023).
---------------------------------------------------------------------------

    The Access NPRM, however, primarily focused on the scope of and 
requirements for access to and protection of BOI reported to FinCEN. 
The following subsections outline how the proposed regulations would 
apply to five categories of authorized recipients for which the CTA 
prescribes specific requirements with respect to access to and use of 
BOI.
i. Domestic Agencies
    The first category of BOI recipients authorized by the CTA consists 
of (1) Federal agencies engaged in national security, intelligence, or 
law enforcement activity if the requested BOI is for use in furtherance 
of such activity; \44\ and (2) State, local, and Tribal law enforcement 
agencies if ``a court of competent jurisdiction'' authorizes the law 
enforcement agency to seek the information in a criminal or civil 
investigation.\45\ Federal agency access to BOI would be contingent on 
the type of activity an agency engages in. In contrast, State, local, 
and Tribal access would be contingent on two conditions; (1) whether 
the recipient is a law enforcement agency, i.e., the type of agency; 
and (2) whether a State, local, or Tribal law enforcement agency 
receives authorization from a court of competent jurisdiction to 
request BOI from FinCEN.
---------------------------------------------------------------------------

    \44\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
    \45\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    The Access NPRM proposed definitions for ``national security,'' 
``intelligence,'' and ``law enforcement'' activities in a manner 
consistent with the CTA. In particular, the Access NPRM proposed that 
``law enforcement'' include both criminal and civil investigations and 
actions, including actions to impose civil penalties, civil forfeiture 
actions, and civil enforcement through administrative proceedings. For 
access by State, local and Tribal law enforcement, the Access NPRM 
proposed to define ``court of competent jurisdiction'' as any court 
with jurisdiction over the criminal or civil investigation for which 
the State, local, or Tribal law enforcement agency requested BOI. The 
Access NPRM further proposed that the requisite court authorization 
would have to be in the form of a court order, with the understanding 
that the term ``order'' could encompass many authorization types issued 
by a range of court officers (i.e., individuals empowered to exercise a 
court's authority and issue authorizations on its behalf, excluding 
individual attorneys). The NPRM specifically sought feedback on the 
scope of this definition.
    The proposed regulations would also require all Federal agencies 
engaged in national security, intelligence, or law enforcement activity 
to provide a brief justification for each search for BOI in the FinCEN 
IT system and certify compliance with the applicable regulatory 
requirements. State, local, and Tribal law enforcement agencies would 
also have had to provide a brief justification for each search for BOI 
and submit copies of their court orders for FinCEN review. Upon meeting 
these requirements, both Federal agencies engaged in national security, 
intelligence, or law enforcement activity and State, local, and Tribal 
law enforcement agencies would have the ability to conduct searches for 
BOI in the beneficial ownership IT system (the ``BO IT system'') 
relevant to their investigation. The BO IT system would provide these 
users with both a reporting company's BOI at the time of the request as 
well as any previously submitted BOI.
    Furthermore, the Access NPRM proposed that Federal agencies engaged 
in a national security, intelligence, or law enforcement activity, as 
well as State, local, and Tribal law enforcement agencies, would be 
authorized to disclose BOI obtained directly from FinCEN to courts of 
competent jurisdiction or parties to a civil or criminal proceeding. 
This authorization would only apply to civil or criminal proceedings 
involving U.S. Federal, State, local, and Tribal laws. In the preamble 
to the Access NPRM, FinCEN explained that it envisioned agencies 
relying on this provision when, for example, a prosecutor would need to 
provide a criminal defendant with BOI in discovery or use it as 
evidence in a court proceeding or trial.\46\
---------------------------------------------------------------------------

    \46\ See CTA, section 6402(5)(D).
---------------------------------------------------------------------------

    The CTA prescribes a number of security and confidentiality 
requirements that the Secretary must impose on requesting Federal, 
State, local, and Tribal agencies and their heads. These include 
requirements for secure storage systems and access policies and 
procedures; personnel access controls; recordkeeping, reporting, and 
audit requirements; and written certifications. These requirements 
affirm the importance of the security and confidentiality protocols and 
the need for a high degree of accountability for the protection of BOI. 
The proposed regulations described how each requesting agency, before 
it could obtain BOI from FinCEN, would be required to enter into a 
memorandum of understanding (MOU) with FinCEN specifying the standards, 
procedures, and systems that the agency would be required to maintain 
to protect BOI, including security plans. FinCEN explained in the 
preamble to the Access NPRM that these requirements are extensive by 
necessity given the broad search functionality within the BO IT system 
that would be available to this category of authorized recipients.
ii. Foreign Requesters
    The second category consists of foreign law enforcement agencies, 
judges, prosecutors, central authorities, and competent authorities 
(``foreign requesters''), provided their requests come through an 
intermediary Federal agency, meet additional criteria, and are made 
either (1) under an international treaty, agreement, or convention; or 
(2) via a request made by law enforcement, judicial, or prosecutorial 
authorities in a trusted foreign country (when no international treaty, 
agreement, or convention is available).\47\
---------------------------------------------------------------------------

    \47\ See 31 U.S.C. 5336(c)(2)(B)(ii).

---------------------------------------------------------------------------

[[Page 88737]]

    FinCEN generally did not propose to identify in the Access NPRM any 
specific Federal agencies that would serve as intermediaries with 
foreign governments.\48\ FinCEN instead indicated that it would work 
with Federal agencies to identify those that are well positioned to be 
intermediaries, based on several factors, including: the level of 
engagement with foreign law enforcement agencies, judges, prosecutors, 
central authorities, or competent authorities; responsibility under 
international treaties, agreements, or conventions; and capacity to 
process requests for BOI while managing risks of unauthorized 
disclosure. The Access NPRM proposed to permit intermediary Federal 
agencies to use BOI obtained from FinCEN at the behest of a foreign 
requester only to facilitate a response to that foreign requester.
---------------------------------------------------------------------------

    \48\ Given its longstanding relationships and relevant 
experience as the financial intelligence unit of the United States, 
FinCEN proposed to directly receive, evaluate, and respond to 
requests for BOI from foreign financial intelligence units.
---------------------------------------------------------------------------

    With respect to the requirement that a foreign request be made 
under an ``international treaty, agreement, or convention,'' FinCEN 
explained that it understood those terms to cover a legally binding 
agreement governed by international law. FinCEN did not propose to 
identify specific countries it would treat as ``trusted'' in situations 
when no international treaty, agreement, or convention applied. The 
Access NPRM explained that to define ``trusted foreign country'' would 
have risked arbitrarily excluding foreign requesters with whom sharing 
BOI might be appropriate in some cases but not others. FinCEN instead 
proposed to conduct case-by-case assessments in consultation with 
relevant U.S. government agencies to determine whether to disclose BOI 
to a foreign requester in a particular instance.
    In the Access NPRM, FinCEN explained that it did not expect foreign 
requesters to have direct access to the BO IT system, but rather that 
intermediary Federal agencies would perform BOI searches in the system 
on a foreign requester's behalf. Before acting as intermediaries, 
Federal agencies would first have to fulfill several requirements, 
including: (1) ensuring that they have secure systems for BOI storage; 
(2) entering into MOUs with FinCEN outlining expectations and 
responsibilities; (3) incorporating the CTA foreign sharing 
requirements into evaluation criteria with which to review BOI requests 
from foreign requesters; (4) integrating the evaluation criteria into 
their existing information-sharing policies and procedures; (5) 
developing additional security protocols and systems as required under 
the CTA and this rule; and (6) ensuring that their personnel have 
sufficient training on BOI security and use requirements and 
restrictions.
    Under the Access NPRM, an intermediary Federal agency would be 
authorized to submit foreign requests for BOI to FinCEN only after 
meeting these requirements. Such requests would need to include certain 
information, including: (1) the names of both the individual within the 
intermediary Federal agency making the request and the individual 
affiliated with the foreign requester on whose behalf the request was 
being made; and (2) either the international treaty, agreement, or 
convention under which the request was being made, or a statement that 
no such instrument governs along with an explanation of the 
information's intended use. Intermediary Federal agencies would also 
need to certify that a request meets applicable eligibility criteria. 
After doing so, an intermediary Federal agency could then search for 
and retrieve requested BOI from the system and respond to the foreign 
requester in a manner consistent with either the international treaty, 
agreement, or convention, or the request from the trusted foreign 
country. Intermediary Federal agencies would be required to maintain 
records documenting specified elements of each search, both for the 
agency's own internal auditing and for FinCEN audits as required under 
the CTA.
    Recognizing the importance that all authorized BOI recipients--
including foreign requesters--take appropriate steps to keep BOI 
confidential and secure and to prevent misuse, FinCEN also proposed 
requiring foreign requesters to handle, disclose, and use BOI 
consistent with the requirements of the applicable international 
treaty, agreement, or convention under which it is requested. When no 
treaty, agreement, or convention applies, the Access NPRM proposed that 
the head of an intermediary Federal agency, acting on behalf of a 
foreign requester, or their designee, would need to submit to FinCEN a 
written explanation of the specific purpose for which the foreign 
requester is requesting BOI. The intermediary Federal agency in such 
cases would have also needed to provide FinCEN with a certification 
that the requested BOI would be: (1) used in furtherance of a law 
enforcement investigation or prosecution, or for a national security or 
intelligence activity that is authorized under the laws of the relevant 
foreign country; (2) only used for the particular purpose or activity 
for which it was requested; and (3) handled in accordance with 
specified security and confidentiality requirements. Under the proposed 
rule, the certification would reflect what the head of the intermediary 
Federal agency head or their designee understands to be the intended 
use for the BOI, rather than a guarantee from the intermediary Federal 
agency that the foreign requester would not use the information for 
unauthorized purposes. The Access NPRM further specified that FinCEN 
could request additional information from the requester to support 
FinCEN's evaluation of whether to disclose BOI to a foreign requester 
when the request is not pursuant to an international treaty, agreement, 
or convention.
iii. Financial Institutions With Customer Due Diligence Compliance 
Obligations Under Applicable Law
    The third authorized recipient category under the CTA is financial 
institutions that use BOI ``to facilitate compliance with customer due 
diligence requirements under applicable law.'' \49\ FinCEN proposed to 
define the term ``customer due diligence requirements under applicable 
law'' to mean FinCEN's customer due diligence regulations at 31 CFR 
1010.230, which require covered financial institutions to identify and 
verify beneficial owners of legal entity customers. FinCEN considered 
other approaches, but concluded that focusing on its 2016 CDD Rule 
alone would make this access category easier to administer, reduce 
uncertainty about which financial institutions could access BOI under 
the proposed rule, and better protect the security and confidentiality 
of sensitive BOI by limiting the circumstances under which financial 
institutions could access the information. There also did not appear to 
be any State, local, or Tribal customer due diligence requirements 
comparable in substance to FinCEN's 2016 CDD Rule.\50\
---------------------------------------------------------------------------

    \49\ 31 U.S.C. 5336(c)(2)(B)(iii).
    \50\ In the Access NPRM, FinCEN specifically asked commenters to 
identify any Federal, State, local, or Tribal law requirements 
comparable to the 2016 CDD Rule regarding financial institutions 
identifying and verifying beneficial owners of legal entity 
customers. FinCEN received no responses to that request.
---------------------------------------------------------------------------

    The CTA further requires that a reporting company's consent is 
necessary in order for a financial institution to obtain BOI from 
FinCEN. FinCEN proposed to make financial institutions responsible for 
obtaining this consent. That proposal reflected FinCEN's assessment 
that financial institutions are best positioned to obtain and manage 
consent through existing

[[Page 88738]]

processes and by virtue of having direct relationship with reporting 
companies as customers. Although certain certifications would be 
required, the Access NPRM did not propose that financial institutions 
submit proof of a reporting company's consent. FinCEN recognized that 
it would not have the capacity to review, verify, and store consent 
forms, and additional FinCEN involvement would create undue delays for 
the ability of financial institutions to onboard customers. FinCEN also 
explained that a financial institution's compliance with these 
requirements would be assessed by Federal functional regulators in the 
ordinary course during examinations, or by financial SROs during their 
routine BSA examinations.\51\
---------------------------------------------------------------------------

    \51\ The CTA requirements financial institutions must satisfy to 
qualify for BOI disclosure from FinCEN are part of the BSA, a 
statute enacted in pertinent part in Chapter X of the Code of 
Federal Regulations. FinCEN has delegated its authority to examine 
financial institutions for compliance with Chapter X to the Federal 
functional regulators. See 31 CFR 1010.810. Separately, the FBAs 
have their own authority to examine the financial institutions that 
they supervise for compliance with the BSA. See 12 U.S.C. 
1786(q)(2), 1818(s)(2).
---------------------------------------------------------------------------

    FinCEN described in the Access NPRM its plan to establish for 
financial institutions a more circumscribed BO IT system interface than 
would be available to most Federal agencies and State, local, and 
Tribal law enforcement agencies. This would be based on the defined 
purposes for which financial institutions can use BOI under the CTA and 
the proposed requirement that they obtain reporting company consent 
before requesting the information from FinCEN. The interface would 
require financial institutions to submit identifying information 
specific to a particular reporting company (for example, the company 
name and tax identification number). In return, the financial 
institution would receive an electronic transcript with that reporting 
company's BOI at the time of the request. The transcript would not 
include any previously submitted BOI for the reporting company.
    Although the CTA does not specifically address the safeguards that 
financial institutions must implement as a condition for requesting 
BOI, the CTA authorizes FinCEN to prescribe by regulation any other 
safeguards determined to be necessary or appropriate to protect the 
confidentiality of BOI.\52\ In exercising this authority, FinCEN 
proposed a principles-based approach by requiring that financial 
institutions develop and implement administrative, technical, and 
physical safeguards reasonably designed to protect BOI as a 
precondition for receiving the information. The proposed regulations 
would establish that the security and information handling procedures 
necessary to comply with section 501 of the Gramm-Leach-Bliley Act 
(Gramm-Leach-Bliley) \53\ and related regulations to protect nonpublic 
customer personal information, if applied to BOI under the control of 
the financial institution, would satisfy this requirement. Financial 
institutions not subject to regulations issued pursuant to section 501 
of Gramm-Leach-Bliley would be held to these same substantive standards 
under the proposed rules.
---------------------------------------------------------------------------

    \52\ 31 U.S.C. 5336(c)(3)(K).
    \53\ Public Law 106-102, 113 Stat. 1338, 1436-37 (1999).
---------------------------------------------------------------------------

    Subject to certain conditions, the Access NPRM proposed to 
authorize financial institutions to share BOI that they obtained from 
FinCEN for use in fulfilling customer due diligence obligations with: 
(1) their Federal functional regulators, (2) qualifying SROs, or (3) 
any other appropriate regulatory agency. FinCEN proposed this 
authorization for the sake of efficiency and to more easily provide 
regulators with a complete picture of how financial institutions are 
obtaining and using BOI for customer due diligence compliance, thereby 
supporting the aims and purposes of the CTA, as well as helping them 
detect compliance failures.
iv. Regulatory Agencies
    The fourth category of authorized recipient under the proposed 
regulations is Federal functional regulators and other appropriate 
regulatory agencies that (1) are authorized to assess, supervise, 
enforce, or otherwise determine financial institution compliance with 
customer due diligence requirements under applicable law; (2) use BOI 
solely to conduct an assessment, supervision, or authorized 
investigation or activity under 31 U.S.C. 5336(c)(2)(C)(i); and (3) 
enter into an agreement with FinCEN describing appropriate protocols 
for obtaining BOI.
    The proposed regulations also incorporated the CTA's limitation on 
the scope of access by these agencies. The CTA states that BOI that 
FinCEN discloses to financial institutions should ``also be available 
to [their qualifying regulators].'' \54\ The Access NPRM therefore 
proposed to allow only qualifying regulators to obtain from FinCEN BOI 
that financial institutions that they supervise for customer due 
diligence compliance had already obtained under the CTA and its 
implementing regulations. Obtaining BOI from FinCEN would require 
Federal functional regulators and other appropriate regulatory agencies 
to certify to FinCEN when requesting BOI that the agency (1) is 
authorized by law to assess, supervise, enforce, or otherwise determine 
the relevant financial institution's compliance with customer due 
diligence requirements under applicable law, and (2) would use the 
information solely for that activity.
---------------------------------------------------------------------------

    \54\ 31 U.S.C. 5336(c)(2)(C) (emphasis added).
---------------------------------------------------------------------------

    FinCEN made clear in the Access NPRM that it did not believe this 
customer due diligence-specific authorization was the exclusive means 
through which one of these regulators could obtain BOI. The access 
provision for Federal agencies engaged in national security, 
intelligence, or law enforcement activities focuses on activity 
categories, not agency types. To the extent that a Federal functional 
regulator, like the Securities and Exchange Commission (SEC), engages 
in civil law enforcement activities, agency officers, employees, 
contractors, and agents responsible for those activities could obtain 
BOI under the access provision for Federal law enforcement activity. 
The same principle applies to other agencies with both supervisory 
responsibility and authority to engage in other covered activity, 
including, potentially, State, local, and Tribal law enforcement 
agencies.
    In the Access NPRM, FinCEN clarified that it would adopt its 
existing regulatory definition of ``Federal functional regulators'' to 
minimize the risk of confusion.\55\ FinCEN did not propose to define 
``other appropriate regulatory agencies,'' because it assessed that the 
requirement that an agency be authorized by law to supervise financial 
institutions for customer due diligence compliance sufficiently 
circumscribed the category.
---------------------------------------------------------------------------

    \55\ Under this definition, the six Federal functional 
regulators that supervise financial institutions with customer due 
diligence obligations are the Board of Governors of the Federal 
Reserve System (FRB), the Office of the Comptroller of the Currency 
(OCC), the Federal Deposit Insurance Corporation (FDIC), the 
National Credit Union Administration (NCUA), the SEC, and the 
Commodity Futures Trading Commission (CFTC). See 31 CFR 1010.100(r).
---------------------------------------------------------------------------

    In the Access NPRM, FinCEN considered whether SROs registered with 
or designated by a Federal functional regulator pursuant to Federal 
statute \56\ (``qualifying SROs'') should qualify as ``other 
appropriate regulatory agencies.'' These organizations--like the 
Financial Industry Regulatory Authority (FINRA) or the National Futures 
Association (NFA)--are not traditionally

[[Page 88739]]

understood to be agencies of the U.S. government,\57\ but they do 
exercise self-regulatory authority within the framework of Federal law, 
and work under the supervision of Federal functional regulators to 
assess, supervise, and enforce financial institution compliance with, 
among other things, customer due diligence requirements.\58\ These 
qualifying SROs also are subject to extensive oversight by Federal 
agencies.\59\
---------------------------------------------------------------------------

    \56\ See, e.g., 7 U.S.C. 21; 15 U.S.C. 78o-3.
    \57\ See, e.g., In re William H. Murphy & Co., SEC Release No. 
34-90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that 
FINRA ``is not a part of the government or otherwise a [S]tate 
actor'' to which constitutional requirements apply).
    \58\ See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2-
9(c)(5).
    \59\ See, e.g., Scottsdale Cap. Advisors Corp. v. FINRA, 844 
F.3d 414, 418 (4th Cir. 2016) (``Before any FINRA rule goes into 
effect, the SEC must approve the rule and specifically determine 
that it is consistent with the purposes of the Exchange Act. The SEC 
may also amend any existing rule to ensure it comports with the 
purposes and requirements of the Exchange Act.'' (citations 
omitted); Birkelbach v. SEC, 751 F.3d 472, 475 (7th Cir. 2014) (``A 
[FINRA] member can appeal the disposition of a FINRA disciplinary 
proceeding to the SEC, which performs a de novo review of the record 
and issues a decision of its own.'').
---------------------------------------------------------------------------

    FinCEN believed that qualifying SROs fulfill a critical role in 
overseeing participants in the financial services sector which 
justified their limited and derivative access to BOI: Without this 
level of access, qualifying SROs would not be able to effectively 
evaluate a financial institution's customer due diligence compliance. 
The CTA provides FinCEN broad discretion to specify the conditions 
under which authorized recipients of BOI may re-disclose that 
information to others. Consequently, the Access NPRM proposed to permit 
both financial institutions and Federal functional regulators to re-
disclose to qualifying SROs any BOI they obtained from FinCEN for use 
in complying with customer due diligence requirements under applicable 
law. A qualifying SRO would (1) need to satisfy the same three 
conditions applicable to Federal functional regulators and other 
appropriate regulatory agencies, and (2) be permitted to use the 
information for the limited purpose of examining compliance with 
applicable customer due diligence obligations.
    The Access NPRM further proposed that Federal functional regulators 
would also be permitted to disclose BOI to DOJ for purposes of making a 
referral to DOJ or for use in litigation related to the activity for 
which the requesting agency requested the information.
v. Department of the Treasury Access
    The CTA includes separate, Treasury-specific provisions for 
accessing BOI, tying the access to a Treasury officer's or employee's 
official duties requiring BOI inspection or disclosure,\60\ including 
for tax administration purposes.\61\ Proposed 31 CFR 1010.955(b)(5) 
tracked these authorizations, and provided that Treasury officers and 
employees may receive BOI where their official duties require such 
access, or for tax administration, consistent with procedures and 
safeguards established by the Director of FinCEN. The proposed 
regulations also clarified the term ``tax administration purposes'' by 
adding a reference to the definition of ``tax administration'' in the 
Internal Revenue Code.\62\
---------------------------------------------------------------------------

    \60\ See 31 U.S.C. 5336(c)(5)(A).
    \61\ See 31 U.S.C. 5336(c)(5)(B).
    \62\ 26 U.S.C. 6103(b)(4).
---------------------------------------------------------------------------

    The Access NPRM explained that FinCEN envisioned Treasury 
components having broad search functionality comparable to that of 
Federal agencies engaged in national security, intelligence, or law 
enforcement activity. This would include using BOI for enforcement 
actions, intelligence and analytical purposes, sanctions-related 
investigations, and identifying property blocked pursuant to sanctions, 
as well as for activities unique to Treasury, such as for tax 
administration and administration of the BOI framework, including 
audits, enforcement, and oversight. As with other Federal agencies 
requesting BOI for their own use, Treasury would also be permitted to 
disclose BOI for purposes of making a referral to DOJ or for use in 
litigation related to the activity for which Treasury officers, 
employees, contractors, or agents requested the information.
    The Access NPRM further explained that FinCEN expected to work with 
other Treasury components to establish internal policies and procedures 
governing Treasury access to BOI. FinCEN noted that it anticipated that 
the security and confidentiality protocols in those policies and 
procedures would include elements of the protocols described in 
proposed 31 CFR 1010.955(d)(1) as applicable to Treasury activities and 
organization. Furthermore, officers and employees identified as having 
duties potentially requiring access to BOI would receive training on, 
among other topics, determining when their duties require access to 
BOI, what they can do with the information, and how to handle and 
safeguard it. Their activities would also be subject to audit.

D. CTA Implementation Efforts

i. Beneficial Ownership IT System
    The CTA directs the Secretary to maintain BOI ``in a secure, 
nonpublic database, using information security methods and techniques 
that are appropriate to protect nonclassified information security 
systems at the highest security level . . . .'' \63\ FinCEN is 
implementing this requirement by developing a secure BO IT system to 
receive, store, and maintain BOI. Consistent with the CTA's requirement 
\64\ and FinCEN's recognition that BOI is sensitive information 
warranting stringent security, the system will be cloud-based and will 
meet the highest Federal Information Security Management Act (FISMA) 
\65\ level (FISMA High).\66\ A FISMA High rating indicates that losing 
the confidentiality, integrity, or availability of information within a 
system would have a severe or catastrophic adverse effect on the 
organization maintaining the system, including on organizational assets 
or individuals.\67\ The rating carries with it a requirement to 
implement certain baseline controls to protect the relevant 
information.\68\ System functionality will vary by recipient category 
consistent with statutory requirements, limitations on BOI disclosure, 
and FinCEN's objective of minimizing access to the data as much as 
practicable to minimize the risk of unauthorized disclosure. The target 
date for the system to begin accepting BOI reports is January 1, 2024, 
the same day on which the Reporting Rule takes effect.
---------------------------------------------------------------------------

    \63\ CTA, section 6402(7).
    \64\ 31 U.S.C. 5336(c)(8).
    \65\ 44 U.S.C. 3541 et seq.
    \66\ See U.S. Department of Commerce, Federal Information 
Processing Standards Publication: Standards for Security 
Categorization of Federal Information and Information Systems 
(``FIPS Pub 199'') (Feb. 2004), available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf.
    \67\ Id. at 3.
    \68\ Id.
---------------------------------------------------------------------------

ii. Additional CTA Implementation Efforts
    In addition to continuing development of the BO IT system, FinCEN 
is working across several other CTA implementation efforts. First, it 
is working intensively to develop guidance and other educational 
materials to ensure that small businesses have the information they 
need to comply and that reporting beneficial ownership information is 
as streamlined and straightforward as possible. On March 24, 2023, for 
example, FinCEN published its first set

[[Page 88740]]

of guidance materials to aid the public, and in particular the small 
business community, in understanding the BOI reporting requirements 
taking effect on January 1, 2024.\69\ That guidance, available on 
FinCEN's website, includes Frequently Asked Questions (FAQs), guidance 
on BOI filing dates, and informational videos.\70\ FinCEN published a 
Small Entity Compliance Guide on September 18, 2023, as well as 
additional guidance to address more complex topics around BOI 
reporting. FinCEN is also developing the infrastructure to respond to 
queries, conduct audit and oversight, and provide partner agencies and 
financial institutions with access to BOI.
---------------------------------------------------------------------------

    \69\ FinCEN, FinCEN Issues Initial Beneficial Ownership 
Information Reporting Guidance (Mar. 24, 2023), available at https://www.fincen.gov/news/news-releases/fincen-issues-initial-beneficial-ownership-information-reporting-guidance.
    \70\ FinCEN, Beneficial Ownership Information Reporting, 
available at https://www.fincen.gov/boi.
---------------------------------------------------------------------------

    FinCEN is particularly focused on providing helpful customer 
service to reporting companies in the first year and beyond as they 
file their BOI. FinCEN currently fields approximately 13,000 inquiries 
a year through its Regulatory Support Section, and approximately 70,000 
external technical inquiries a year through the IT Systems Helpdesk. 
FinCEN has estimated that there will be approximately 32 million 
reporting companies in Year 1 of the reporting requirement and 
approximately 5 million new reporting companies each year 
thereafter.\71\ Given the expected increase in incoming inquiries, 
FinCEN is working to stand up a dedicated beneficial ownership contact 
center to respond to inquiries about the beneficial ownership reporting 
requirements, and to provide assistance to users encountering technical 
issues with the BO IT system. FinCEN expects the contact center to 
begin operations prior to January 1, 2024.
---------------------------------------------------------------------------

    \71\ 87 FR 59498, 59549 (Sept. 30, 2022).
---------------------------------------------------------------------------

    FinCEN is also working to establish internal policies and 
procedures governing Treasury officer and employee access to BOI, as 
well as to draft and negotiate MOUs for access to BOI and related 
materials. In keeping with protocols described in this final rule, 
Federal, State, local and Tribal agencies outside of Treasury will be 
required to enter into MOUs with FinCEN specifying the standards, 
procedures, and systems they will be required to maintain to protect 
BOI. Agency MOUs will, among other things, memorialize and implement 
requirements regarding reports and certifications, periodic training of 
individual recipients of BOI, personnel access restrictions, re-
disclosure limitations, and access to audit and oversight mechanisms. 
MOUs will also include security plans covering topics related to 
personnel security (e.g., eligibility limitations, screening standards, 
and certification and notification requirements); physical security 
(i.e., system connections and use, conditions of access, and data 
maintenance); computer security (i.e., use and access policies, 
standards related to passwords, transmission, storage, and encryption); 
and inspections and compliance. Agencies will be able to rely on 
existing databases and related IT infrastructure to satisfy the 
requirement to ``establish and maintain'' secure systems in which to 
store BOI where those systems have appropriate security and 
confidentiality protocols, and FinCEN will engage with recipient 
agencies on these protocols during the MOU development process.
iii. Administration of Access to BOI
    For any given user agency, the administrative steps described in 
the preceding section will need to be completed before authorized users 
obtain access to the BO IT system. These steps will require resources 
to complete. Every Federal, State, local, and tribal user agency will 
need to enter into an MOU with FinCEN for access to the BO IT system 
and put in place the policies and procedures required under the final 
Access Rule and the MOU. FinCEN will also need to establish BO IT 
system individual user accounts for all personnel who are authorized to 
access the system at agencies and financial institutions.
    To smoothly manage the draw on resources that this process will 
demand, FinCEN will take a phased approach to providing access to the 
BO IT system. The first stage will be a pilot program for a handful of 
key Federal agency users starting in 2024, as required MOUs and 
policies and procedures are completed. The second stage will extend 
access to Treasury Department offices and certain Federal agencies 
engaged in law enforcement and national security activities that 
already have Bank Secrecy Act MOUs (e.g., FBI, IRS-CI, HSI, DEA, 
Federal banking agencies (FBAs)). Subsequent stages will extend access 
to additional Federal agencies engaged in law enforcement, national 
security, and intelligence activities, as well as key State, local, and 
Tribal law enforcement partners; to additional State, local, and Tribal 
law enforcement partners; in connection with foreign government 
requests; and finally, to financial institutions and their supervisors.
    FinCEN believes that starting with a small pilot program of users 
in 2024 will help test the system and ensure that any issues can be 
addressed before expanding access to other users. Making access more 
broadly available in the four subsequent stages outlined above will 
help ensure the orderly onboarding of authorized users and will space 
out the timing of the annual audits of agency users that FinCEN is 
required to conduct under the CTA. Additionally, there is a good reason 
for FinCEN's sequencing of access, making financial institutions and 
their supervisors the last category of users that will receive access 
to the BO IT system: FinCEN expects that the timing of their access 
will roughly coincide with the upcoming revision of FinCEN's 2016 CDD 
Rule. This will allow financial institutions to enjoy certain 
administrative efficiencies by bundling system and compliance changes. 
FinCEN anticipates providing additional information on the timing and 
details regarding this phased implementation approach in early 2024.

E. Comments Received

    In response to the NPRM, FinCEN received over 80 comments. 
Submissions came from a broad array of individuals and organizations, 
including members of Congress, the financial industry and related trade 
associations, groups representing small business interests, corporate 
transparency advocacy groups, law enforcement representatives, 
regulatory associations, legal associations, and other interested 
groups and individuals.
    In general, many commenters expressed support for the proposed 
regulations. These commenters agreed that the proposed regulations were 
a significant step forward in improving the ability of law enforcement 
and national security agencies to identify illicit actors hiding behind 
anonymous shell and front companies. One of the commenters stated that 
the proposed regulations would confer benefits to both the United 
States and its overseas partners and bring the United States in line 
with emerging global practices relating to beneficial ownership 
information reporting. These commenters viewed the proposed regulations 
as being consistent with the statutory text. They supported the 
approach taken to provide access to BOI to authorized recipients and 
were encouraged by the proposed limitations and security provisions to 
protect the BOI and prevent unauthorized disclosure. These commenters 
were

[[Page 88741]]

particularly supportive of the proposed regulations with respect to 
U.S. Federal agencies' access to the BOI database. Supportive 
commenters agreed that U.S. Federal agencies accessing the database for 
law enforcement, intelligence, and national security purposes should 
have broad access, and that foreign requesters should be able to 
request BOI for similar purposes.
    Other commenters expressed general opposition to the proposed 
regulations, arguing that the proposed regulations deviate from the CTA 
and congressional intent. These commenters argued that the proposed 
regulations, if finalized without significant changes, would impose 
unnecessary requirements, limitations, and burdens with respect to 
certain types of access. Commenters also argued that the proposed 
regulations would be too costly and burdensome for small businesses. In 
particular, commenters expressed concern over the access provisions 
relating to State, local, and Tribal law enforcement authorities and 
financial institutions. Some commenters stated that certain 
requirements for law enforcement access to BOI, such as the requirement 
to submit ``a copy of a court order'' and ``written justification'' in 
proposed 31 CFR 1010.955(d)(1)(ii)(B)(2), would create undue barriers 
for State, local and Tribal law enforcement and contradict the 
statutory text. Other commenters argued that the proposed restrictions 
on access by financial institutions and their regulators would 
significantly limit the utility of the database. These commenters 
argued that proposed regulations interpreted ``customer due diligence 
requirements under applicable law'' in 31 U.S.C. 5336(c)(2)(B)(iii) too 
narrowly and objected to the requirement that individuals with access 
to BOI be located in the United States (31 CFR 1010.955(c)(2)(ii)). 
These commenters suggested that FinCEN adopt a broader approach to 
financial institutions' access to BOI and asked for clarification on a 
number of related provisions, including, for example, expectations 
around customer consent, database usage, and discrepancy reporting. One 
commenter suggested that FinCEN withdraw the proposed regulations and 
engage with the financial services industry and small businesses to 
develop a new proposal to better achieve the objectives of the CTA and 
the AML Act.
    Many commenters, regardless of their overarching views, suggested 
specific modifications to the proposed regulations to enhance clarity, 
refine policy expectations, ensure technical accuracy, and improve 
implementation more broadly. Commenters sought clarification on 
specific definitions, use cases, technical requirements and processes, 
and database functionality, among other things. Several commenters 
advocated for providing certain additional categories of users access 
to BOI, while others shared views on the sensitivity of BOI. Several 
commenters emphasized their view that BOI needed to be verified and 
suggested ways to improve the quality of the database.
    Commenters also shared views on future revisions to the 2016 CDD 
Rule, highlighting the ways in which they anticipated the proposed 
regulations with respect to access would interact with the 2016 CDD 
Rule. Among other things, these commenters expressed concerns about 
potential inconsistencies between BOI in the database and the customer 
information that financial institutions maintain pursuant to customer 
due diligence obligations. Many of these commenters urged FinCEN to 
address these concerns before 2016 CDD Rule revisions are finalized; 
some suggested that these concerns be addressed as part of the final 
Access Rule. Several commenters expressed frustration over the 
sequencing of the CTA rulemakings, stating, for example, that it is 
difficult to provide meaningful comments on the proposed regulations 
given uncertainties about revisions to the 2016 CDD Rule.
    Commenters shared views on the proposed regulations on FinCEN 
identifiers for reporting companies. While some commenters were 
supportive of FinCEN's approach, others found the proposal complex and 
confusing. Whether or not generally supportive, commenters suggested 
specific modifications to the proposal and asked for clarification on 
the availability of the information underlying FinCEN identifiers. One 
commenter expressed generalized concern about the availability of 
FinCEN identifiers and their potential misuse.
    FinCEN also received comments on topics not directly related to the 
proposed regulations. Some of these comments focused on elements of the 
Reporting Rule, e.g., information to be reported, company applicants, 
enforcement mechanism, and the proposed BOI report form. Others 
identified typographical errors, offered specific recommendations with 
respect to MSBs and mutual funds, and urged FinCEN to take steps to 
prevent the creation of fraudulent FinCEN websites. One commenter 
suggested that FinCEN should be designated as part of the intelligence 
community, while another suggested that Congress should repeal the USA 
PATRIOT Act. Finally, one commenter highlighted that some individuals 
may feel discouraged from submitting comments on proposed regulations 
if their views do not align with those of their employer.
    FinCEN carefully reviewed and considered each comment submitted. 
Many specific proposals will be discussed in more detail in section III 
below. FinCEN's analysis and approach has been guided by the statutory 
text, including the statutory obligations to disclose BOI to authorized 
users for specified purposes while following strict security and 
confidentiality protocols and minimizing burdens on stakeholders.
    In implementing this final rule, FinCEN took into account the many 
comments and suggestions intended to clarify and refine the scope of 
the rule and to reduce burdens on authorized users to the greatest 
extent practicable. FinCEN further notes that implementation of the 
final rule will require additional engagement with stakeholders to 
ensure a clear understanding of the rule's requirements, including 
through additional guidance, FAQs, and help lines. FinCEN intends to 
work within Treasury and with interagency partners to inform these 
specific efforts and the broader implementation of this final rule.

III. Discussion of Final Rule

    This final rule builds on the Access NPRM and is the next step 
after the Reporting Rule in FinCEN's implementation of the CTA. The 
final rule aims to ensure that: (1) only authorized recipients have 
access to BOI; (2) authorized recipients use that access only for 
purposes permitted by the CTA; and (3) authorized recipients only re-
disclose BOI in ways that balance protecting its security and 
confidentiality with the CTA objective of making BOI available to users 
for a range of authorized purposes. The regulations also provide a 
robust framework to ensure that BOI reported to FinCEN, and received by 
authorized recipients, is subject to strict cybersecurity controls, 
confidentiality protections and restrictions, and robust audit and 
oversight measures.
    FinCEN is adopting the proposed rule largely as proposed, but with 
certain modifications that are responsive to comments received and 
intended to reduce barriers to the effective use of BOI, while 
maintaining appropriate protections for the information. Among other 
things, the final rule broadens the purposes for which financial 
institutions may use BOI, and

[[Page 88742]]

streamlines the requirements for State, local, and Tribal law 
enforcement access to BOI. FinCEN believes that these changes will help 
to ensure that the database is highly useful to relevant stakeholders 
who are authorized to access BOI. FinCEN has made certain other 
clarifying and technical revisions throughout the rule. We discuss 
specific comments, modifications, revisions, and the shape of the final 
rule section by section here.
    We discuss the elements of the final rule under seven headings: (A) 
availability of information--general; (B) prohibition on disclosure; 
(C) disclosure of information by FinCEN; (D) use of information; (E) 
security and confidentiality requirements; (F) administration of 
requests for information reported pursuant to 31 CFR 1010.380; and (G) 
violations. In addition, this section discusses general implementation 
efforts as they apply to the development of the IT system.

A. Availability of Information--General

    Proposed Rule. FinCEN proposed to amend 31 CFR 1010.950(a) to 
clarify that the disclosure of BOI would not be governed by Sec.  
1010.950(a) but instead by proposed 31 CFR 1010.955.
    Comments Received. FinCEN did not receive comments on this 
proposal.
    Final Rule. The final rule adopts the amendments to 31 CFR 
1010.950(a) as proposed. The amendments clarify that the disclosure of 
BOI is governed by a new provision, 31 CFR 1010.955, rather than 31 CFR 
1010.950(a). Section 1010.950(a) governs disclosure of other BSA 
information by Treasury and states that ``[t]he Secretary may within 
his discretion disclose information reported under this chapter for any 
reason consistent with the purposes of the Bank Secrecy Act, including 
those set forth in paragraphs (b) through (d) of this section.'' In 
contrast, the CTA authorizes FinCEN to disclose BOI only in limited and 
specified circumstances.\72\ As these CTA provisions are separate and 
distinct from provisions authorizing disclosure of other BSA 
information, distinct regulatory treatment is warranted.\73\
---------------------------------------------------------------------------

    \72\ See 31 U.S.C. 5336(c)(2), (5).
    \73\ See, e.g., 31 U.S.C. 5319.
---------------------------------------------------------------------------

B. Prohibition on Disclosure

    Proposed Rule. Proposed 31 CFR 1010.955(a) would implement the 
broad prohibition in the CTA on the disclosure of information reported 
to FinCEN pursuant to 31 CFR 1010.380, except as authorized under the 
proposed rule. Specifically, the CTA provides that, except as 
authorized by 31 U.S.C. 5336(c) and the protocols promulgated 
thereunder, BOI reported to FinCEN by reporting companies is 
confidential and shall not be disclosed by (1) an officer or employee 
of the United States, (2) an officer or employee of any State, local, 
or Tribal agency, or (3) an officer or employee of any financial 
institution or regulatory agency receiving information under this 
subsection of the CTA.\74\ The proposed rule adopted this broad 
prohibition on disclosure but extended it in two ways. First, it 
extended the prohibition to any of the officers or employees described 
in (1) through (3) above regardless of whether they continue to serve 
in the position through which they were authorized to receive BOI. 
Second, it extended the prohibition on disclosure to any individual who 
receives BOI as a contractor or agent of the United States; as a 
contractor or agent of a State, local, or Tribal agency; or as a member 
of the board of directors, contractor, or agent of a financial 
institution.
---------------------------------------------------------------------------

    \74\ See 31 U.S.C. 5336(c)(2)(A).
---------------------------------------------------------------------------

    Comments Received. One commenter supported the proposed extension 
of the prohibition on disclosure of BOI to contractors or agents of the 
United States and State, local or Tribal law enforcement agencies, and 
to contractors, agents, and directors of financial institutions. The 
commenter noted that this extension furthers the purpose of the CTA and 
would close potential loopholes around prohibited disclosures of BOI. 
Several commenters requested greater clarity on the prohibition on 
disclosure or further extension of the prohibition to additional 
individuals. One commenter opposed extending the prohibition to agents, 
contractors, and, in the case of financial institutions, directors, 
arguing that the existing prohibition in the statute was already overly 
protective of BOI. One commenter did not believe that the proposed rule 
adequately clarifies that the prohibition on disclosure covers 
individuals who receive BOI even after they leave the position in which 
they were authorized to receive the BOI. This commenter suggested that 
the rule should include language that explicitly addresses this 
scenario. This commenter also asked that the prohibition on disclosure 
explicitly extend to an officer, employee, contactor, or agent of 
foreign law enforcement agencies, foreign law enforcement agencies, 
foreign judges, foreign prosecutors, or other foreign authorities. 
Another commenter suggested adding a provision to prohibit disclosure 
by attorneys or parties who may receive BOI in the context of a civil 
or criminal proceeding. Another commenter suggested extending access 
requirements (which would include the prohibition on disclosure of BOI) 
to any individual under contract or under the remit of an entity 
authorized to access BOI (non-employee agents), such as consultants, 
auditors, and third-party service providers.
    Final Rule. The final rule adopts 31 CFR 1010.955(a) as proposed. 
FinCEN believes that the proposed rule, including the extension of the 
disclosure prohibition to certain specified individuals, is necessary 
to fully carry out the CTA's intent to protect sensitive BOI and 
prevent unauthorized disclosure of this information. FinCEN proposed 
these extensions pursuant to 31 U.S.C. 5336(c)(3)(K), which provides 
that ``the Secretary of the Treasury shall establish by regulation 
protocols described in [31 U.S.C. 5336(2)(A)] that . . . provide such 
other safeguards which the Secretary determines (and which the 
Secretary prescribes in regulations) to be necessary or appropriate to 
protect the confidentiality of the beneficial ownership information.'' 
Further, after considering the comments to this provision, FinCEN has 
concluded that this provision is sufficiently clear, in terms of the 
prohibition on disclosure applying to those individuals who leave a 
position in which they were previously authorized to receive BOI. The 
proposed rule stated that, except as authorized, BOI is confidential 
and ``shall not be disclosed by any individual who receives such 
information as'' an officer, employee, contractor, agent, or director. 
This prohibition means that individuals who receive BOI when acting in 
these specified roles cannot disclose BOI (except as authorized in the 
rule) regardless of whether they continue in or leave these roles.
    FinCEN has also determined not to add language extending the 
prohibition on disclosure to an officer, employee, contactor, or agent 
of foreign law enforcement agencies, foreign law enforcement agencies, 
foreign judges, foreign prosecutors, or other foreign authorities. 
FinCEN believes there are existing mechanisms in place under the CTA 
that would appropriately protect BOI in these circumstances. For 
example, in the context of foreign access to BOI through a request made 
under an international treaty, agreement, or convention, the handling 
and use of BOI would be governed by the disclosure and use provisions 
of the relevant international treaty, agreement, or

[[Page 88743]]

convention.\75\ As for trusted foreign countries, the CTA explicitly 
limits the use of BOI ``for any purpose other than the authorized 
investigation or national security or intelligence activity'' \76\ and 
proposed 31 CFR 1010.955(c)(2)(ix) (now renumbered as 31 CFR 
1010.955(c)(2)(x)) provided that ``any information disclosed by FinCEN 
under paragraph (b) of this section shall not be further disclosed to 
any other person for any purpose without the prior written consent of 
FinCEN, or as authorized by applicable protocols or guidance that 
FinCEN may issue.'' In the event of improper disclosure of BOI by a 
trusted foreign country, FinCEN would consider all available remedies 
including FinCEN's authority to reject a request for BOI or suspend a 
requesting party's access to such information.\77\
---------------------------------------------------------------------------

    \75\ See 31 U.S.C. 5336(c)(2)(B)(ii)(I)(aa).
    \76\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
    \77\ See proposed 31 CFR 1010.955(e)(3).
---------------------------------------------------------------------------

    FinCEN has also decided not to specifically extend the prohibition 
on disclosure to parties in a civil and criminal proceeding because it 
views this scenario as being covered by the regulations, specifically 
by the provision prohibiting redisclosure without the prior consent of 
FinCEN.\78\ FinCEN will consider, however, whether to issue guidance or 
FAQs to further address issues relating to public disclosure of BOI in 
civil or criminal proceedings. With respect to the commenter suggesting 
that FinCEN add language to specify that individuals under contract or 
under the remit of an entity authorized to access BOI (including 
consultants, auditors, and third-party service providers) are covered 
by the prohibition on disclosure, FinCEN believes that proposed 31 CFR 
1010.955(a) sufficiently covers these individuals as contractors or 
agents.
---------------------------------------------------------------------------

    \78\ 31 CFR 1010.955(c)(2)(ix).
---------------------------------------------------------------------------

C. Disclosure of Information by FinCEN

    As discussed in the proposed rule, the CTA authorizes FinCEN to 
disclose BOI to five categories of recipients. The first category 
consists of recipients in Federal, State, local and Tribal government 
agencies.\79\ Within this category, FinCEN may disclose BOI to Federal 
agencies engaged in national security, intelligence, or law enforcement 
activity if the requested BOI is for use in furtherance of such 
activity.\80\ FinCEN may also disclose BOI to State, local, and Tribal 
law enforcement agencies if ``a court of competent jurisdiction'' has 
authorized the law enforcement agency to seek the information in a 
criminal or civil investigation.\81\
---------------------------------------------------------------------------

    \79\ 31 U.S.C. 5336(c)(2)(B) and 31 U.S.C. 5336(c)(5).
    \80\ 31 U.S.C. 5336(c)(2)(B)(i)(I).
    \81\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    The second category consists of foreign law enforcement agencies, 
judges, prosecutors, central authorities, and competent authorities 
(``foreign requesters''), provided their requests come through an 
intermediary Federal agency, meet certain additional criteria, and are 
made either (1) under an international treaty, agreement, or 
convention, or (2) via a request made by law enforcement, judicial, or 
prosecutorial authorities in a trusted foreign country (when no 
international treaty, agreement, or convention is available).\82\
---------------------------------------------------------------------------

    \82\ 31 U.S.C. 5336(c)(2)(B)(ii).
---------------------------------------------------------------------------

    The third authorized recipient category are financial institutions 
using BOI to facilitate compliance with customer due diligence 
requirements under applicable law, provided the financial institution 
requesting the BOI has the relevant reporting company's consent for 
such disclosure.\83\
---------------------------------------------------------------------------

    \83\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------

    The fourth category is Federal functional regulators and other 
appropriate regulatory agencies acting in a supervisory capacity 
assessing financial institutions for compliance with customer due 
diligence requirements.\84\ These agencies may access the BOI 
information that financial institutions they supervise received from 
FinCEN.
---------------------------------------------------------------------------

    \84\ 31 U.S.C. 5336(c)(2)(B)(iv).
---------------------------------------------------------------------------

    The fifth and final category of authorized BOI recipients is the 
Treasury itself, for which the CTA provides access to BOI tied to an 
officer or employee's official duties requiring BOI inspection or 
disclosure, including for tax administration.\85\
---------------------------------------------------------------------------

    \85\ 31 U.S.C. 5336(c)(5).
---------------------------------------------------------------------------

i. Disclosure to Federal Agencies for Use in Furtherance of National 
Security, Intelligence, or Law Enforcement Activity
a. Definition of National Security Activity
    Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(i) specified that 
national security activity includes activity pertaining to the national 
defense or foreign relations of the United States, as well as activity 
to protect against threats to the safety and security of the United 
States.
    Comments Received. Commenters generally provided broad support for 
the definition of national security activity in proposed 31 CFR 
1010.955(b)(1)(i), stating that the activity-based approach is 
reasonable, clear, and adequately justified. Some commenters expressed 
the view that the definition should not be further delimited or 
narrowed, as this may impede the intent of the CTA. One recommended 
that FinCEN clarify that the proposed definition is not meant to limit 
Congress's language identifying specific national security threats in 
the CTA's Sense-of-Congress provision.\86\ Another commenter suggested 
adding a reference in the preamble to the illicit finance strategy, as 
defined in the 2021 Memorandum on Establishing the Fight Against 
Corruption as a Core United States National Security Interest. One 
commenter urged FinCEN to include the words ``threats to'' before 
``national defense or foreign relations,'' and two commenters suggested 
substituting the word ``means'' for ``includes'' to clarify that the 
definition is finite. In particular, one of those two commenters noted 
that replacing ``includes'' with ``means'' would be consistent with the 
statute cited in support of the proposed regulation, 8 U.S.C. 
1189(d)(2), which provides that national security ``means'' the 
national defense, foreign relations, or economic interests of the 
United States.
---------------------------------------------------------------------------

    \86\ See CTA, section 6402(3).
---------------------------------------------------------------------------

    Final Rule. The final rule largely adopts the proposed rule, but 
substitutes ``means'' for ``includes'' in definition in the final rule. 
FinCEN agrees that changing ``includes'' to ``means'' will provide 
additional clarity while still retaining the approach described by the 
proposed rule that draws, in large part, from 8 U.S.C. 1189(d)(2). 
Section 1189(d)(2) defines ``national security'' for purposes of 
designating foreign terrorist organizations (FTOs) that threaten U.S. 
national security. As stated in the proposed rule, FinCEN believes this 
definition is appropriate for several reasons. First, the FTO statute 
covers a broad range of national security threats to the United States, 
including those with an economic dimension. That scope is consonant 
with the CTA's goal to combat national security threats that are 
financial in nature, such as money laundering, terrorist financing, 
counterfeiting, fraud, and foreign corruption.\87\ Second, the FTO 
statute arises in a related context insofar as it involves efforts to 
hinder illicit actors' economic activities. FinCEN does not intend this 
definition to exclude any national security threats that Congress 
identified in the CTA. FinCEN also notes that it will determine whether 
an agency's activities are ``national security activities'' that 
qualify the agency for

[[Page 88744]]

access to BOI during the process to establish a MOU governing access 
between the agency and FinCEN. Some undertakings, such as vetting 
potential recipients of foreign assistance and procurement contract 
awards, might constitute ``national security activities'' depending on 
the particular facts and circumstances, and therefore may be evaluated 
as part of that process. FinCEN declines to incorporate into the final 
rule reference to specific strategies to counter corruption or other 
types of specific national security threats. Acts of foreign corruption 
are specifically mentioned in the CTA as acts that harm the national 
security interests of the United States, and as discussed above, are 
already contemplated by the final rule. Referencing specific strategy 
documents is therefore unnecessary and could cause confusion.
---------------------------------------------------------------------------

    \87\ See CTA, section 6402(3)-(6).
---------------------------------------------------------------------------

b. Definition of Intelligence Activity
    Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(ii) defines 
intelligence activity to include ``all activities conducted by elements 
of the United States Intelligence Community that are authorized 
pursuant to Executive Order 12333 (``E.O. 12333''), as amended, or any 
succeeding executive order.''
    Comments Received. A number of commenters supported the proposed 
rule's definition of ``intelligence activity,'' and noted the approach 
taken by FinCEN is reasonable. Some commenters expressed that the 
definition should not be further delimited or narrowed, as this may 
impede the intent of the CTA. Three commenters suggested that the use 
of the word ``includes'' was too broad, and it should be replaced with 
``means'' to clarify that the definition is finite. One commenter 
argued that ``includes'' implies that the proposed rule might allow 
sharing BOI under the intelligence activity provisions of 31 U.S.C. 
5336, outside of the authorization provided by E.O. 12333. This 
commenter also argued that the definition of ``intelligence activity'' 
in proposed 31 CFR 1010.955(b)(1)(ii) conflicts with proposed 31 CFR 
1010.955(b)(3)(i), which refers to disclosures of BOI by FinCEN to an 
intermediary Federal agency for transmission to a foreign agency for 
assistance in intelligence activity authorized under the laws of a 
foreign country. The commenter suggested that FinCEN should revise 
Sec.  1010.955(b)(1)(ii) to read ``(ii) intelligence activity, when 
used in this section in reference to an activity of the United States, 
means all activities that elements of the United States intelligence 
community are authorized to conduct pursuant to E.O. 12333, as amended, 
or any successor [E]xecutive order.'' A different commenter recommended 
that FinCEN make clear that E.O. 12333's limitation on the use of 
United States person information by the Intelligence Community would 
not constrain use of BOI, if the use was otherwise permitted by the 
CTA. One commenter, while concurring with the proposed rule as sensible 
and workable, suggested it should include a reference to the 2021 U.S. 
Strategy on Countering Corruption and its calls for increasing 
intelligence activity on corrupt actors and bolstering information 
sharing between the Intelligence Community and law enforcement.
    Final Rule. The final rule adopts the proposed rule with two 
clarifying edits. First, FinCEN adopts the recommendation to substitute 
``means'' for ``includes'' within the definition, in order to clarify 
that ``intelligence activity'' covers only those activities conducted 
by elements of the United States Intelligence Community that are 
authorized pursuant to E.O. 12333, as amended, or any succeeding 
executive order. Second, FinCEN agrees that the definition of 
``intelligence activity'' in proposed 31 CFR 1010.955(b)(1)(ii) was 
incompatible with the authorization for sharing of BOI with foreign 
requesters in proposed 31 CFR 1010.955(b)(3)(i), as it proposed to 
define intelligence activities throughout the rule exclusively by 
reference to U.S. legal authorities. The final rule corrects this 
mistake by inserting new 31 CFR 1010.955(b)(3)(iv), a definition of the 
term ``intelligence activity authorized under the laws of a foreign 
country'' that clearly relates such activity to foreign legal 
authorities that establish what constitute legally acceptable 
intelligence activities under the laws of another country, as E.O. 
12333 does for U.S. law.\88\
---------------------------------------------------------------------------

    \88\ FinCEN has addressed an analogous drafting problem in 
proposed 31 CFR 1010.955(b)(1)(i) with reference to the term 
``national security activity'' by defining the term ``national 
security activity authorized under the laws of a foreign country'' 
in new 31 CFR 1010.955(b)(3)(iii).
---------------------------------------------------------------------------

    FinCEN does not believe that additional clarifications are 
necessary regarding the scope of access to BOI by Federal agencies 
engaged in intelligence activity, to the extent the activity relates to 
United States persons. E.O. 12333 sets out the scope of authorized 
activity and, among other things, provides that agencies shall, 
consistent with the provisions of the Order, prepare and provide 
intelligence in a manner that ``allows the full and free exchange of 
information, consistent with applicable law and presidential 
guidance.'' Internal procedures established pursuant to the Order 
further govern the handling of information relating to U.S. persons. 
Finally, FinCEN declines to incorporate into the final rule reference 
to specific strategies to counter corruption or other national security 
threats, while noting that acts of foreign corruption are specifically 
mentioned in the CTA as acts that harm the national security interests 
of the United States.
c. Definition of Law Enforcement Activity
    Proposed Rule. Proposed 31 CFR 1010.955(b)(1)(iii) defined ``law 
enforcement activity'' to include ``investigative and enforcement 
activities relating to civil or criminal violations of law.'' The 
proposed rule specified that such activity does not include routine 
supervision or examination of a financial institution by a Federal 
regulatory agency with authority described in 31 CFR 
1010.955(b)(4)(ii)(A). The inclusion of both investigation and 
enforcement as ``law enforcement activity'' was based on FinCEN's view 
that it is consistent with the CTA to authorize Federal agencies to 
access BOI at all stages of the law enforcement process.
    Comments Received. Commenters generally agreed with the definition 
in 31 CFR 1010.955(b)(1)(iii), stating that the proposed rule is 
reasonable and workable. One commenter emphasized the need for law 
enforcement to have access to BOI during all stages of criminal or 
civil investigations. Two commenters suggested that the use of the word 
``includes'' was too broad, and it should be replaced with ``means'' to 
clarify that the definition is finite. Some commenters expressed that 
the definition should not be further delimited or narrowed, as this may 
impede the intent of the CTA. One commenter concurred with the 
exclusion of routine supervision and examination by Federal regulator 
agencies, as these activities are covered by a separate section of the 
CTA, and the proposed rule also recognizes that Federal functional 
regulators engage in law enforcement activities that will enable them 
to request BOI. However, two commenters took an opposite view, arguing 
that the proposed rule should be modified either at 31 CFR 
1010.955(b)(1) or 31 CFR 1010.955(b)(1)(iii) to explicitly include 
disclosure to Federal regulatory agencies for law enforcement purposes 
as a disclosure governed by 1010.955(b)(1). Another commenter supported 
the broad definition of law enforcement activity but sought an explicit 
extension of the definition to State, local, and Tribal authorities, as

[[Page 88745]]

well as the inclusion of specific exemplar criminal violations related 
to taxes, wages, theft, forgery, insurance fraud, and human 
trafficking.
    Final Rule. The final rule adopts the proposed rule with the 
exception of one clarifying edit. Specifically, FinCEN adopts the 
recommendation to substitute ``means'' for ``includes'' within the 
definition to further clarify the definition, while retaining the 
approach from the proposed rule. FinCEN also notes that it will 
determine whether an agency's activities are ``law enforcement 
activities'' qualifying it for access to BOI during the process to 
establish a MOU between the agency and FinCEN governing such access. 
FinCEN declines to incorporate into the final rule reference to 
specific criminal violations, as this is redundant considering the 
existing language regarding civil or criminal violations of law.
    Regarding the role of Federal regulatory agencies, FinCEN does not 
believe that a change to the proposed language is warranted. As stated 
in the proposed rule, the access provision for Federal agencies engaged 
in national security, intelligence, or law enforcement activities 
focuses on activity categories, not agency types. To the extent a 
Federal functional regulator engages in civil law enforcement 
activities, those activities would be covered by the law enforcement 
access provision.
ii. Disclosure to State, local, and Tribal Law Enforcement Agencies for 
Use in Criminal or Civil Investigations
a. A Court of Competent Jurisdiction
    Proposed Rule. The CTA permits FinCEN to disclose BOI upon receipt 
of a request, through appropriate protocols, ``from a State, local, or 
Tribal law enforcement agency, if a court of competent jurisdiction, 
including any officer of such a court, has authorized the law 
enforcement agency to seek the information in a criminal or civil 
investigation.'' \89\ Proposed 31 CFR 1010.955(b)(2) implements this 
provision and would allow FinCEN to disclose BOI to a State, local, or 
Tribal law enforcement agency that requests this information if a court 
of competent jurisdiction has authorized the agency's request for the 
BOI for use in a criminal or civil investigation. Proposed 31 CFR 
1010.955(b)(2)(i) further provided that a court of competent 
jurisdiction is ``any court'' with jurisdiction over the criminal or 
civil investigation for which a State, local, or Tribal agency requests 
BOI.
---------------------------------------------------------------------------

    \89\ 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    Comments Received. Commenters were generally supportive of the 
definition of the phrase ``court of competent jurisdiction'' in 
proposed 31 CFR 1010.955(b)(2)(i). These commenters noted that the 
proposed definition is flexible enough to encompass a wide variety of 
courts and will facilitate the ability of State, local, or Tribal law 
enforcement agencies to seek court authorization for the purpose of 
requesting BOI from FinCEN. Several commenters requested that FinCEN 
explicitly include administrative courts and adjudicatory bodies such 
as boards and commissions. One commenter noted that state and local 
governments allow civil law enforcement proceedings to occur in 
hearings before adjudicators that are independent of law enforcement, 
such as administrative law judges. Some commenters also recommended 
that ``court of competent jurisdiction'' should explicitly account for 
jurisdiction over an investigation or a ``case'' because BOI may be 
relevant to both.
    Final Rule. The final rule adopts 31 CFR 1010.955(b)(2)(i) as 
proposed. FinCEN agrees with the commenters who thought the level of 
clarity provided by this provision is sufficient to encompass the 
various types of courts and adjudicatory bodies that exist in State, 
local, and Tribal jurisdictions, including those which some commenters 
suggested that FinCEN explicitly reference. The reference in this 
provision to ``any court'' that has jurisdiction over an investigation 
provides broad and, in FinCEN's view, sufficiently clear applicability. 
As such, FinCEN believes it is unnecessary to list specific types of 
adjudicatory bodies that would qualify as a court of competent 
jurisdiction. Further, in response to the comments that requested that 
FinCEN clarify that a court of competent jurisdiction includes an 
adjudicative body with jurisdiction over both investigations and 
``cases'' (understood as ongoing civil or criminal court proceedings), 
FinCEN has followed the formulation in the CTA, which uses the term 
``criminal or civil investigation.'' \90\ However, FinCEN does not 
believe that this clause excludes State, local, or Tribal agencies from 
seeking a request for BOI as part of an ongoing ``case,'' whether that 
be a civil proceeding or a criminal prosecution following an initial 
investigation.
---------------------------------------------------------------------------

    \90\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

b. State, Local, or Tribal Law Enforcement Agencies
    Proposed Rule. Proposed 31 CFR 1010.955(b)(2)(ii) defined a 
``State, local, or Tribal law enforcement agency'' as ``an agency of a 
State, local, or Tribal government that is authorized by law to engage 
in the investigation or enforcement of civil or criminal violations of 
law.'' The proposed rule defined this term in a manner similar to the 
proposed definition of ``law enforcement activity'' for Federal 
agencies to ensure consistency regardless of whether law enforcement 
activity occurs at the Federal, State, local, or Tribal, level.
    Comments Received. Several commenters argued that FinCEN should 
clarify in the final rule that State, local, and Tribal law enforcement 
agencies include various types of administrative and regulatory bodies 
covering a range of subject areas such as labor and employment, 
contracting, tax, unemployment insurance, and workers' compensation, 
among others. One commenter recommended that FinCEN amend 31 CFR 
1010.955(b)(2)(ii) to state that a State, local or Tribal law 
enforcement agency is one that is authorized by law to investigate or 
enforce civil, criminal, ``or administrative'' violations of law. Some 
commenters noted that many State, local, and Tribal regulatory agencies 
also have law enforcement functions insofar as they have the authority 
to both issue regulations and enforce compliance with regulations. One 
of these commenters believed that proposed 31 CFR 1010.955(b)(2)(ii) 
already covers these regulatory agencies. Finally, one commenter 
suggested that FinCEN clarify that local enforcement agencies include 
non-Federal agencies within the government of the District of Columbia.
    Final Rule. FinCEN is adopting 31 CFR 1010.955(b)(2)(ii) as 
proposed. FinCEN believes that this provision is adequately clear and 
sufficiently flexible to encompass the many varieties of State, local, 
and Tribal law enforcement agencies that engage in the investigation or 
enforcement of civil or criminal violations of law, including 
regulatory violations. As a result, it is not necessary, in FinCEN's 
view, to specifically list examples of State, local, and Tribal law 
enforcement agencies, as some commenters requested. Furthermore, in 
response to the commenter's request that the final rule explicitly 
include non-Federal agencies within the District of Columbia, FinCEN 
believes this is unnecessary because the

[[Page 88746]]

definition of ``State'' in the CTA includes the District of 
Columbia.\91\
---------------------------------------------------------------------------

    \91\ 31 U.S.C. 5336(a)(12); see also supra note 5.
---------------------------------------------------------------------------

c. Court Authorization and Written Certification
    Proposed Rule. The CTA provides that FinCEN may disclose BOI to a 
State, local, or Tribal law enforcement agency ``if a court of 
competent jurisdiction, including any officer of such a court, has 
authorized the law enforcement agency to seek the information in a 
criminal or civil investigation.'' \92\ Proposed 31 CFR 1010.955(b)(2) 
would implement this provision of the CTA by allowing FinCEN to 
disclose BOI to a State, local, or Tribal law enforcement agency that 
requests this information if a court of competent jurisdiction 
authorizes the agency's request for the BOI for use in a criminal or 
civil investigation. FinCEN did not propose to identify every kind of 
court authorization that would satisfy the CTA, and it did not propose 
to specify which officers of a court may provide authorization. That is 
because FinCEN recognized that State, local, and Tribal practices are 
likely to be varied with respect to how law enforcement agencies may be 
authorized by a court to seek information in connection with an 
investigation or prosecution.
---------------------------------------------------------------------------

    \92\ See 31 U.S.C. 5336(c)(2)(B)(i)(II).
---------------------------------------------------------------------------

    In addition, the proposed rule included safeguards designed to 
protect the confidentiality of BOI and ensure it is not misused. These 
requirements were also meant to ensure that FinCEN could properly audit 
requests for BOI from State, local, and Tribal law enforcement 
agencies, consistent with the CTA's audit requirements.\93\ As a 
result, proposed 31 CFR 1010.955(d)(1)(ii)(B)(2) required that when a 
State, local, or Tribal law enforcement agency requests BOI from 
FinCEN, the head of such an agency or their designee would have to 
submit to FinCEN, ``in the form and manner as FinCEN shall prescribe:'' 
(i) a copy of a court order from a court of competent jurisdiction 
authorizing the agency to seek the BOI in a criminal or civil 
investigation, and (ii) a written justification explaining why the 
request for BOI is relevant to the civil or criminal investigation. The 
proposed rule further explained that after FinCEN reviewed the relevant 
authorization for sufficiency and approved the request, an agency could 
then conduct searches using multiple search fields consistent in scope 
with the court authorization and subject to audit by FinCEN.\94\ Thus, 
the court order and written justification requirements in the proposed 
rule were meant to serve multiple purposes--i.e., to ensure that a 
court of competent jurisdiction has authorized an agency's request for 
the BOI, protect the security of confidential BOI, and enable FinCEN to 
conduct required audits of searches by State, local, or Tribal law 
enforcement agencies.
---------------------------------------------------------------------------

    \93\ See 31 U.S.C. 5336(c)(3)(J).
    \94\ 87 FR at 77409-10.
---------------------------------------------------------------------------

    These requirements were proposed alongside other security and 
confidentiality requirements applicable to all domestic government 
requesters of BOI. For example, the proposed rule explained that 
Federal agency users of FinCEN's BOI database would be required to 
submit brief justifications to FinCEN for their searches, explaining 
how their searches further a particular qualifying activity, and these 
justifications would be subject to oversight and audit by FinCEN. 
Additionally, the proposed rule required a Federal, State, local, or 
Tribal agency requesting BOI to minimize to the greatest practicable 
extent the scope of BOI it seeks, consistent with the agency's purpose 
in requesting BOI.
    Comments Received. Commenters generally opposed the requirements in 
proposed 31 CFR 1010.955(d)(1)(ii)(B)(2)(i) that the head of a State, 
local, or Tribal law enforcement agency, or their designee, must obtain 
and submit a copy of a court order to FinCEN authorizing the agency to 
seek BOI in a criminal or civil investigation. Commenters opposed the 
court order requirements for two broad reasons: they argued that, 
first, these requirements conflict with the plain language of the CTA 
as well as with congressional intent; and second, these requirements 
would create burdens on State, local, and Tribal agencies that would 
impede their ability to access BOI in a timely manner, which would be 
contrary to the goals of the CTA. In general, commenters encouraged 
FinCEN to take a more flexible approach in specifying the manner in 
which a court authorizes a request for BOI, which court personnel can 
provide that authorization, and at what stage in an investigation or 
proceeding agencies may seek the BOI from FinCEN. In sum, these 
commenters argued that the final rule should adopt the broader concept 
of court authorization from the CTA.
    Commenters also generally opposed for largely the same reasons the 
requirement in proposed 31 CFR 1010.955(d)(1)(ii)(B)(2)(i) that the 
agency head must also submit a written justification to FinCEN 
explaining the relevance of the BOI for the investigation. 
Specifically, some commenters noted that the CTA does not contain such 
a requirement, expressed concerns that this requirement would unduly 
delay requests by agencies for BOI, and highlighted the challenges 
involved in FinCEN reviewing each justification provided by an agency 
that requests BOI.
    In the first category of objections to the court order requirement, 
several commenters argued that the proposed rule conflicts with the 
plain language of the CTA which does not require a court order for 
State, local, or Tribal law enforcement agencies seeking access to BOI. 
Instead, these commenters pointed out that the CTA uses the general 
concept of court authorization, which could also include other kinds of 
authorization. Commenters also cited the legislative history of the CTA 
in arguing that Congress intended to create a less formal and more 
flexible process. These commenters noted that Congress had considered 
and rejected a narrower concept than court authorization when debating 
the CTA's provision concerning State, local, and Tribal law enforcement 
agency access to BOI.
    In the second category of objections to the proposed court order 
requirement, commenters argued that a court order requirement would 
place unnecessary burdens on State, local, and Tribal law enforcement 
agencies as well as the courts involved because of the need to take 
additional efforts to obtain a court order. These burdens would be 
exacerbated because these agencies often face greater resource 
constraints compared to their Federal counterparts. The result would be 
delays in investigations. One commenter noted that the requirement 
could give some courts the impression that formal pleadings, evidence-
based standards, or a hearing is necessary to authorize a request for 
BOI.
    Furthermore, commenters argued that a court order requirement would 
effectively restrict agencies to working only with a narrow category of 
court officers, most likely a judge, rather than ``any officer of such 
court'' as the CTA permits. These commenters also argued that, as a 
result, the court order requirement conflicts with the CTA. One 
commenter recommended that the final rule should clearly state that a 
court officer includes any individual who exercises court authority, 
including a judge, magistrate, clerk, bailiff, sheriff, prosecutor, 
clerk assistant, or other personnel that the court designates to 
authorize a request for BOI. A few commenters argued that since an 
attorney is commonly considered a ``court officer,'' and many 
jurisdictions allow attorneys to issue subpoenas,

[[Page 88747]]

attorneys should be able to authorize a request for BOI. However, one 
commenter disagreed with this view, arguing that only court personnel 
should be allowed to authorize an agency's request for BOI. In 
addition, one commenter requested that FinCEN provide guidance to court 
officials who are involved in authorizing an agency's request for BOI, 
setting forth the proper procedures for reviewing these requests as 
well as potentially providing an authorization form for agencies and 
courts to use. Commenters also recommended that FinCEN provide 
flexibility in how the court order was reported to FinCEN.
    Several commenters also highlighted the need for flexibility 
regarding when in the course of a civil or criminal investigation 
courts may authorize a State, local, or Tribal law enforcement agency 
to seek BOI. For example, some commenters requested that FinCEN clarify 
in the final rule that a grand jury subpoena qualifies as court 
authorization under the CTA. Some commenters also argued that the final 
rule should provide more clarity regarding how prosecutors can draft 
grand jury subpoenas to ensure that they would satisfy the court 
authorization requirement. Commenters also requested that the final 
rule clarify that courts should be permitted to authorize BOI requests 
throughout the full life cycle of an investigation, including after the 
initiation of a civil or criminal proceeding.
    As for the written justification requirement in the proposed rule, 
commenters argued that it could limit the ability of State, local, and 
Tribal law enforcement agencies to access BOI, and commenters noted 
that there is no such requirement in the text of the CTA. Several 
commenters argued that the written justification requirement would 
create a double review process in which these agencies would first have 
to obtain approval from a court for their request for BOI, and then 
they would need to gain a second level of approval from FinCEN. 
According to these commenters, FinCEN would compare the written 
justification to the court order, and based on its review, could reject 
the court's decision to authorize an agency's request for BOI. Some 
commenters argued that such case-by-case review of justifications by 
FinCEN would overwhelm FinCEN's resources and cause significant delays 
in the ability of State, local, and Tribal law enforcement agencies to 
access BOI.\95\ The result, according to several commenters, is that 
the written justification requirement would undermine the CTA's policy 
goal that the database be ``highly useful'' to law enforcement.\96\
---------------------------------------------------------------------------

    \95\ Commenters made several other arguments against the written 
justification requirement. For example, another commenter argued 
that it would be inappropriate for FinCEN to require 
``justification'' from State, local, or Tribal law enforcement 
agencies because the CTA only required ``certifications'' from 
Federal agency heads; that FinCEN does not have the required subject 
matter expertise to evaluate justifications; and that the term 
``justification'' implied a level of persuasiveness that would be 
required in the written statements that State, local, or Tribal law 
enforcement agencies provide when they request BOI.
    \96\ See CTA, section 6402(8)(C).
---------------------------------------------------------------------------

    Finally, some commenters focused on alternative approaches to 
State, local, and Tribal law enforcement access to BOI. One commenter 
argued that the final rule should require that State, local, and Tribal 
law enforcement agencies obtain a grand jury subpoena in order to 
request BOI, and this commenter also supported the written 
justification requirement. One commenter raised concerns about whether 
courts could adequately protect the privacy of BOI and argued that a 
separate government agency should be responsible for managing BOI 
access requests on behalf of State, local, and Tribal agencies. 
Further, one commenter noted that the CTA itself had imposed stricter 
requirements on State, local, and Tribal agencies than it imposed upon 
their Federal counterparts since the CTA imposed a court authorization 
requirement on the former agencies. This commenter believed that 
statutory changes would be necessary to remove the court authorization 
requirement in order to make it simpler for State, local, and Tribal 
agencies to access the BOI database.
    Final Rule. The final rule adopts the requirements for State, 
local, and Tribal law enforcement agencies' access to BOI in proposed 
31 CFR 1010.955(b)(2) without change. However, FinCEN was persuaded by 
comments that were critical of the requirements in proposed 31 CFR 
1010.955(d)(1)(ii)(B)(2) that State, local, and Tribal law enforcement 
agencies submit a copy of a court order and written justification for 
FinCEN review prior to searching for BOI. Accordingly, FinCEN has made 
several changes to that provision in the final rule. These revisions 
are intended to streamline State, local, and Tribal law enforcement 
agency access to BOI and reduce burdens on these agencies and courts as 
well as on FinCEN, while at the same time maintaining robust 
confidentiality and security requirements for these agencies and FinCEN 
oversight and audit of these requests.
    First, Sec.  1010.955(d)(1)(ii)(B)(2)(i) will no longer require 
that these agencies obtain a specific form of court authorization, such 
as a court order. Instead, the final rule requires only that State, 
local, and Tribal law enforcement agencies obtain ``court 
authorization'' to seek BOI from FinCEN as part of a civil or criminal 
investigation. As the preamble to the proposed rule noted, FinCEN 
requested comment on the various types of relevant court authorization 
that exist at the State, local, and Tribal level, and requested that 
commenters explain what role courts or court officers play in 
authorizing evidence-gathering activities, what existing practices 
involve court authorization, and the extent to which new court 
processes could be developed and integrated into existing practices to 
satisfy the CTA's authorization requirement. FinCEN also requested 
comment on the need for access to BOI at different stages of an 
investigation, as well as the privacy interests that may be implicated 
by such access. In requesting comment on these topics, FinCEN sought 
greater clarity on the various mechanisms in which courts might satisfy 
the CTA standard of ``court authorization.'' The comments that FinCEN 
received provided greater clarity on how State, local, and Tribal law 
enforcement agencies could satisfy the CTA's court authorization 
requirement while also meeting FinCEN's obligations under the CTA to 
protect the confidentiality of BOI and prevent potential misuse, 
including by being able to audit requests by agencies for BOI.
    FinCEN agrees that requiring State, local, and Tribal law 
enforcement agencies to obtain a court order may create unnecessary 
burdens. FinCEN further agrees that the statutory language concerning 
court authorization would maintain sufficient flexibility and 
facilitate access to BOI by State, local, and Tribal law enforcement 
agencies while still protecting against unauthorized use or disclosure. 
FinCEN intends the final rule to provide enough flexibility so that a 
variety of court officers--such as a judge, clerk of the court, or 
magistrate--could provide authorization at appropriate stages of the 
investigation process. FinCEN may issue guidance or FAQs on this 
subject in the future if needed, including, for example, on how the 
court authorization requirement would apply to grand jury proceedings. 
Such guidance may also further address questions about court personnel, 
stages of the investigation, court procedures

[[Page 88748]]

for reviewing requests for BOI, and other topics concerning court 
authorization in the context of specific factual circumstances.
    However, FinCEN agrees with those commenters who argued that being 
an attorney, by itself, is not sufficient to empower an individual to 
grant the required court authorization under the CTA. As discussed in 
the proposed rule, FinCEN does not believe the CTA, which includes 
numerous provisions limiting who may access BOI, permits any individual 
with a license to practice law to authorize the disclosure of BOI, even 
if they are sometimes referred to as ``officers of the court'' in other 
contexts. FinCEN further does not agree with the commenter that 
suggested that a separate government agency, apart from a court of 
competent jurisdiction, should handle BOI requests from State, local, 
or Tribal law enforcement agencies. The CTA is clear that these 
agencies must seek court authorization in order to request BOI from 
FinCEN, and FinCEN believes that the security and confidentiality 
requirements reflected in the final rule will be sufficient to protect 
against unauthorized use or disclosure.
    Second, rather than submit a copy of the authorization (such as a 
copy of a court order) to FinCEN, Sec.  1010.955(d)(1)(ii)(B)(2) now 
only requires that State, local, and Tribal law enforcement agencies 
(1) certify that they have received authorization to seek BOI from a 
court of competent jurisdiction and that the BOI is relevant to a civil 
or criminal investigation, and (2) provide a description of the 
information the court has authorized the agency to seek.\97\ FinCEN is 
persuaded by comments stating that the requirement in the proposed rule 
would have set more stringent requirements for State, local, and Tribal 
law enforcement agencies than would apply to their Federal 
counterparts. FinCEN is further persuaded by comments that FinCEN 
should instead allow these agencies to certify that they have obtained 
appropriate authorization from a court of competent jurisdiction.
---------------------------------------------------------------------------

    \97\ FinCEN will specify the precise method of certification at 
a later date.
---------------------------------------------------------------------------

    FinCEN does not intend to look behind these certifications to 
assess the sufficiency of a court's authorization at the time a request 
is submitted. Instead, the final rule clearly reflects FinCEN's role in 
auditing requesting agencies' BOI requests, which requires a process to 
ensure that a request for BOI by a State, local, or Tribal law 
enforcement agency remains within the terms of the court authorization. 
FinCEN believes that the certification requirement, along with the 
requirement to provide a description of the information the court has 
authorized the agency to seek, will provide FinCEN with a sufficiently 
robust means to effectively conduct oversight and audit of such access.
    Third, in response to commenters' concerns, the final rule 
eliminates the written justification requirement in proposed 31 CFR 
1010.955(d)(1)(ii)(B)(2)(ii). Moreover, after considering commenters' 
concerns about potential delays associated with a case-by-case review 
of written justifications from these agencies in connection with BOI 
requests, and taking into account available resources, FinCEN has 
determined that, as a policy matter, it will not conduct individual 
reviews of each request for BOI by State, local, or Tribal law 
enforcement agencies when they are submitted. Rather, consistent with 
requirements of the CTA, FinCEN will conduct robust audit and oversight 
of State, local, and Tribal law enforcement agency searches for BOI to 
ensure that BOI is requested for authorized purposes by authorized 
recipients. Finally, by adopting the broad notion of court 
authorization that the CTA uses, FinCEN is also choosing not to further 
specify in the rule the particular stages of an investigation during 
which courts could authorize a request for BOI by State, local, or 
Tribal agencies.
iii. Disclosure for Use in Furtherance of Foreign National Security, 
Intelligence, or Law Enforcement Activity
a. General
    Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to 
disclose BOI to foreign requesters when certain criteria were 
satisfied. The criteria were that the foreign request for BOI must (1) 
come to FinCEN through an intermediary Federal agency; (2) be for 
assistance in a law enforcement investigation or prosecution, or for a 
national security or intelligence activity, authorized under the laws 
of the foreign country; and (3) either be made under an international 
treaty, agreement, or convention, or, when no such instrument was 
available, be an official request by a law enforcement, judicial, or 
prosecutorial authority of a trusted foreign country.
    Comments Received. A few commenters supported both foreign 
requester access to BOI and the threshold requirements for that access. 
Another commenter stated that the proposed rule should specify 
timelines for processing and responding to foreign requests. One 
commenter stated that BOI should not be shared with foreign requesters 
at all.
    Final Rule. FinCEN adopts the proposed rule without changes. The 
final rule is consistent with the letter, spirit, and purposes of the 
CTA by permitting foreign requesters to obtain BOI for, and use it in, 
the full range of activities contemplated by 31 U.S.C. 
5336(c)(2)(B)(ii) (i.e., law enforcement, national security, and 
intelligence activities). The rule also resolves ambiguities arising 
from inconsistent statutory language. Specifically, one part of the 
CTA's foreign access provision appears to require a request to arise 
from a foreign ``investigation or prosecution,'' \98\ while another 
appears to allow a foreign requester to use BOI to further any 
``authorized investigation or national security or intelligence 
activity.'' \99\ The final rule resolves this discrepancy by clarifying 
that authorized national security and intelligence activities, as well 
as law enforcement investigations or prosecutions, could be a basis for 
a BOI request.
---------------------------------------------------------------------------

    \98\ 31 U.S.C. 5336(c)(2)(B)(ii)(I).
    \99\ 31 U.S.C. 5336(c)(2)(B)(ii)(II)(bb).
---------------------------------------------------------------------------

    FinCEN declines to specify timelines for processing and responding 
to foreign requests. At this juncture, FinCEN does not have sufficient 
data to support a prediction about the average amount of time it will 
take to issue a response to a foreign request. Average response times 
for requests from foreign countries when no international treaty, 
agreement, or convention applies are particularly hard to predict. 
These may often require highly fact-intensive assessments of both the 
requester and the request, require broad analysis of U.S. interests and 
priorities, and involve consultation with other relevant U.S. 
government agencies. Such assessments could take a matter of days or 
significantly longer. While sharing under international treaties, 
conventions, or agreements might follow more predictable timelines, 
unforeseeable procedural, legal, or inter-governmental impediments 
hurdles could create delays. FinCEN commits to processing requests as 
quickly as practicable with available resources rather than establish 
deadlines based on limited data.
b. Intermediary Federal Agency
    Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to 
disclose BOI to foreign requesters when certain criteria were 
satisfied. One criterion identified by the CTA and the proposed 
regulation was that requests for BOI must come to FinCEN through an 
intermediary Federal agency.

[[Page 88749]]

    The CTA did not identify particular intermediary Federal agencies, 
and FinCEN did not propose to identify any by regulation. FinCEN 
instead stated its intention to work with Federal agencies to identify 
agencies suited to serving as intermediaries between FinCEN and foreign 
requesters. For example, one indicator of potential suitability 
identified by FinCEN in the Access NPRM was a Federal agency having 
regular engagement and familiarity with foreign law enforcement 
agencies, judges, prosecutors, central authorities, or competent 
authorities on matters related to law enforcement, national security, 
or intelligence activity. Other factors would include whether a 
prospective intermediary Federal agency has established policies, 
procedures, and communication channels for sharing information with 
those foreign parties, and whether the prospective intermediary Federal 
agency represents the U.S. government in relevant international 
treaties, agreements, or conventions; other factors include the 
expected number of requests that the agency could receive, and the 
ability of the agency to efficiently process requests while managing 
risks of unauthorized disclosure.
    In the Access NPRM, FinCEN stated that it would work with potential 
intermediary Federal agencies to: (1) ensure that they have secure 
systems for BOI storage; (2) enter into MOUs outlining expectations and 
responsibilities; (3) translate the CTA foreign sharing requirements 
into evaluation criteria against which intermediary Federal agencies 
could review requests from foreign requesters; (4) integrate the 
evaluation criteria into the intermediary Federal agencies' existing 
information-sharing policies and procedures; (5) develop additional 
security protocols and systems as required under the CTA and its 
implementing regulations; and (6) ensure that intermediary Federal 
agency personnel have sufficient training on applicable requirements 
under the CTA and its implementing regulations. Under the proposal, 
FinCEN would exercise oversight and audit functions to ensure that 
intermediary Federal agencies adhere to requirements and take 
appropriate measures to mitigate the risk of foreign requesters abusing 
the information.
    Given its longstanding relationships and relevant experience as the 
financial intelligence unit (FIU) of the United States, FinCEN proposed 
to directly receive, evaluate, and respond to requests for BOI from 
foreign FIUs.
    Comments Received. One commenter expressed surprise that the 
proposed rule did not include examples of intermediary Federal 
agencies, while another commenter supported the potential for any 
Federal agency to become an intermediary Federal agency. There were 
varying perspectives on the proposal that FinCEN should act as an 
intermediary Federal agency for BOI requests from foreign FIUs. One 
commenter stated that foreign requesters might funnel all requests for 
BOI through their FIUs if FinCEN served as an intermediary Federal 
agency for foreign FIU requests, which would significantly increase 
FinCEN's workload. That commenter also said that exchanges through FIUs 
were not admissible in court. In contrast, one commenter indicated that 
FinCEN's role should be broadened to include receiving, reviewing, and 
evaluating all foreign requests, not just those from foreign FIUs. 
Another commenter asked FinCEN to clarify that, when reviewing and 
responding to requests for BOI from foreign FIUs, FinCEN would adhere 
to the proposed requirements applicable to other intermediary Federal 
agencies.
    Final Rule. FinCEN adopts the proposed rule without any changes. 
FinCEN is still in the early stages of working to identify intermediary 
Federal agencies, and therefore is not in a position to list those 
agencies in a regulation. FinCEN can anticipate several Federal 
agencies that likely could serve as intermediary Federal agencies given 
that (1) the rule contemplates FinCEN taking indirect requests for BOI 
from foreign requesters; (2) requests will be for assistance in law 
enforcement investigations or prosecutions, or for a national security 
or intelligence activity, authorized under the laws of the relevant 
foreign country; and (3) many requests for BOI will come under 
international treaties, agreements, and conventions. Federal agencies 
that are likely to meet these criteria include the U.S. Departments of 
State and Justice, the Federal Bureau of Investigation, U.S. Customs 
and Border Protection, the IRS, and member agencies of the Intelligence 
Community. This list only provides examples of Federal agencies whose 
activities seem to align with the functions of an intermediary Federal 
agency and is not intended to create expectations regarding possible 
intermediary Federal agencies.
    FinCEN itself will very likely act as the intermediary Federal 
agency for requests for BOI from foreign FIUs. As the FIU for the 
United States, FinCEN already has policies and procedures for, and 
extensive experience in, sharing information related to national 
security, intelligence, and law enforcement activities with foreign 
FIUs through the Egmont Group. Accordingly, FinCEN could leverage 
existing processes and relationships to fulfill the requirements of the 
CTA and its implementing regulations.
    FinCEN does not expect that foreign requesters will funnel all 
requests for BOI through their FIUs and overwhelm FinCEN. The rule 
permits foreign FIUs to request BOI in two scenarios. The first 
scenario is when two conditions apply: (1) the request is for 
assistance in a law enforcement investigation or prosecution, or for a 
national security or intelligence activity, authorized under the laws 
of the foreign country, and (2) a governing international treaty, 
agreement, or convention identifies the foreign FIU as the central or 
competent authority in the matter or otherwise dictates that the 
foreign FIU should request BOI from FinCEN. The second scenario in 
which a foreign FIU may request BOI is when there is no international 
treaty, agreement, or convention available. In this scenario, the 
foreign FIU may request BOI from FinCEN when (1) the request is for 
assistance in a law enforcement investigation or prosecution, or for a 
national security or intelligence activity, authorized under the laws 
of the foreign country, and (2) the FIU qualifies as a law enforcement 
(i.e., authorized by law to engage in the investigation or enforcement 
of civil or criminal violations of law), judicial, or prosecutorial 
authority of a trusted foreign country. Both scenarios involve multiple 
requirements that a foreign FIU must satisfy to request BOI from FinCEN 
and are unlikely to result in a large number of potential requests from 
foreign FIUs.
    On the question of BOI admissibility, FinCEN does not agree with 
the claim by one commenter that information exchanges through FIUs 
necessarily render the disclosed information inadmissible in courts 
around the world with enough frequency to warrant concern. Furthermore, 
if information exchanges between FIUs do render information 
inadmissible in some foreign courts, the CTA and this final rule 
provide means other than FIU exchanges by which foreign requesters may 
obtain BOI, namely through foreign judges, prosecutors, law enforcement 
agencies, and other central and competent authorities.\100\ FinCEN is 
confident that foreign requesters that require admissible BOI, that are

[[Page 88750]]

authorized to receive BOI under the terms set forth in the CTA and this 
final rule, and that satisfy all applicable criteria for BOI disclosure 
will be able to obtain the information they need in an admissible form 
through an intermediary Federal agency.
---------------------------------------------------------------------------

    \100\ See 31 U.S.C. 5336(c)(2)(B)(ii); 31 CFR 1010.955(b)(3).
---------------------------------------------------------------------------

    Nonetheless, FinCEN believes it should act as an intermediary 
Federal agency for BOI requests from foreign FIUs. Receiving, 
reviewing, and responding to requests for BOI from all foreign 
requesters would not be feasible, given FinCEN's resource limitations.
c. Foreign Central or Competent Authority
    Proposed Rule. Proposed 31 CFR 1010.955(b)(3) authorized FinCEN to 
disclose BOI to foreign requesters when certain criteria were 
satisfied. The CTA did not define central or competent authorities, and 
so FinCEN proposed to make clear that ``[a] relevant `foreign central 
authority or foreign competent authority' would be the agency 
identified in an international treaty, agreement, or convention under 
which a foreign request is made'' (emphasis added.) This decision was 
based on FinCEN's understanding that ``foreign central authority'' and 
``foreign competent authority'' are terms of art typically defined 
within the context of a particular agreement. FinCEN's goal was to 
remove any ambiguity around the terms without unduly excluding 
appropriate foreign requesters from access to BOI.
    Comments Received. One commenter pointed to the FATF and the Egmont 
Group as potential means of identifying foreign central and competent 
authorities. Specifically, the commenter stated that, because the 
United States is a member of both organizations, either body's method 
of designating foreign central or competent authorities (with 
appropriate safeguards) should allow an agency designated through that 
method to qualify as a foreign central or competent authority for the 
purposes of the CTA.
    Another commenter stated that requiring foreign central and 
competent authorities to be identified as such in a governing 
international treaty, agreement, or convention was overly restrictive. 
The commenter's concern stems from the word ``in.'' To support its 
position, the commenter points to the Hague Convention for Service 
Abroad of Judicial and Extrajudicial Documents in Civil or Commercial 
Matters and the Hague Convention on the Taking of Evidence Abroad in 
Civil or Commercial Matters. The commenter states that both agreements 
provide for the use of a central authority for the receipt of requests 
for service or evidence by requiring a contracting state to designate a 
central authority and organize the central authority in accordance with 
its own law. Requiring designation of that central authority upfront in 
the treaty itself, the commenter claims, would remove some level of 
flexibility, and would require cumbersome treaty amendment processes 
were a party to change the specified central authority.
    As an alternative, this same commenter suggested looking to the 
service provisions of the Foreign Sovereign Immunities Act, and in 
particular 28 U.S.C. 1608, to allow for largely undefined ``special 
arrangements'' to govern BOI disclosure through agencies other than 
central authorities. The commenter again pointed to the difficulty of 
changing treaties to reflect new central authorities, and viewed 
``special arrangements'' as possibly providing ``an approach to better 
manage the foreign access provisions of the CTA on a case-by-case 
basis.''
    Final Rule. FinCEN adopts the proposed rule, but with a 
clarification about its meaning.
    In the course of drafting the Access NPRM, FinCEN conducted 
extensive outreach to the Department of State, the Department of 
Justice, and other Federal agencies that participate in international 
affairs on behalf of the United States. As a result, Treasury 
understands that ``central authority'' and ``competent authority'' are 
referents that may be reliant on international treaties, agreements, 
and conventions for context and meaning. If an institution derives its 
status as a central and competent authority pursuant to an 
international treaty, agreement, or convention, then by definition 
requiring foreign central and competent authorities to be identified as 
such under governing international treaties, agreements, or conventions 
is not overly restrictive. In contrast, FATF and the Egmont Group are 
not international bodies established by treaty, agreement, or 
convention, nor do they issue, implement, or administer any of the 
international treaties, agreements, or conventions that make an 
institution a central or competent authority. That said, information 
from both bodies could be useful in determining whether foreign 
countries are ``trusted'' in situations when no international treaty, 
agreement, or convention is available.
    When such an agreement is available, a commenter makes a reasonable 
point that the instrument might not specifically identify particular 
central or competent authorities, but might instead direct contracting 
states to identify them through other means. The Hague conventions, 
which the commenter points to as examples, are instructive. As the 
commenter notes, both conventions require contracting states to 
identify central authorities to administer convention obligations, but 
do not themselves identify specific institutions of any particular 
governments as central authorities. That work is left to implementing 
statutes and regulations in contracting states. FinCEN understands that 
this is a common arrangement in international agreements. Consequently, 
for purposes of 31 CFR 1010.955(b)(3), a foreign central or competent 
authority may be identified as such either directly by a governing 
treaty, agreement, or convention, or by the statutes, regulations, or 
other legal means by which the relevant foreign requester country has 
implemented the agreement.
    With this clarification, FinCEN sees no need to resort to ``special 
arrangements'' under 28 U.S.C. 1608 of the Foreign Sovereign Immunities 
Act to disclose BOI to foreign requesters. The CTA is clear about which 
foreign requesters may obtain BOI from FinCEN, as well as the criteria 
they must satisfy and the general process they must follow to obtain 
it. The resulting framework reflects the requirements of the CTA but 
remains flexible enough to accomplish the stated aims and purposes of 
the CTA without need for supplemental measures.
d. Trusted Foreign Country
    Proposed Rule. Proposed 31 CFR 1010.955(b)(3)(ii)(B) authorized 
FinCEN to disclose BOI in response to official requests by law 
enforcement, judicial, or prosecutorial authorities of ``trusted'' 
foreign countries when other criteria are satisfied. The other criteria 
were that the request for BOI must (1) come to FinCEN through an 
intermediary Federal agency; and (2) be for assistance in a law 
enforcement investigation or prosecution, or for a national security or 
intelligence activity, authorized under the laws of the foreign 
country. In keeping with the CTA, the ``trusted foreign country'' 
requirement would come into play when there is no international treaty, 
agreement, or convention available under which the relevant foreign 
country could make the request.
    The CTA does not provide criteria for determining whether a 
particular foreign country is ``trusted,'' leaving FinCEN with 
flexibility to make the determination. FinCEN considered identifying 
particular countries or groups of countries as ``trusted'' for the

[[Page 88751]]

purposes of receiving BOI, but determined that such a restrictive 
approach could arbitrarily exclude foreign requesters with whom sharing 
BOI might be appropriate in some cases but not others. FinCEN proposed 
in the Access NPRM to instead consult with relevant U.S. government 
agencies on a case-by-case basis to determine whether to disclose BOI 
to foreign requesters when no international treaty, agreement, or 
convention applies. In making these determinations, FinCEN and the 
consulting agencies would consider U.S. priorities and interests, as 
well as the ability of a foreign requester to maintain the security and 
confidentiality of requested BOI.
    Comments Received. Commenters generally wanted to know either which 
foreign countries would be ``trusted'' or the criteria by which FinCEN 
would identify trusted foreign countries. One commenter wanted a 
searchable list of trusted foreign countries. Multiple commenters 
suggested that FinCEN publicly define its trust criteria, with some 
arguing that a non-transparent case-by-case determination process could 
yield unjustifiably disparate treatment. One commenter suggested either 
defining ``trusted'' or dropping the term entirely and relying solely 
on treaties, agreements, and conventions. Another commenter noted a 
FinCEN definition would promote consistency of access.
    A few commenters argued that FinCEN should not have sole discretion 
to determine which countries are trusted, as such decisions have 
implications for national security and foreign relations. One commenter 
supported FinCEN's decision not to develop a prior list of trusted 
foreign countries because such a list would inevitably change over 
time. That same commenter further argued, however, that FinCEN should 
define the ``relevant U.S. government agencies'' with which it would 
consult to make trust determinations as including the Departments of 
State and Justice, and should announce that, at a minimum, FinCEN will 
treat members of NATO, the EU, and the G7 group of nations as trusted 
foreign countries absent special circumstances. Another commenter 
stated that FinCEN had taken a sensible approach regarding the trusted 
foreign country requirements, but might consider giving advance notice 
to countries that would explicitly not be trusted.
    Final Rule. FinCEN adopts the proposed rule with limited 
clarifications. FinCEN agrees with the commenter that the rule would 
benefit from identifying particular agencies with which FinCEN is 
likely to consult when no international treaty, agreement, or 
convention applies to a foreign request for BOI and FinCEN needs to 
determine whether the country at issue is ``trusted.'' FinCEN is 
therefore specifying in the rule that, in determining whether a request 
is from a ``trusted foreign country,'' FinCEN will make such 
determination with the concurrence of the Department of State, and in 
consultation with the Department of Justice or other agencies as 
necessary and appropriate. Specifying that FinCEN will seek the 
Department of State's concurrence on these determinations reflects the 
Department of State's central role in conducting U.S. foreign policy 
and foreign relations. FinCEN has also explicitly identified the 
Department of Justice to reflect the major role that the Department 
Justice plays in U.S. relations with other countries in law 
enforcement, national security, and intelligence activities, and the 
commensurate likelihood that FinCEN will regularly consult it when 
making trust determinations. However, identifying these two agencies 
within the regulation does not mean that FinCEN will only consult them 
when making trust determinations, or that FinCEN is delegating its 
authority to make those determinations. Indeed, FinCEN will consult 
with agencies other than the Departments of State and Justice when 
appropriate, e.g., when those agencies have relevant equities, 
expertise, or relationships with foreign governments.
    While FinCEN is choosing to clarify the interagency coordination 
element of its trust determination process, it is not defining 
``trusted'' or enumerating criteria it will use to assess requests for 
BOI when no international treaty, agreement, or convention applies. 
There are likely too many situations in which providing other countries 
with BOI might be in the best interest of the United States to reduce 
that complexity to a single definition or list. That same variability 
also weighs against preemptively identifying certain countries as 
either wholly trusted or not. Particular facts and circumstances are 
relevant to the determination and may result in different outcomes 
where the same foreign requester is involved. These are dynamic 
situations to which FinCEN must be able to respond flexibly, in 
consultation with relevant Federal agencies. At this time, FinCEN 
believes that it is important to retain appropriate discretion in 
making determinations regarding ``trusted'' foreign countries in 
particular circumstances, and declines to adopt restrictive definitions 
or criteria that could be detrimental to broader U.S. interests.
e. Training
    Proposed Rule. Proposed 31 CFR 1010.955(d)(3)(i) required foreign 
requesters to handle, disclose, and use BOI consistent with the 
requirements of the applicable treaty, agreement, or convention under 
which it was requested. 31 CFR 1010.955(d)(3)(ii), meanwhile, applied 
to situations in which there was no applicable treaty, agreement, or 
convention, and would have imposed on foreign BOI requesters certain 
general requirements that the CTA imposes on all requesting 
agencies.\101\ FinCEN believed these measures were necessary to protect 
the security and confidentiality of BOI provided to foreign 
requesters.\102\ Proposed requirements applicable to foreign requesters 
when no treaty, agreement, or convention applies included having 
security standards and procedures, maintaining a secure storage system 
that complies with the security standards that the foreign requester 
applies to the most sensitive unclassified information it handles, 
minimizing the amount of information requested, and restricting 
personnel access to BOI to persons ``[w]ho have undergone training on 
the appropriate handling and safeguarding [BOI].'' Foreign requesters 
that request and receive BOI under an applicable international treaty, 
agreement, or convention would not have these requirements under the 
proposed rule, given that such requesters would be governed by 
standards and procedures prescribed by the applicable international 
treaty, agreement, or convention.
---------------------------------------------------------------------------

    \101\ In the Access NPRM, FinCEN misnumbered this provision as a 
duplicate 31 CFR 1010.955(d)(3)(i).
    \102\ See 31 U.S.C. 5336(c)(3)(A), (K).
---------------------------------------------------------------------------

    Comments Received. Several commenters indicated that FinCEN should 
revise the requirement that foreign requesters limit access to BOI to 
persons ``[w]ho have undergone training on the appropriate handling and 
safeguarding of [BOI].'' One commenter expressed the view that the 
training requirement was stricter than the one proposed for domestic 
agencies, under which personnel with access to BOI either had to 
receive training on its handling and safeguarding or received the 
information from someone who had undergone such training. Another 
commenter suggested that FinCEN adopt this domestic agency standard for

[[Page 88752]]

foreign requesters. Other commenters variously stated that training in 
this context is superfluous given the other requirements applicable to 
foreign requesters, that training requirements would exceed reciprocal 
standards imposed by foreign partners when U.S. government agencies 
obtained beneficial ownership information from foreign BOI databases, 
and that FinCEN should define with greater precision the requirements 
for foreign requester training.
    Final Rule. FinCEN adopts the proposed rule with changes. First, 
FinCEN fixed the typographical error in 31 CFR 1010.955(d)(3)(ii) to 
reflect the provision's correct numbering. Second, FinCEN has removed 
the proposed rule's requirement that an individual from an intermediary 
Federal agency submit personal details when making each request on 
behalf of a foreign requester. That is because the individual will 
submit identifying information to FinCEN at the time they create an 
account to access FinCEN's BO IT system, which will be necessary to 
make requests on behalf of foreign governments. FinCEN will provide 
guidance to intermediary Federal agencies at a later time on how users 
of the BO IT system will set up these accounts.
    The third change to the proposed provision pertains to 
certification requirements in situations involving ``trusted'' foreign 
countries. FinCEN originally proposed to require each intermediary 
Federal agency requesting BOI on behalf of a foreign requester under 
proposed 31 CFR 1010.955(b)(3)(ii)(B) to submit to FinCEN ``[a] written 
explanation of the specific purpose for which the foreign person is 
seeking information . . . along with an accompanying certification that 
the information is for use in furtherance of a law enforcement 
investigation or prosecution, or for a national security or 
intelligence activity, that is authorized under the laws of the 
relevant foreign country; will be used only for the particular purpose 
or activity for which it is requested; and will be handled consistent 
with [applicable security and confidentiality requirements].'' FinCEN 
is modifying the certification requirement to avoid unintentionally 
imposing on intermediary Federal agencies a requirement to certify to a 
foreign requester's future behavior with respect to the BOI obtained, 
which the agency could not know with certainty. Under the final rule, 
such agencies must still certify to FinCEN that the information is for 
use in furtherance of a law enforcement investigation or prosecution, 
or for a national security or intelligence activity, that is authorized 
under the laws of the relevant foreign country. However, the remainder 
of the original certification has been modified to require only that 
the intermediary Federal agency certify that the foreign requester has 
been informed that BOI disclosed to it may only be used for the 
particular purpose or activity for which it was requested and must be 
handled consistent with applicable requirements. This modified 
certification better reflects what an intermediary Federal agency can 
know and practically control. FinCEN's expectation that foreign 
requesters will handle BOI in accordance with applicable requirements 
and protect it to the best of their ability remains unchanged, as does 
FinCEN's willingness to withhold BOI from requesters that fail to meet 
that expectation.
    FinCEN declines to make additional revisions suggested by comments. 
The requirement that foreign requesters apply appropriate standards and 
procedures to protect BOI and limit BOI dissemination to trained 
individuals is reasonable under the circumstances and unlikely to place 
undue burden on foreign requesters. It is critical that all authorized 
BOI recipients-including foreign requesters-take steps to keep BOI 
confidential and secure and to prevent its misuse given the sensitivity 
of the personal information to be reported to the BO IT system. The 
application of BOI security standards and procedures, including the 
training requirement, effectuates these underlying objectives, 
including by requiring individual foreign recipients to have knowledge 
of those requirements. FinCEN also declines to prescribe specific 
requirements on the structure and content of any training. FinCEN 
recognizes that standards and procedures will vary by foreign requester 
to reflect organizational and resource differences. At root, every 
individual with access to BOI should understand the purposes for which 
BOI can be used, the persons with whom they can share BOI with and for 
what purpose, and the manner in which they must secure it.
    The differences between the application of BOI security standards 
and procedures for domestic and foreign requesters reflect legal and 
practical considerations. First, the CTA specifically prescribes 
certain standards for domestic agencies that have access to BOI, but 
not for foreign requesters. Second, the Access NPRM proposed standards 
and procedures that are tailored to particular circumstances and 
challenges involving foreign requesters, and are arguably less 
burdensome that those required of domestic agencies. For example, 
FinCEN decided not to propose an MOU requirement for foreign requesters 
because (1) foreign requesters will not have direct access to the BO IT 
system, and (2) FinCEN anticipates a significantly lower volume of 
foreign requests in general relative to other stakeholders. In 
contrast, the MOUs with domestic agencies are appropriate to mitigate 
the risks inherent in the expected volume and frequency of searches in 
the BO IT system. FinCEN anticipates that these MOUs will, among other 
things, memorialize and implement requirements regarding reports and 
certifications, periodic training of individual recipients of BOI, 
personnel access restrictions, re-disclosure limitations, and access to 
audit and oversight mechanisms. The MOUs will also include security 
plans covering topics related to personnel security (e.g., eligibility 
limitations, screening standards, certifications and notification 
requirements); physical security (system connections and use, 
conditions of access, data maintenance); computer security (use and 
access policies, standards related to passwords, transmission, storage, 
and encryption); and inspections and compliance.
    Foreign BOI requesters will only receive BOI through intermediary 
Federal agencies that will themselves be subject to the detailed MOUs 
described above. Those intermediary Federal agencies will in turn work 
with foreign requesters either in accordance with applicable 
international treaties, conventions, or agreements or under standards 
and protocols that ``trusted'' foreign countries would be required to 
develop and implement.
    FinCEN also decided against the imposition of audit requirements on 
foreign requesters because of practical considerations. First, for the 
sharing of BOI governed by international treaties, agreements, or 
conventions, the relevant treaty, agreement, or convention would govern 
whether audits would be permissible. If no treaty, agreement, or 
convention applied, practical challenges would limit FinCEN's ability 
to conduct audits of a foreign requester's BOI systems and practices. 
In order to conduct such an audit, FinCEN would need to negotiate 
appropriate audit mechanisms, likely on a reciprocal basis, given that 
foreign governments will likely be reluctant to allow FinCEN extensive 
access to comprehensively audit their secure IT systems and records. 
FinCEN would also likely need to commit substantial staff and personnel 
to conduct either remote or

[[Page 88753]]

in-person audits in foreign countries. While FinCEN could refrain from 
sharing BOI with foreign requesters that refuse to be subject to 
audits, it would likely degrade international cooperation on law 
enforcement and national security efforts and constrain the United 
States' ability to combat cross-border illicit finance and criminal 
activity, including fentanyl trafficking, fraud, and sanctions evasion, 
among other crimes.
f. Re-Disclosure of BOI in the Context of Foreign Requests
    Proposed Rule. The Access NPRM proposed rules that effectuated the 
foreign government access provisions in a series of steps that, first, 
would have authorized FinCEN to disclose BOI to intermediary Federal 
agencies; would have then authorized those agencies to redisclose BOI 
to the foreign requester; and would have authorized the foreign 
requester to use the BOI, including through re-disclosure, consistent 
with the applicable treaty.
    Specifically, proposed 31 CFR 1010.955(b)(3) authorized FinCEN to 
disclose BOI to intermediary Federal agencies for transmission to the 
foreign requester where (1) an intermediary Federal agency provides 
FinCEN with the foreign request; (2) the requested BOI is for 
assistance in a law enforcement investigation or prosecution, or for a 
national security or intelligence activity, authorized under the laws 
of the foreign country; and (3) the request is made under an 
international treaty, agreement, or convention, or, when no such 
instrument is available, is an official request by a law enforcement, 
judicial, or prosecutorial authority of a trusted foreign country. 
Proposed 31 CFR 1010.955(c)(2)(v) would further authorize the 
intermediary Federal agency to disclose the BOI to the foreign 
requester, consistent with the CTA's foreign government provisions.
    Lastly, proposed 31 CFR 1010.955(c)(2)(viii) allowed a foreign 
requester that receives BOI pursuant to a request made under an 
international treaty, agreement, or convention to re-disclose and use 
that BOI in accordance with the requirements of the relevant agreement. 
This approach accords with the CTA's preference for disclosing BOI to 
foreign requesters under international agreements and allowing the 
agreements to govern how the information is used, as indicated in the 
introductory paragraph in 31 U.S.C. 5336(c)(2)(B)(ii). For foreign 
requests that are not governed by an international treaty, agreement, 
or convention, FinCEN proposed reviewing re-disclosure requests from 
foreign requesters either on a case-by-case basis or pursuant to 
alternative arrangements with intermediary Federal agencies where those 
intermediary Federal agencies have ongoing relationships with the 
particular foreign requester. This would occur under former 31 CFR 
1010.955(c)(2)(ix), now 31 CFR 1010.955(c)(2)(x), discussed in section 
III.D.ii.
    Comments Received. Commenters noted several concerns regarding the 
re-disclosure of BOI by intermediary Federal agencies to foreign 
requesters. One commenter indicated that the proposed rule conflicted 
with section 2.3 of E.O. 12333 of December 4, 1981, as amended, by 
authorizing U.S. intelligence agencies to share information about U.S. 
persons with other countries' intelligence agencies without regard to 
the Executive Order's restrictions on collecting, retaining, and 
disseminating U.S. person information.\103\ Another commenter 
criticized the proposed rule as unduly vague about the foreign 
recipient of BOI, the scope of application of the proposed 31 CFR 
1010.955(c)(2)(viii), and whether re-disclosure would be consistent 
with the CTA where no international treaty, agreement, or convention is 
available. A third commenter observed that FinCEN could broaden Sec.  
1010.955(c)(2)(v) to allow intermediary Federal agencies to share BOI 
with ``relevant countries'' without first obtaining FinCEN's 
permission, while a fourth warned FinCEN to ensure that foreign 
countries do not use their tax authorities to obtain BOI for non-tax 
related reasons under the pretense of tax administration.
---------------------------------------------------------------------------

    \103\ E.O. 12333, 46 FR 59941 (Dec. 4, 1981) (``United States 
Intelligence Activities'').
---------------------------------------------------------------------------

    Final Rule. FinCEN views the proposed rules to be sufficiently 
clear and adopts the provisions as proposed, though the related 
provision at new 31 CFR 1010.955(c)(2)(x) is revised as discussed in 
section III.D.ii. Proposed 31 CFR 1010.955(c)(2)(v) makes clear that an 
intermediary Federal agency may disclose BOI only ``to the foreign 
person on whose behalf the Federal agency made the request'' to FinCEN 
(emphasis added). The provision is sufficiently specific as to the 
foreign recipient that receives BOI. The rule also is not in conflict 
with E.O. 12333, section 2.3 and, in particular, the requirement that 
elements of the Intelligence Community disseminate information 
concerning U.S. persons only in accordance with certain established 
procedures. FinCEN expects that intermediary Federal agency requests, 
and transmission of BOI to foreign requesters will be in accordance 
with any legal requirements, and internal protocols, applicable to the 
intermediary Federal agency. For instance, the guidelines of the Office 
of the Director of National Intelligence require that, for 
dissemination of information regarding U.S. persons to foreign 
governments, those entities must agree to restrictions on the use and 
dissemination of that information as necessary.\104\ Furthermore, 
consistent with the rule, an agency's internal protocols might place 
certain process requirements on the agency in making the request to 
FinCEN for BOI or on the re-disclosure of the information to the 
foreign requester.
---------------------------------------------------------------------------

    \104\ See Office of the Direct of National Intelligence, 
Attorney General (AG) Guidelines, Approved December 23, 2020, 
available at https://www.intel.gov/assets/documents/702%20Documents/declassified/AGGs/ODNI%20guidelines%20as%20approved%20by%20AG%2012.23.20_OCR.pdf.
---------------------------------------------------------------------------

    Former 31 CFR 1010.955(c)(2)(viii)--now renumbered as 31 CFR 
1010.955(c)(2)(ix)--permits foreign requesters to re-disclose BOI 
consistent with the terms of the applicable international treaty, 
agreement, or convention, but does not authorize disclosure in any 
other contexts.
    Relying on the general authority in 31 CFR 1010.955(c)(2)(x) for 
FinCEN to authorize by prior written authorization, protocols, or 
guidance redisclosures in furtherance of an authorized purpose or 
activity, FinCEN will review redisclosure requests from foreign 
requesters that did not request BOI pursuant to an international 
treaty, agreement, or convention.
    FinCEN also declines to permit intermediary Federal agencies to re-
disclose BOI to a defined list of countries, without either a governing 
international treaty, agreement, or convention or separate FinCEN 
authorization. The scenario the proposal seems to contemplate involves 
an intermediary Federal agency requesting BOI from FinCEN on behalf of 
one foreign requester, storing the information in the intermediary 
Federal agency's own database, and then later re-disclosing that same 
BOI to a different foreign requester that wants the information and 
satisfies the eligibility criteria that would qualify it to have the 
intermediary Federal agency request the information from FinCEN on its 
behalf. In this case, however, the intermediary Federal agency would 
not need to retrieve the BOI from FinCEN's BO IT system or involve 
FinCEN at all because it would already have the relevant BOI in its own 
system.

[[Page 88754]]

    FinCEN views this proposal as infeasible for a number of reasons. 
First, a reporting company might update its reported BOI in the interim 
between the times when two foreign requesters want the information. The 
intermediary Federal agency's stored BOI would not reflect those 
updates and would be out of date and potentially useless or confounding 
in an investigation or prosecution if passed to a foreign requester. 
Having foreign requesters receive outdated BOI would undercut the CTA's 
objective of providing useful information to authorized BOI recipients.
    The second consideration weighing against the proposal has to do 
with auditing. FinCEN has extensive audit requirements with respect to 
Federal agencies that receive BOI under the CTA. While an intermediary 
Federal agency will not need FinCEN's explicit and case-specific 
``permission'' to retrieve BOI from the BO IT system on a foreign 
requester's behalf, the intermediary will need to submit to FinCEN 
certain information about itself, the request, and the requester. 
FinCEN will in turn rely on this information to satisfy those audit 
requirements. The act of an intermediary Federal agency retrieving BOI 
from the BO IT system will also serve as information upon which FinCEN 
will rely as a proxy record indicating that a corresponding disclosure 
to a foreign requester occurred. Were FinCEN to authorize intermediary 
Federal agencies to store and disseminate FinCEN-derived BOI from their 
own databases instead of responding to foreign requests for BOI with 
information retrieved from FinCEN's BO IT system on a one-for-one 
basis, all of that information would be lost, more difficult to 
collect, or more subject to tampering. All of these considerations lead 
FinCEN to reject this proposal.
    Finally, FinCEN takes seriously concerns about foreign requesters 
and other authorized BOI recipients requesting BOI for one purpose and 
using it for other purposes the CTA does not permit. This includes 
concerns about pretextual requests made under the guise of activities 
related to the enforcement of tax laws, a relatively narrow aspect of 
``tax administration,'' as defined in 26 U.S.C. 6103(b)(4), for which 
the CTA authorizes BOI disclosure to foreign requesters.\105\ These 
concerns are why FinCEN is requiring intermediary Federal agencies to 
certify that requests for BOI from foreign requesters satisfy 
applicable CTA requirements, including the requirement that requests be 
for use in furtherance of a law enforcement investigation or 
prosecution, or for a national security or intelligence activity, that 
is authorized under the laws of the relevant foreign country.
---------------------------------------------------------------------------

    \105\ The CTA does not authorize FinCEN to provide BOI to 
foreign requestors for any and all tax administration purposes. Some 
foreign tax-related activities, however, including enforcement of 
tax laws, may qualify as law enforcement, national security, or 
intelligence activities under the CTA, 31 U.S.C. 5336(c)(2)(B)(ii), 
permitting BOI to be disclosed under appropriate circumstances.
---------------------------------------------------------------------------

    That said, a foreign requester that originally obtained BOI for use 
in furtherance of an authorized law enforcement investigation or 
prosecution (including those related to tax laws), or for an authorized 
national security or intelligence activity, would not necessarily be 
prohibited from also using that BOI for other purposes when the BOI was 
obtained pursuant to a treaty, agreement, or convention. As explained 
previously, if a foreign requester obtains BOI pursuant to a treaty, 
agreement, or convention for use in an activity authorized by the CTA, 
then the requester is authorized to subsequently use or re-disclose the 
information in any way permitted by that treaty, agreement, or 
convention. This allowance reflects the general deference to treaties, 
agreements, and conventions exhibited by the CTA's foreign sharing 
provision. In all cases, FinCEN will work with intermediary Federal 
agencies to ensure that foreign requesters understand and agree to 
abide by the restrictions and requirements associated with BOI, as well 
as the potential consequences for failing to honor those commitments.
iv. Disclosure To Facilitate Compliance With Customer Due Diligence 
Requirements
    The Access NPRM proposed to authorize disclosure of BOI to 
facilitate compliance with ``customer due diligence requirements under 
applicable law'' \106\ to: (1) ``financial institutions'' subject to 
such customer due diligence requirements, and (2) ``Federal functional 
regulator[s] or other appropriate regulatory agenc[ies] . . . 
authorized by law to assess, supervise, enforce, or otherwise determine 
the compliance'' of financial institutions with such requirements.\107\ 
FinCEN therefore discusses the proposed terms of financial institution 
and regulator access to BOI separately.
---------------------------------------------------------------------------

    \106\ 31 U.S.C. 5336(c)(2)(B)(iii); proposed 31 CFR 
1010.955(b)(4).
    \107\ Id.; 31 U.S.C. 5336(c)(2)(B)(iii), (C)(i).
---------------------------------------------------------------------------

a. Financial Institutions
    The Access NPRM proposed provisions specifying which financial 
institutions \108\ could access BOI, the uses to which they could put 
BOI, and the prerequisites for their access and terms of use. The 
NPRM's treatment of financial institution access was the focus of many 
comments. Numerous comments focused both on FinCEN's proposal to limit 
the financial institutions authorized to obtain BOI to those with 
responsibilities under FinCEN's 2016 CDD Rule and on FinCEN's proposal 
to limit those financial institutions' use of BOI to facilitating 
compliance with 31 CFR 1010.230 of the 2016 CDD Rule. Both of those 
subjects are discussed here. Other issues raised by commenters on 
financial institution access and use of BOI were tied to larger 
systemic concerns and less closely associated with financial 
institutions per se, including the consent requirement, confidentiality 
and security protocols, and redisclosure of BOI. These more systemic 
comments are addressed elsewhere in this document.
---------------------------------------------------------------------------

    \108\ FinCEN regulations generally define ``financial 
institution,'' including for the purposes of this rule, at 31 CFR 
1010.100(t). This general definition is distinct from that of 
``covered financial institution,'' as used in the 2016 CDD Rule and 
this preamble. Under the 2016 CDD Rule (specifically, 31 CFR 
1010.230(f)), ``covered financial institution'' has the meaning set 
forth in 31 CFR 1010.605(e)(1).
---------------------------------------------------------------------------

    Proposed Rule. The CTA authorizes FinCEN to disclose BOI upon 
receipt of a request ``made by a financial institution subject to 
customer due diligence requirements, with the consent of the reporting 
company, to facilitate the compliance of the financial institution with 
customer due diligence requirements under applicable law.'' \109\ The 
CTA neither defines ``financial institution subject to customer due 
diligence requirements'' nor ``customer due diligence requirements 
under applicable law.'' Proposed 31 CFR 1010.955(b)(4)(i) described 
both the types of financial institutions entitled to request BOI and 
the purposes for which those financial institutions could use that BOI. 
Under the rule, FinCEN would disclose BOI to financial institutions 
``subject to customer due diligence requirements under applicable 
law,'' and that BOI could be used ``in facilitating . . . compliance'' 
with those customer due diligence requirements.
---------------------------------------------------------------------------

    \109\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------

    Section 1010.955(b)(4)(i) further defined the phrase ``customer due 
diligence requirements under applicable law'' to mean the requirement 
imposed on ``covered financial institutions'' under 31 CFR 1010.230 to 
identify and

[[Page 88755]]

verify beneficial owners of their ``legal entity customers,'' primarily 
at account opening.\110\ These ``covered financial institutions'' are 
limited to: banks (including credit unions); brokers or dealers in 
securities registered, or required to be registered, with the SEC; 
futures commission merchants and introducing brokers in commodities 
registered, or required to be registered, with the CFTC; and mutual 
funds.\111\ In contrast, other types of financial institutions, such as 
money services businesses (MSBs) and insurance companies, would not be 
able to access BOI from FinCEN in light of the 2016 CDD Rule 
definition. Additionally, under the proposed rule, these financial 
institutions would be able to use BOI only to comply with 31 CFR 
1010.230, but not for other purposes. This approach was designed to 
enhance security and confidentiality, and facilitate audit and 
oversight, of the BOI database by describing a defined set of financial 
institutions and limiting opportunities for unauthorized use or 
intentional or inadvertent breaches.
---------------------------------------------------------------------------

    \110\ 31 CFR 1010.230(b). Under the 2016 CDD Rule, ``legal 
entity customer means a corporation, limited liability company, or 
other entity that is created by the filing of a public document with 
a Secretary of State or similar office, a general partnership, and 
any similar entity formed under the laws of a foreign jurisdiction 
that opens an account,'' with certain exceptions. Id. 1010.230(e). 
This definition of ``legal entity customer'' overlaps with, but is 
distinct from, the definition of ``reporting company'' in 31 CFR 
1010.380(c) of the Reporting Rule.
    \111\ 31 CFR 1010.230(f) (cross-referencing the definition of 
``covered financial institutions'' in 31 CFR 1010.605(e)(1)).
---------------------------------------------------------------------------

    FinCEN also considered a broader approach that would permit 
financial institutions with CIP obligations \112\ to access the 
database. A broader approach would have permitted more financial 
institutions to use BOI for a wider range of compliance activities, 
such as compliance with CIP regulations. FinCEN specifically requested 
comments on the interpretation of the phrase ``customer due diligence 
requirements under applicable law,'' including whether FinCEN should 
adopt a broader definition, how to best provide regulatory clarity, and 
how to maintain the security and confidentiality of BOI if a broader 
definition were adopted.\113\
---------------------------------------------------------------------------

    \112\ See 31 CFR 1020.220, 1023.220, 1024.220, 1026.220.
    \113\ The preamble to the proposed rule noted that FinCEN also 
had considered defining ``customer due diligence requirements under 
applicable law'' to include State, local, and Tribal customer due 
diligence requirements similar in substance to the 2016 CDD Rule. 
However, FinCEN chose not to do so, noting that it was unaware of 
any such requirements. FinCEN invited comments about any State, 
local, or Tribal laws or regulations that require financial 
institutions to identify and verify the beneficial owners of legal 
entity customers. One commenter noted that some states, such as New 
York, require financial institutions operating in the state to 
implement AML programs that include general customer identification 
and customer due diligence requirements. However, this commenter did 
not cite to any requirements to identify and verify beneficial 
owners of legal entities, as FinCEN's 2016 CDD Rule requires.
---------------------------------------------------------------------------

    Comments Received. FinCEN received many comments that were critical 
of FinCEN's proposed approach. First, commenters asserted that FinCEN's 
interpretation ran counter to the plain text of the CTA. Several 
commenters pointed to the CTA provision directing the Secretary to 
promulgate regulations that ``facilitate the compliance of [] financial 
institutions with anti-money laundering, countering the financing of 
terrorism, and customer due diligence requirements under applicable 
law.'' \114\ In order to implement this provision, one commenter noted 
that FinCEN should allow financial institutions to access BOI for more 
uses than compliance with 31 CFR 1010.230, and pointed to contrasting 
references in the CTA to 31 CFR 1010.230 and ``customer due diligence 
requirements under applicable law'' as indicative of Congressional 
intent.\115\ Another commenter stated that FinCEN erred when it pointed 
to the Sense of Congress as evidence that Congress understood 
``customer due diligence requirements under applicable law'' did not 
include ``anti-money laundering, [and] countering the financing of 
terrorism.'' \116\
---------------------------------------------------------------------------

    \114\ 31 U.S.C. 5336(b)(1)(F)(iv)(II).
    \115\ CTA, section 6403(d)(1) (directing the Secretary of the 
Treasury to revise the 2016 CDD Rule).
    \116\ CTA, section 6402(6)(B).
---------------------------------------------------------------------------

    Second, commenters argued that the proposed rule's approach would 
be burdensome for financial institutions and undermine the usefulness 
of the BOI database. In particular, commenters claimed that the 
proposed approach conflicted with the core CTA objectives that the BOI 
database be ``highly useful'' to financial institutions,\117\ and that 
burdens on financial institutions should be minimized.\118\ In this 
respect, one commenter listed the variety of AML/CFT compliance and 
sanctions-related tasks for which banks relied on the BOI obtained from 
legal entity customers under the 2016 CDD Rule, including, for example, 
compliance with CIP requirements, customer risk ratings, transaction 
monitoring, sanctions screening, identifying politically exposed 
persons, and filing SARs or sanctions-related reports.\119\ The 
commenter reiterated that the proposed rule would not provide financial 
institutions with any additional AML/CFT compliance value if financial 
institutions could use FinCEN-collected BOI only as described in the 
proposed rule; in fact, the commenter confirmed that financial 
institutions would be unlikely to use the database at all. Other 
commenters pointed to likely implementation burdens and duplicative 
requirements, such as the likely need to create a firewall and systems 
to separate FinCEN-obtained BOI from BOI obtained under the 2016 CDD 
Rule, given the different purposes for which those two types of BOI 
could be used. This, in turn, would also impose duplicative 
requirements on reporting companies, given their need to provide BOI to 
both FinCEN and to financial institutions.
---------------------------------------------------------------------------

    \117\ See 31 U.S.C. 5336(b)(1)(F)(iv).
    \118\ See CTA, section 6403(d)(1)(C) (directing that the 2016 
CDD Rule be revised to ``reduce any burdens on financial 
institutions and legal entity customers that are, in light of the 
enactment of this division and the amendments made by this division, 
unnecessary or duplicative'').
    \119\ The commenter noted, and FinCEN agrees, that the 2016 CDD 
Rule itself imposed no specific limits on how financial institutions 
could use the BOI collected under that rule, including for AML/CFT 
compliance purposes.
---------------------------------------------------------------------------

    Third, commenters maintained that the proposed approach conflicts 
with the broader AML/CFT regulatory framework, including supervisory 
expectations and FinCEN guidance on the role of customer due diligence 
in a financial institution's AML program. Several commenters stated 
squarely that the phrase ``customer due diligence requirements under 
applicable law'' clearly encompassed AML/CFT requirements beyond the 
identification and verification requirements of the 2016 CDD Rule. For 
example, commenters noted that the 2016 CDD Rule itself interprets 
``customer due diligence'' broadly to encompass ongoing monitoring for 
reporting suspicious transactions,\120\ and amends AML program rules to 
require financial institutions to implement risk-based
---------------------------------------------------------------------------

    \120\ See 2016 CDD Rule, 81 FR at 29398 (``FinCEN believes that 
there are four core elements of customer due diligence, and that 
they should be explicit requirements in the anti-money laundering 
(AML) program for all covered financial institutions, in order to 
ensure clarity and consistency across sectors: (1) Customer 
identification and verification; (2) beneficial ownership 
identification and verification; (3) understanding the nature and 
purpose of customer relationships to develop a customer risk 
profile; and (4) ongoing monitoring for reporting suspicious 
transactions and, on a risk-basis, maintaining and updating customer 
information.'').

---------------------------------------------------------------------------

[[Page 88756]]

procedures for doing so.121 122 Other commenters invoked 
supervisory expectations around the use of BOI, noting that the Federal 
Financial Institutions Examination Council (FFIEC) BSA/AML Examination 
Manual \123\ states that banks should specify in their policies, 
procedures, and processes how BOI will be used to meet other regulatory 
obligations, such as identifying suspicious activity and identifying 
parties sanctioned by Treasury's Office of Foreign Asset Control 
(OFAC).\124\ Commenters also provided specific suggestions to broaden 
the scope of use of BOI, for example, including CIP requirements under 
31 CFR 1010.220 and the ongoing customer due diligence requirements 
under 31 CFR 1010.210 to facilitate the compliance with AML/CFT and 
customer due diligence requirements under applicable law.\125\ Finally, 
some commenters claimed that the proposed approach would make it 
challenging for financial institutions to comply with other legal or 
regulatory requirements, such as sanctions screening, and urged FinCEN 
to broaden the permitted uses of BOI.
---------------------------------------------------------------------------

    \121\ See 2016 CDD Rule, 81 FR at 29457-29458, codified, as 
amended, at 31 CFR 1020.210(a)(2)(v), 1023.21(b)(5), 1024.210(b)(5), 
1026.210(b)(5).
    \122\ One commenter also noted that banks have built their 
compliance systems to be consistent with the preamble to the 2016 
CDD Rule. The commenter indicated that limiting the purposes for 
which BOI obtained from the database can be used thus would hurt 
such compliance efforts.
    \123\ FFIEC BSA/AML Examination Manual, available at https://bsaaml.ffiec.gov/manual.
    \124\ Relatedly, another commenter urged FinCEN to consider 
allowing broad BOI access for purely practical reasons, taking into 
account the value that BOI provides for financial institutions in 
meeting their regulatory obligations beyond the 2016 CDD Rule, such 
as fraud detection, customer identification and verification, and 
OFAC sanctions screening.
    \125\ In contrast, another commenter asked that FinCEN itemize 
exactly how financial institutions can use BOI, rather than cross-
referencing 31 CFR 1010.230 or any other regulatory provision.
---------------------------------------------------------------------------

    Fourth, commenters also expressed concerns about the policy reasons 
for choosing a narrower interpretation of ``customer due diligence 
requirements under applicable law,'' for example, easing administration 
of the BOI database and protecting BOI security and confidentiality. 
One commenter stated that ease of administration is not a sufficient 
justification to limit the ways financial institutions can use BOI to 
combat illicit finance. Several commenters noted that both the CTA, and 
laws requiring banks to protect the vast amounts of PII for which they 
are responsible, such as Gramm-Leach-Bliley, provide multiple 
safeguards to ensure the confidentiality and security of BOI, including 
substantial protocols that financial institutions must follow to access 
the BOI database.
    Fifth, while a few commenters expressed support for the limitation 
on the types of financial institutions with access to BOI, many 
commenters argued that certain types of financial institutions not 
subject to the 2016 CDD Rule--in particular, MSBs--would benefit from 
access to the BOI and that FinCEN's definition of ``customer due 
diligence requirements under applicable law'' thus should be changed to 
allow these other financial institutions to access FinCEN-collected 
BOI.\126\ One commenter noted that MSBs--which are required to 
implement AML compliance programs with ``policies, procedures, and 
internal controls reasonably designed'' to ensure compliance with the 
BSA \127\--may be required by those programs to identify and verify the 
beneficial owners of legal entity customers and authorized agents 
during onboarding. In this context, the commenter identified FinCEN's 
2016 guidance to MSBs concerning agent monitoring that required MSB 
principals to identify the owners of an MSB's agents as a reason for 
interpreting the term ``customer due diligence requirements under 
applicable law'' to include such MSB requirements.\128\ Lastly, one 
commenter urged FinCEN to allow any financial institution that has AML 
program obligations to have access to the BOI database, subject to 
appropriate security requirements and other access protocols, in order 
to enhance overall transparency in the U.S. financial system and to 
effectively fight illicit finance.
---------------------------------------------------------------------------

    \126\ Additionally, two commenters agreed with FinCEN's proposed 
definition of ``customer due diligence under applicable law'' but 
claimed that this did not lead to the limitations that FinCEN 
proposed to place on the use of BOI by financial institutions. These 
commenters asserted that FinCEN's proposed definition was consistent 
with a broader authorization for financial institutions to use BOI 
for any purpose consistent with a financial institution's anti-
financial crimes program, including (but not limited to) AML, 
sanctions, anti-bribery, and anti-corruption procedures.
    \127\ See 31 CFR 1022.210(d)(1)(i).
    \128\ FIN-2016-G001, Guidance on Existing AML Program Rule 
Compliance Obligations for MSB Principals with Respect to Agent 
Monitoring (Mar. 11, 2016).
---------------------------------------------------------------------------

    Final Rule. In light of the comments received, FinCEN has revised 
its proposed approach towards the financial institutions that will have 
access to the BOI database and the purposes for which that BOI may be 
used. The revised regulation now specifies that the clause ``customer 
due diligence requirements under applicable law'' includes ``any legal 
requirement or prohibition designed to counter money laundering or the 
financing of terrorism, or to safeguard the national security of the 
United States, to comply with which it is reasonably necessary for a 
financial institution to obtain or verify beneficial ownership 
information of a legal entity customer.'' Accordingly, the final 
regulations would permit a broader range of financial institutions to 
access BOI from the FinCEN database for a broader range of purposes 
than described in the proposed rule should FinCEN choose to afford such 
access. As discussed below in this section, however, FinCEN, in the 
exercise of its discretion, intends to permit only financial 
institutions with obligations under the 2016 CDD Rule to have access to 
the BOI database at this time.
    Under this approach, a financial institution can use BOI obtained 
from FinCEN to help discharge its AML/CFT obligations under the BSA, 
including its AML program, customer identification, SAR filing, and 
enhanced due diligence requirements. It can also use BOI to satisfy 
other requirements, so long as those requirements are designed to 
counter money laundering or the financing of terrorism or safeguard 
U.S. national security, and so long as it is reasonably necessary to 
obtain or verify BOI of legal entity customers to satisfy those 
requirements. For example, a financial institution may use BOI obtained 
from FinCEN (with the consent of the reporting company) to facilitate 
compliance with sanctions imposed by OFAC on individuals and legal 
entities under the International Emergency Economic Powers Act \129\ 
and other legal authorities, such as the Foreign Narcotics Kingpin 
Designation Act \130\ and the Global Magnitsky Human Rights 
Accountability Act.\131\ These sanctions can have national security and 
anti-money laundering purposes. Financial institutions regularly use 
BOI to comply with these sanctions, often through OFAC sanctions 
screening, including in ascertaining whether sanctions are applicable 
to persons by virtue of the so-called ``50-percent'' rule.\132\
---------------------------------------------------------------------------

    \129\ 50 U.S.C. 1701-1706.
    \130\ 21 U.S.C. 1901-1908.
    \131\ 22 U.S.C. 10101-10103.
    \132\ The ``50 percent rule'' subjects to U.S. sanctions any 
entity that is 50 percent owned by a blocked person is itself 
blocked, and U.S. persons, including domestic financial 
institutions, are prohibited from transacting business with such an 
entity. See, e.g., OFAC, Addition of General Licenses for the 
Official Business of the United States Government and Certain 
International Organizations and Entities and Updates to the 50 
Percent Rule Interpretive in OFAC Sanctions Regulations, 87 FR 78470 
(Dec. 21, 2022).
---------------------------------------------------------------------------

    At the same time, there are bounds to the uses of BOI by financial 
institutions under the final rule. As a threshold matter, the use of 
BOI should be directly

[[Page 88757]]

related to a financial institution's compliance with a legal obligation 
that is designed to counter money laundering or the financing of 
terrorism, or to safeguard the national security of the United States. 
For example, the final rule does not permit financial institutions to 
use BOI from FinCEN in assessing whether to extend credit to a legal 
entity, or in establishing the price of that credit, when credit 
decisions are unrelated to AML/CFT or national security purposes. 
Moreover, FinCEN does not consider general business or commercial uses 
of BOI, such as client development, to be consistent with AML/CFT or 
national security purposes.
    The broader approach taken in the final rule is motivated by both 
legal and policy considerations. First, FinCEN is persuaded that both 
the statutory framework and congressional intent are properly read to 
encompass uses broader than compliance with the 2016 CDD Rule. The CTA 
provision governing the 2016 CDD Rule revisions directs that the 
revised rule needs to take into account financial institution access to 
BOI ``to facilitate the compliance of those financial institutions with 
anti-money laundering, countering the financing of terrorism, and 
customer due diligence requirements under applicable law.'' \133\ The 
Sense of Congress similarly states that BOI should be available to 
``facilitate the compliance of the financial institutions with anti-
money laundering, countering the financing of terrorism, and customer 
due diligence requirements under applicable law.'' \134\ This 
terminology is broader than a reference to the 2016 CDD Rule. Moreover, 
commenters correctly point out that the CTA's specific references to 
the 2016 CDD Rule contrast with those more general references to 
customer due diligence requirements elsewhere in the CTA.\135\
---------------------------------------------------------------------------

    \133\ CTA, section 6402(d)(1)(B).
    \134\ CTA, section 6402(6).
    \135\ CTA, section 6403(d)(1).
---------------------------------------------------------------------------

    Second, as noted by many commenters, the revised approach will 
further the overarching purposes of the CTA to combat illicit activity 
by enabling financial institutions to use BOI for AML/CFT and national 
security purposes. The revised approach will allow a financial 
institution to integrate and leverage BOI obtained from FinCEN with 
other information that the financial institution uses for their full 
range of customer due diligence activities. It will also reduce the 
burdens on financial institutions in handling and using BOI, and 
correspondingly, increase its practical value.
    The final rule also authorizes FinCEN to disclose BOI to a broader 
range of financial institutions consistent with the revised approach 
taken with respect to the meaning of ``customer due diligence 
requirements under applicable law.'' Accordingly, MSBs and other 
financial institutions with AML program requirements, such as casinos, 
along with ``covered financial institutions'' as defined in the 2016 
CDD Rule, would be eligible under the final rule to access the database 
subject to appropriate security and confidentiality protocols. The 
final rule, however, accords FinCEN with discretion regarding the scope 
and timing of access by financial institutions. The CTA does not direct 
FinCEN to provide access to financial institutions, but rather states 
that FinCEN ``may disclose'' BOI to qualifying financial institutions, 
consistent with the CTA's security, confidentiality, and provisions 
regarding the usefulness of the database.\136\ The final rule, 31 CFR 
1010.955(b)(4)(i), likewise preserves this discretion accorded to 
FinCEN.
---------------------------------------------------------------------------

    \136\ 31 U.S.C. 5336(c)(2)(B).
---------------------------------------------------------------------------

    In the exercise of this discretion, FinCEN intends to provide 
access as an initial matter to financial institutions that are covered 
financial institutions under the 2016 CDD Rule. The initial focus on 
covered financial institutions under the 2016 CDD Rule will allow 
FinCEN to work towards timely access for those institutions with 
comprehensive security and confidentiality protocols and compliance and 
supervisory frameworks regarding the use of that information, while 
working to further evaluate whether it is appropriate and feasible to 
expand access to other financial institutions, such as MSBs or casinos, 
after an initial implementation period.
    Against the backdrop of the comments received on this provision, 
FinCEN notes that two core considerations motivate access: the 
importance of BOI access for effective AML/CFT compliance and the need 
for security and confidentiality in the handing and use of such BOI. 
There are estimated to be over 300,000 financial institutions regulated 
under the BSA that are diverse in size, business types, complexity, and 
supervisory and regulatory frameworks, in particular, with differences 
in security and confidentiality requirements. Covered financial 
institutions under the 2016 CDD Rule are subject to the Gramm-Leach-
Bliley security requirements and a national supervisory framework with 
respect to implementation of those requirements. In contrast, other 
financial institutions that are not subject to the 2016 CDD Rule, such 
as casinos, MSBs, and dealers in precious metals, precious stones, or 
jewels, are subject to more fragmented security standards that require 
additional time to evaluate and determine the extent to which standards 
and oversight mechanisms are required. Along with the development of 
new, and additional, standards, FinCEN will need to identify and 
implement additional outreach, help desk training, audit, oversight and 
other resources to ensure that this larger group of financial 
institutions complies with the security, confidentiality, and use 
requirements under the final rule. Lastly, FinCEN will continue to 
evaluate the usefulness of BOI access to particular industry sectors 
based on a range of factors, e.g., which financial institutions with 
AML program requirements have legal entity customers,\137\ the size of 
this customer base, and the related illicit finance risks, as it 
considers further expanding access to additional financial 
institutions.
---------------------------------------------------------------------------

    \137\ As defined at 31 CFR 1010.230(e).
---------------------------------------------------------------------------

b. Regulatory Agencies
1. Scope of Regulatory Agency Access to BOI
    Proposed Rule. The CTA authorizes Federal functional regulators and 
``other appropriate regulatory agencies'' to access ``the information'' 
previously made available to financial institutions subject to customer 
due diligence requirements under applicable law.\138\ Consistent with 
this provision, proposed 31 CFR 1010.955(b)(4)(ii) would allow FinCEN 
to disclose BOI that has been previously provided to a financial 
institution to a ``Federal functional regulator or other appropriate 
regulatory agency'' if the regulator requests it, is authorized by law 
to assess, supervise, enforce, or otherwise determine the compliance of 
such financial institution with ``customer due diligence requirements 
under applicable law'' (proposed Sec.  1010.955(b)(4)(ii)(A)); will use 
the BOI solely for that purpose (proposed Sec.  1010.955(b)(4)(ii)(B)); 
and has entered into an agreement with FinCEN to properly safeguard BOI 
(proposed Sec.  1010.955(b)(4)(ii)(C)). As discussed in the preceding 
section (III.C.iv.a), in view of the proposed rule's approach towards 
the phrase ``customer due diligence requirements under applicable 
law,'' Federal functional regulators and other regulatory agencies 
would have been authorized to access BOI only to assess, supervise, 
enforce, or otherwise

[[Page 88758]]

determine a financial institution's compliance with 31 CFR 1010.230.
---------------------------------------------------------------------------

    \138\ 31 U.S.C. 5336(c)(2)(C).
---------------------------------------------------------------------------

    Comments Received. Two commenters raised concerns that the 
limitations on access for regulators were overly restrictive. The 
comments argued that the proposed rule did not adequately justify why 
supervisory access should be limited for the sole purpose of 
determining financial institution compliance with the requirements of 
31 CFR 1010.230, and that regulators should have access to the database 
to assess a financial institution's compliance with customer due 
diligence obligations over which regulators broadly have regulatory 
authority.\139\
---------------------------------------------------------------------------

    \139\ This commenter supported FinCEN's separate statement in 
the NPRM, 87 FR at 77411, that regulators engaged in national 
security or law enforcement activities would be able to access BOI 
under proposed 31 CFR 1010.955(b)(1) in addition to proposed 31 CFR 
1010.955(b)(4)(ii), subject to specific conditions and limitations. 
The commenter viewed this position as partly correcting the 
limitation of regulatory access to supervising compliance with Sec.  
1010.230.
---------------------------------------------------------------------------

    In contrast, one commenter noted skepticism as to whether Federal 
or state regulators even needed to access the BOI database if financial 
institutions would not be subject to a requirement to use the database. 
Absent such a requirement, the commenter noted that financial 
institutions would likely obtain beneficial ownership information 
directly from their customers under the 2016 CDD Rule. The commenter 
further stated that financial institutions should not be responsible 
for resolving any discrepancies between the BOI reported to FinCEN and 
the BOI that financial institutions received from their customers.
    Final Rule. FinCEN retains proposed 31 CFR 1010.955(b)(4)(ii) in 
the final rule, but the scope of this provision has changed. In light 
of the revised approach to the phrase ``customer due diligence 
requirements under applicable law'' in 31 CFR 1010.955(b)(4)(i), Sec.  
1010.955(b)(4)(ii)(A) now provides access to BOI obtained from FinCEN 
to those regulatory agencies that ``assess, supervise, enforce, or 
otherwise determine'' compliance of financial institutions with AML/
CFT- or national security-related legal requirements for which BOI 
access is reasonably necessary. Relatedly, final rule Sec.  
1010.955(b)(4)(ii)(B)--which also remains identical to the proposed 
rule--prescribes that regulatory agencies can now use that BOI obtained 
from FinCEN to conduct ``the assessment, supervision, or authorized 
investigation'' in connection with a financial institution's use of BOI 
obtained from FinCEN to comply with legal requirements to counter money 
laundering or the financing of terrorism, or to safeguard the national 
security of the United States. FinCEN does not expect the number of 
regulatory agencies with access to BOI under this provision to change 
significantly under the final rule's approach, but believes that the 
supervisory scope will be better matched to effectively supervise 
financial institutions for AML program implementation. Supervisory 
agencies that seek to retrieve BOI under Sec.  1010.955(b)(4)(ii)(A) 
and (B) will continue to be required to enter into an agreement with 
FinCEN for such access under final rule Sec.  1010.955(b)(4)(ii)(C). 
FinCEN adopts this provision without change, consistent with the CTA 
itself.\140\
---------------------------------------------------------------------------

    \140\ 31 U.S.C. 5336(c)(2)(C)(iii).
---------------------------------------------------------------------------

    FinCEN regards the comment which stated that regulatory access to 
the BOI database under these provisions will have no value if financial 
institution use of BOI obtained from FinCEN is not mandatory as 
incorrect in its understanding. First, the CTA expressly requires 
FinCEN to provide Federal functional regulators or other appropriate 
regulatory agencies with access to BOI provided to a financial 
institution.\141\ It is true that if financial institutions in fact do 
not access BOI, regulatory access will be commensurately limited. But 
less access does not mean no utility: at the very least, regulatory 
agencies will be able to use their access to gauge the intensity of 
financial institution use of BOI, and therefore regulatory agency 
access will aid their understanding of financial institution activity. 
Likewise, as a policy matter, if financial institutions were to access 
BOI, supervisory agencies should have access to the same BOI for 
supervisory purposes to better understand the use and handling of BOI 
obtained from by financial institutions.
---------------------------------------------------------------------------

    \141\ 31 U.S.C 5336(c)(2)(C).
---------------------------------------------------------------------------

    FinCEN notes, however, that neither the CTA nor the final rule 
requires financial institutions to access the BOI database. Under the 
final rule, the decision whether to access the database is left to the 
discretion of financial institutions, with the understanding that 
financial institutions that choose to access the BOI database will make 
use of such access subject to the use limitations and security and 
confidentiality requirements of the final rule itself. Accordingly, 
FinCEN notes that the final rule neither creates nor establishes 
supervisory expectations with respect to whether and the extent to 
which financial institutions access the BOI database, or report 
discrepancies between the BOI obtained from the database and BOI the 
financial institution may collect through other channels, including, 
for example, directly from its customers under the 2016 CDD Rule. In 
summary, the final rule does not create a new regulatory requirement 
for financial institutions to access BOI from the BO IT System or a 
supervisory expectation that they do so. The final rule also does not 
make any changes to the requirements of the 2016 CDD Rule. As such, the 
Access Rule does not necessitate changes to BSA/AML compliance programs 
designed to comply with the (unchanged) 2016 CDD Rule, and other 
existing BSA requirements, such as customer identification program 
requirements,\142\ and suspicious activity reporting.\143\ However, any 
access to and use of BOI obtained from the BO IT System must comply 
with the requirements of the CTA and the Access Rule. FinCEN will 
address whether, and if so how, financial institutions should access 
BOI for CDD Rule compliance purposes in its revision of the 2016 CDD 
Rule.
---------------------------------------------------------------------------

    \142\ 31 CFR 1010.220.
    \143\ 31 CFR 1010.320.
---------------------------------------------------------------------------

2. Meaning of ``Other Appropriate Regulatory Agencies''
    Proposed Rule. Proposed 31 CFR 1010.955(b)(4)(ii) would permit 
FinCEN to disclose BOI to either a ``Federal functional regulator'' or 
an ``other appropriate regulatory agency . . . [that] assessed, 
supervised, enforced, or otherwise determined the compliance of such 
financial institution with customer due diligence requirements under 
applicable law.'' While ``Federal functional regulator'' is a defined 
term,\144\ the proposed rule did not define ``other appropriate 
regulatory agency.'' \145\ The preamble, however, provided illustrative 
examples, and invited comment. For example, the preamble noted that 
``other appropriate regulatory agencies'' could ``include State banking 
regulators,'' \146\ but that it was ``unclear'' whether SROs registered 
with or designated by a Federal functional regulator (i.e., qualifying 
SROs) should be considered ``other appropriate regulatory agencies''.
---------------------------------------------------------------------------

    \144\ 31 CFR 1010.100(r). Under this definition, the Federal 
functional regulators are the Board of Governors of the Federal 
Reserve System (FRB), the Office of the Comptroller of the Currency 
(OCC), the Federal Deposit Insurance Corporation (FDIC), the Office 
of Thrift Supervision, the NCUA, the SEC, and the CFTC.
    \145\ 87 FR at 77416.
    \146\ Id.
---------------------------------------------------------------------------

    Comments Received. Several comments requested that FinCEN define 
``other appropriate regulatory agency'' to

[[Page 88759]]

include specified entities. Three commenters suggested that state 
regulatory agencies be expressly included. These commenters variously 
recommended that the term ``State bank supervisor,'' as used in the AML 
Act,\147\ state credit union regulators, and other state supervisory 
authorities should be expressly incorporated into the meaning of 
``other appropriate regulatory agency'' in order to ensure consistent 
database access for state regulators supervising customer due diligence 
compliance and to avoid confusion. Another commenter argued that some 
SROs, including FINRA, should be considered to be ``other appropriate 
regulatory agencies,'' given that those SROs have broad AML/CFT 
oversight and that limiting SRO access to BOI would undermine the CTA's 
objectives.
---------------------------------------------------------------------------

    \147\ See AML Act, section 6003(8), 6304 (cross-referencing 12 
U.S.C. 1813); 12 U.S.C. 1813(r)(1) (``The term `State bank 
supervisor' means any officer, agency, or other entity of any State 
which has primary regulatory authority over State banks or State 
savings associations in such State.'').
---------------------------------------------------------------------------

    Final Rule. The final rule does not provide the specificity in the 
regulatory definition of ``other appropriate regulatory agencies'' 
requested by commenters given that the rule provides sufficient clarity 
regarding the agencies that are entitled to BOI access under Sec.  
1010.955(b)(4)(ii).\148\ FinCEN notes that ``State bank supervisors,'' 
as defined in the AML Act, as well as state credit union regulators and 
other state supervisory authorities that meet the criteria of the final 
rule may have access to the BOI database. Moreover, the term ``other 
appropriate regulatory agency'' does not include SROs because the term 
``agency'' is generally understood to mean a governmental entity, 
rather than a private organization regardless of whether it performs 
governmental functions.149 150 FinCEN recognizes that SROs 
perform critical oversight functions with respect to AML/CFT 
compliance. The final rule retains the ability for qualifying SROs to 
receive BOI redisclosed to them from a financial institution or Federal 
functional regulator under Sec.  1010.955(c)(2)(iii) and (iv).
---------------------------------------------------------------------------

    \148\ 31 U.S.C. 5336(c)(2)(C).
    \149\ See, e.g., 5 U.S.C. 551(1) (`` `agency' means each 
authority of the Government of the United States . . .'').
    \150\ See, e.g., In re William H. Murphy & Co., SEC Release No. 
34-90759, 2020 WL 7496228, *17 (Dec. 21, 2020) (explaining that 
FINRA ``is not a part of the government or otherwise a [S]tate 
actor'' to which constitutional requirements apply).
---------------------------------------------------------------------------

3. Redisclosure of BOI to SROs
    Proposed Rule. Proposed Sec.  1010.955(c)(2)(iii) and (iv) \151\ 
would allow financial institutions and Federal functional regulators to 
re-disclose BOI obtained from the BOI database to a qualifying SRO 
provided that it meets the requirements of proposed Sec.  
1010.955(b)(4)(ii). Under this provision, the qualifying SRO would have 
had to be authorized by law to determine compliance with customer due 
diligence requirements under appliable law; it would have been able to 
use BOI obtained from FinCEN only to determine such compliance; and it 
would have had to enter into an agreement with FinCEN to safeguard the 
information. The proposed rule noted that qualifying SROs play an 
important role, working under oversight of Federal functional 
regulators, in assessing, supervising, and enforcing compliance with 
customer due diligence requirements under applicable law, among other 
requirements.\152\
---------------------------------------------------------------------------

    \151\ These provisions are discussed in greater depth in section 
III.D.ii.
    \152\ 87 FR at 77416.
---------------------------------------------------------------------------

    Comments Received. One commenter agreed that it is sufficient for 
qualifying SROs to receive BOI obtained from FinCEN through the re-
disclosure provisions given the limited purposes for which that BOI 
could be used by regulators. However, the commenter noted that those 
limitations were too narrow and could interfere with other SRO 
oversight responsibilities, including investigations of fraud and other 
illicit activity.\153\ Another commenter suggested that any SRO with 
market regulation functions, regardless of whether registered with or 
designated by a Federal functional regulator--beyond the two qualifying 
SROs (FINRA and NFA) specifically named in the NPRM--be permitted to 
receive BOI obtained from the BO IT system by financial 
institutions.\154\
---------------------------------------------------------------------------

    \153\ The SRO also expressed concern that the proposed rule 
could be interpreted to prohibit financial institutions from 
collecting BOI or similar information from any source other than the 
BOI database. FinCEN does not believe that this is a reasonable 
reading of the regulatory text and thus does not believe the text 
needs revision. Regardless, to avoid any confusion, FinCEN clarifies 
that this rule does not restrict SROs' ability to acquire BOI from 
other sources.
    \154\ This commenter cited the CME Group as one example of an 
SRO that should have such access. CME Group, however, is an SRO that 
has been designated by a Federal functional regulator (CFTC) 
pursuant to Federal statute, i.e., a qualifying SRO. See, e.g., 
CFTC, Final Rule, Financial Surveillance Examination Program 
Requirements for Self-Regulatory Organizations, 84 FR 12882, 12884 
n. 22 (Apr. 3, 2019). Thus, these provisions would not prohibit 
financial institutions or Federal functional regulators from 
redisclosing BOI to the CME Group if the provisions' other 
requirements were met.
---------------------------------------------------------------------------

    Final Rule. FinCEN is adopting Sec.  1010.955(c)(2)(iii) and (iv) 
as proposed.\155\ In light of the revised approach to the scope of 
``customer due diligence requirements under applicable law,'' however, 
qualifying SROs would be able to use BOI redisclosed to them to conduct 
``the assessment, supervision, or authorized investigation'' in 
connection with a financial institution's use of BOI obtained from 
FinCEN to comply with legal requirements to counter money laundering or 
the financing of terrorism, or to safeguard the national security of 
the United States. Even if the CTA could be read to permit qualifying 
SROs to use BOI for purposes beyond these under the re-disclosure 
provision, however, such an approach would be inconsistent with the use 
limitations imposed on Federal functional regulators and other 
appropriate regulatory agencies and the CTA's emphasis on safeguarding 
BOI.
---------------------------------------------------------------------------

    \155\ Comments regarding re-disclosure under Sec.  
1010.955(c)(2) more broadly are discussed in section III.D.ii FinCEN 
has made several changes to proposed Sec.  1010.955(c)(2) in 
response to these comments, but these changes do not include any 
alterations to Sec.  1010.955(c)(2)(iii) or (iv).
---------------------------------------------------------------------------

    FinCEN also is not extending the re-disclosure provisions to SROs 
that have not registered with or been designated by a Federal 
functional regulator. Qualifying SROs exercise unique regulatory 
authority within the framework of Federal law and under the oversight 
of Federal functional regulators to assess, supervise, and enforce 
financial institution compliance with customer due diligence and other 
requirements.156 157 In light of their unique role, and the 
oversight provided by the Federal functional regulators, in particular, 
with respect to security and confidentiality requirements, FinCEN 
determined that qualifying SROs are appropriate authorized recipients 
for BOI re-disclosures under FinCEN's discretionary authority. In 
contrast, non-qualifying SROs do not play the same unique role within 
the Federal regulatory framework and are not subject to the same 
extensive government oversight as qualifying SROs.
---------------------------------------------------------------------------

    \156\ See, e.g., FINRA Rule 3310(f); NFA Compliance Rule 2-
9(c)(5).
    \157\ See, e.g., Scottsdale Cap. Advisors Corp., 844 F.3d at 418 
(``Before any FINRA rule goes into effect, the SEC must approve the 
rule and specifically determine that it is consistent with the 
purposes of the Exchange Act. The SEC may also amend any existing 
rule to ensure it comports with the purposes and requirements of the 
Exchange Act.'' (citations omitted); Birkelbach, 751 F.3d at 475 
(``A [FINRA] member can appeal the disposition of a FINRA 
disciplinary proceeding to the SEC, which performs a de novo review 
of the record and issues a decision of its own.'').
---------------------------------------------------------------------------

v. Department of the Treasury Access
a. Disclosure to Officers or Employees of the Department of the 
Treasury
    Proposed Rule. Proposed 31 CFR 1010.955(b)(5)(i) permits officers 
or

[[Page 88760]]

employees of the U.S. Department of the Treasury to access BOI when 
official duties require such inspection or disclosure, subject to 
internal procedures and safeguards.
    Comments Received. Multiple comments supported the proposed access 
for Treasury officers and employees. Commenters suggested a few 
clarifications, e.g., listing the official duties that justify access 
such as Treasury's role in auditing and reporting on BOI. Other 
comments suggested that FinCEN should apprise the public of, or 
clarify, the internal Treasury procedures to ensure the confidentiality 
and security of BOI. Some commenters proposed that BOI be treated as 
``return information'' subject to the same protections as tax 
information under 26 U.S.C. 6103, particularly when it is obtained by 
IRS. One commenter stated that there should be coordinating regulations 
issued to ensure that BOI disclosed to Treasury's officers and 
employees, including those at the IRS, is ``protected to at least the 
same degree'' as BOI that is disclosed to other agencies and that these 
regulations should be coordinated with 26 U.S.C. 6103.\158\
---------------------------------------------------------------------------

    \158\ The commenter also requested clarification on the sharing 
of BOI by Treasury with state or foreign requesters for tax 
administration purposes, as well as how FinCEN would ensure that any 
BOI shared is adequately protected. FinCEN notes that state-level 
and foreign requesters will obtain BOI pursuant to other provisions 
of 31 CFR 1010.955(b)--specifically, 31 CFR 1010.955(b)(2) and 
(b)(3). In contrast, 31 CFR 1010.955(b)(5) is specific to access by 
officers or employees of the Department of the Treasury; 
1010.955(b)(5) does not itself authorize these Treasury officers or 
employees to share BOI with state or foreign requestors for tax 
administration purposes. 31 CFR 1010.955(d) provides security and 
confidentiality requirements for BOI shared with state or foreign 
requestors pursuant to (b)(2) and (b)(3).
---------------------------------------------------------------------------

    Final Rule. FinCEN adopts the proposed rule. FinCEN declines to add 
to the rule a list of official duties that would require access to BOI 
because those duties may change over time, and because, consistent with 
the CTA, Treasury access to BOI will be governed by internal procedures 
and safeguards. As noted in the proposed rule, however, FinCEN expects 
that Treasury officers and employees will access and use BOI for a 
range of appropriate purposes, including: tax administration, 
enforcement actions, intelligence and analytical purposes, use in 
sanctions -related investigations, and identifying property blocked 
pursuant to sanctions, as well as for administration of the BOI 
framework, such as for audits, enforcement, and oversight. This will 
include access to BOI necessary to complete the reports required by 
section 6502 of the AML Act and audit and oversight activities, 
including access by the Treasury OIG. FinCEN will work with other 
Treasury components to establish internal policies and procedures 
governing Treasury officer and employee access to BOI. These policies 
and procedures will ensure that FinCEN discloses BOI only to Treasury 
officers or employees with official duties requiring BOI access, or for 
tax administration.
    Furthermore, FinCEN does not believe that BOI reported to it is 
``return information'' subject to the disclosure limitations on tax-
related information under the Internal Revenue Code (26 U.S.C. 6103). 
Since BOI is information reported to FinCEN to fulfill a reporting 
requirement under Title 31 of the United States Code, it does not fall 
within the definition of ``return information'' at 26 U.S.C. 
6103(b)(2), which is defined to include information received by the 
Secretary in connection with determining ``a person's liability (or the 
amount thereof) . . . under this title''--i.e., Title 26 containing the 
Internal Revenue Code. The CTA instead provides particular security and 
confidentiality requirements to govern the protection and disclosure of 
BOI, which this final rule implements.
    In accordance with the detailed security and confidentiality 
requirements in the CTA, the final rule expressly imposes robust 
requirements on ``requesting agencies'' outside of the Treasury 
Department. Similarly, Treasury access to BOI will be governed by 
internal procedures and safeguards consistent with the CTA. FinCEN 
anticipates that these internal procedures and safeguards will be 
comparable to, and include elements of, the security and 
confidentiality requirements in 31 CFR 1010.955(d)(1) taking into 
account Treasury's unique role in administering the BO IT system and 
framework. Officers and employees identified as having duties 
potentially requiring access to BOI would receive training on, among 
other topics, determining when their duties require access to BOI, what 
they can do with the information, and how to handle and safeguard it. 
Their activities would also be subject to audit.
b. Disclosure for Tax Administration Purposes
    Proposed Rule. Proposed 31 CFR 1010.955(b)(5)(ii) permits 
disclosure of BOI to officers or employees of the Department of the 
Treasury for tax administration as defined in 26 U.S.C. 6103(b)(4), 
subject to internal procedures and safeguards.
    Comments Received. Several commenters suggested that use of BOI for 
tax administration purposes should be further clarified. Comments asked 
for greater specificity on tax administration uses, and one commenter 
requested clarification on the ``analytical'' use of BOI referenced in 
the NPRM, as applied to tax administration. Another commenter stated 
that use by Treasury should be limited to the purposes of the CTA.
    Final Rule. FinCEN adopts the proposed rule. As explained in the 
NPRM, FinCEN interprets the term ``tax administration,'' as employed in 
the CTA, to have the meaning provided for in 26 U.S.C. 6103(b)(4). 
Accordingly, in the context of tax administration, use of BOI in an 
``analytical'' capacity would be delimited by this definition. Further, 
as explained in the NPRM, FinCEN believes that adopting the 26 U.S.C. 
6103(b)(4) definition of tax administration is appropriate because 
Treasury officers and employees who administer tax laws are already 
familiar with it and have a clear understanding of the activity it 
covers. FinCEN also believes the definition is broad enough to avoid 
inadvertently excluding a tax administration-related activity that 
would be undermined by lack of access to BOI. In response to the 
proposal that FinCEN limit access to matters within the scope of the 
CTA, FinCEN declines to make this proposed amendment and notes that the 
CTA specifically provides that officers and employees of the Treasury 
may obtain access to beneficial ownership information for ``tax 
administration purposes'' generally.
vi. Other Disclosures and Related Issues
    Proposed Rule. Consistent with the CTA, proposed 31 CFR 1010.955(b) 
limits disclosure of BOI by FinCEN, and corresponding access to BOI, to 
certain categories of recipients. The NPRM included a question for 
comment about whether there are additional circumstances not reflected 
in this proposed rule when the CTA would authorize FinCEN to disclose 
BOI.
    Comments Received. Commenters suggested additional categories of 
authorized recipients and additional recipients within categories 
already proposed in the NPRM. Within government channels, commenters 
proposed that FinCEN should make BOI available to public authorities 
involved in public procurement at both the Federal and state level and 
to those with audit authority over BOI--the Government Accountability 
Office (GAO) and Treasury OIG. Commenters also stated that additional 
financial institutions should have access to BOI, including money 
services businesses (MSBs). Another commenter, however,

[[Page 88761]]

asked for confirmation that financial institutions with access to BOI 
will be limited to ``covered financial institutions'' as defined in 31 
CFR 1010.230(f). Several commenters stated that real estate 
professionals, such as land title agencies and real estate settlement 
agents, should be permitted to access BOI. These commenters stated such 
access would facilitate compliance with laws regarding foreign 
ownership of agricultural land and FinCEN's real estate geographic 
targeting orders (GTOs), among other common business practices. 
Commenters also stated that entities that assist financial institutions 
with customer due diligence and beneficial ownership data analysis, 
such as regulatory technology (RegTech) firms and beneficial ownership 
data service providers, should be able to access and request BOI from 
FinCEN on behalf of a financial institution. One commenter noted that 
such entities are ``contractors'' or ``agents'' of financial 
institutions. Another commenter noted that access should be broadened 
to include non-governmental organizations, journalists, and eventually 
the public, to align with global standards.
    Several commenters asked whether and how BOI would be authenticated 
before disclosure for purposes of a proceeding governed by rules of 
evidence. Two commenters focused their concern on authentication in 
foreign courts, focusing on a statement in the preamble to the NPRM 
regarding the authentication of BOI in international sharing 
arrangements. That statement indicated that ``[w]here a request for BOI 
includes a request that the information be authenticated for use in a 
legal proceeding in the foreign country making the request, FinCEN may 
establish a process for providing such authentication via MOU with the 
relevant intermediary Federal agency.'' These commenters conveyed that 
FinCEN should issue a blanket rule authorizing all Federal agencies 
that transmit BOI to authenticate such records, rather than doing so 
through ad hoc agreements.
    One of the same commenters asked that the rule be clarified to 
allow Federal, State, local, and Tribal agencies to themselves 
authenticate BOI obtained from FinCEN, rather than requiring FinCEN to 
authenticate the records in each case. The commenter was concerned that 
if FinCEN must certify the authenticity of these records in every case, 
then it could create an administrative chokepoint that could impede 
civil and criminal actions.
    Final Rule. FinCEN declines to make further changes to the 
categories of recipients to which BOI may be disclosed. The proposed 
rule aligns with the CTA in limiting disclosure to the categories of 
recipients FinCEN has already identified. The CTA does not provide for 
FinCEN to disclose BOI to non-governmental organizations, journalists, 
or the public.
    FinCEN notes, however, that the CTA and the final rule permit 
disclosure to some of the specific recipients commenters suggested 
within those categories. Regarding additional disclosures for 
government users, FinCEN reiterates that authorities with audit 
requirements such as the GAO and Treasury OIG will have the ability to 
complete these statutorily mandated activities. FinCEN anticipates 
working with the GAO to ensure access to BOI as required by the 
CTA,\159\ and as permitted by 31 U.S.C. 716(a).\160\ Treasury OIG will 
have access to BOI under the specific CTA and final rule provision for 
employees and officers of the Department of the Treasury.\161\ 
Regarding access for procurement-related purposes, FinCEN expects that 
it will be able to disclose BOI to government agencies for such 
purposes when the procurement or the review of the procurement is an 
activity for which FinCEN is otherwise authorized to disclose BOI, 
e.g., a national security, law enforcement, or intelligence activity.
---------------------------------------------------------------------------

    \159\ See 31 U.S.C. 5336(c)(10); see also Anti-Money Laundering 
Act of 2020, section 6502.
    \160\ 31 U.S.C. 716(a) entitles GAO to ``obtain such agency 
records as . . . require[d] to discharge [its] duties . . . .'' Only 
certain foreign intelligence records and agency records 
``specifically exempted from disclosure to the Comptroller General 
by a statute'' fall outside this requirement. Id. at 716(d)(1). 
Indeed, 31 U.S.C. 716 expressly contemplates agencies' disclosure of 
confidential information to GAO, requiring GAO to ``maintain the 
same level of confidentiality'' over records disclosed to it as is 
required of the agency responsible for the record. Id. at 716(e)(1).
    \161\ See 31 U.S.C. 5336(c)(5).
---------------------------------------------------------------------------

    Discussion about which types of financial institutions will have 
access to BOI is included in section III.C.iv.a. With respect to the 
question of whether FinCEN may disclose BOI to RegTech firms, 
beneficial ownership data service providers, due diligence vendors, or 
other third-party service providers to financial institutions, FinCEN 
believes that the final rule authorizes the disclosure of FinCEN BOI to 
such services providers provided that they and their employees are 
``agents'' or ``contractors'' of a financial institution with access to 
BOI and are performing a function on behalf of the financial 
institution that requires direct access to it. If a financial 
institution relies on a service provider or other contractor to 
request, obtain, and access BOI, the financial institution will 
ultimately be responsible for the activity of any service provider or 
contractor accessing BOI on its behalf. Service providers that are 
agents or contractors of a financial institution authorized to access 
BOI will be able to request and access BOI through accounts associated 
with that financial institution. It will be the financial institution's 
responsibility to ensure that its service providers or other such 
contractors comply with all applicable obligations, including 
requirements to protect and store BOI in compliance with the rule, and 
ensuring that BOI is used for appropriate purposes. Additionally, 
service providers and other contractors will not be permitted to use 
the BOI accessed on behalf of a financial institution for any purpose 
not authorized by the CTA or FinCEN's regulations. For example, BOI 
requested by a service provider on a financial institution's behalf 
cannot be integrated into downstream services that the service provider 
makes accessible to other financial institutions. When requesting BOI 
for a financial institution, a service provider or contractor is acting 
for or on behalf of this specific financial institution; it cannot 
repurpose BOI for the contractor's own use, such as data aggregation, 
or for the use of other financial institutions.
    Regarding authentication of BOI, FinCEN declines to add a specific 
regulatory provision to address this issue. With respect to foreign 
countries, foreign laws will govern what constitutes an authenticated 
record in a particular legal proceeding. Many foreign countries have 
developed information sharing arrangements for criminal, civil, or 
other investigations or proceedings. These arrangements include Mutual 
Legal Assistance Treaties (MLATs), multilateral conventions, and other 
agreements that are typically consistent with a foreign country's rules 
concerning authentication. In most such international arrangements, the 
U.S. Department of Justice's Office of International Affairs (DOJ/OIA) 
is the intermediary Federal agency that would receive information from 
FinCEN and transmit it to the requesting foreign authority.
    In some cases, a foreign country's laws may require FinCEN, as the 
records custodian of BOI, to certify the information's authenticity. 
Some foreign countries may require that DOJ/OIA certify the 
authenticity of the BOI, while others still might require that both 
agencies provide a certification. The preamble to the NPRM explained:


[[Page 88762]]


    Where a request for BOI includes a request that the information 
be authenticated for use in a legal proceeding in the foreign 
country making the request, FinCEN may establish a process for 
providing such authentication via MOU with the relevant intermediary 
Federal agency. Such process may include an arrangement where FinCEN 
searches the beneficial ownership IT system and provides the 
information and related authentication to the intermediary Federal 
agency consistent with the terms of the relevant MOU.\162\
---------------------------------------------------------------------------

    \162\ 87 FR at 77414-15.

    This approach allows for variations in the requests for 
authentication that may come from foreign countries. All government 
agencies obtaining BOI from FinCEN, including those transmitting BOI to 
foreign countries, will be required to enter into an MOU with FinCEN in 
order to ensure that all domestic agencies have appropriate protocols 
in place to ensure the proper handling and use of BOI. FinCEN will take 
into consideration the question of authentication in crafting its MOUs 
with intermediary Federal agencies such as OIA.
    FinCEN did not accept the proposal that the regulation should be 
altered to allow State, local, and Tribal agencies to themselves 
authenticate BOI they obtain from FinCEN, that is, without obtaining a 
certificate of authenticity or other form of evidentiary authentication 
from FinCEN. The authentication of evidence depends on the operation of 
applicable law. For example, state-level rules of evidence often 
require documents maintained by Federal agencies to be authenticated by 
the affixing of the official seal of the agency, a statement or 
testimony by a designated custodian of those records by the agency, or 
some other certification of authenticity by the agency.\163\ Each 
jurisdiction has its own applicable rules of evidence, however, and may 
not require certification by a Federal agency. FinCEN declines to issue 
a blanket rule on authentication, as such a rule would be hard to craft 
given the variation in State, local, and Tribal procedures and would 
invite needless confusion on the interaction between State, local, or 
Tribal rules of evidence and FinCEN's rule. FinCEN believes that 
existing laws will suffice to provide for authentication of BOI.
---------------------------------------------------------------------------

    \163\ See, e.g., Fed. R. Evid. 902(1)-(2), (4).
---------------------------------------------------------------------------

D. Use of Information

i. Use of Information by Authorized Recipients
    Proposed Rule. Proposed 31 CFR 1010.955(c)(1) provided generally 
that authorized recipients shall use BOI received from FinCEN ``only 
for the particular purpose or activity for which such information was 
disclosed,'' unless otherwise authorized by FinCEN. In the unique case 
of a Federal agency that receives information pursuant to 31 CFR 
1010.955(b)(3) (Disclosure for Use in Furtherance of Foreign National 
Security, Intelligence, or Law Enforcement Activity), the rule more 
specifically provided that the Federal agency shall only use it to 
facilitate a response to that foreign request for assistance. In other 
words, the proposed rule limits the use of BOI by an intermediary 
Federal agency to facilitating a response to a proper request for BOI 
from a foreign requester.
    Comments Received. One commenter suggested deleting the word 
``only'' from proposed 31 CFR 1010.955(c)(1) and adding language that 
would allow BOI to be used for any CTA-authorized purpose for that 
agency once FinCEN disclosed it. This commenter raised practical 
concerns about the restriction that BOI obtained from FinCEN only be 
used for the particular purpose or activity for which the information 
was disclosed, noting that this could lead to multiple requests to 
FinCEN for the same information by the same agency. They then provided 
the example of a Federal functional regulator obtaining BOI, and then 
realizing it would be critical for a legal action.
    Final Rule. FinCEN adopts the proposed rule with two revisions to 
the first sentence of 31 CFR 1010.955(c)(1). First, FinCEN amends this 
sentence to begin ``[e]xcept as permitted under paragraph (c)(2) of 
this section,'' instead of ``[u]nless otherwise authorized by FinCEN.'' 
Second, FinCEN has added the phrase ``shall not further disclose such 
information to any other person'' to this sentence, so that the first 
sentence of 31 CFR 1010.955(c)(1) of the final rule reads: ``Except as 
permitted under paragraph (c)(2) of this section, any person who 
receives information disclosed by FinCEN under paragraph (b) of this 
section shall not further disclose such information to any other 
person, and shall use such information only for the particular purpose 
or activity for which such information was disclosed.''
    Both of these newly added phrases were (with minor, non-substantive 
differences) previously contained in proposed 31 CFR 
1010.955(c)(2)(ix), the last provision of proposed Sec.  1010.955(c), 
and establish that recipients of BOI under Sec.  1010.955(b) may only 
re-disclose that BOI when authorized under Sec.  1010.955(c)(2). Given 
the importance of this limitation to BOI use generally, FinCEN 
determined that this text should be given greater prominence at the 
beginning, rather than placed at the end, of Sec.  1010.955(c)'s 
provisions governing the use of BOI.\164\ FinCEN also continues to 
believe that limiting the use of BOI by authorized recipients to the 
``particular purpose or activity for which such information was 
disclosed'' is necessary to reflect the general expectation in the CTA 
that authorized recipients should not obtain BOI for one authorized 
activity and then use it for another, unrelated purpose. Thus, for 
example, a Federal agency officer, employee, contractor, or agent who 
obtains BOI from FinCEN for use in furtherance of national security 
activity would be authorized to use that BOI only for the particular 
national security activity for which the request was made. With respect 
to the commenter's suggestion to delete the word ``only'' from this 
paragraph, FinCEN believes such a change is unnecessary. With respect 
to the commenter's suggestion to add language to allow BOI to be used 
for any CTA-authorized purpose for that agency, FinCEN declines to 
adopt this suggestion. FinCEN believes that such an authorization would 
be overbroad and would run counter to the disclosure framework and 
oversight, audit, and access protocols of the CTA and the proposed 
rule. Further, as described in proposed 31 CFR 1010.955(c)(2), FinCEN 
has proposed to allow the re-disclosure of BOI in certain specified 
circumstances to further the goals of the CTA, subject to applicable 
security and confidentiality requirements.
---------------------------------------------------------------------------

    \164\ As discussed below in section III.D.ii.e. (Re-Disclosure 
with Written Consent of FinCEN), FinCEN's decision to move this 
language to 31 CFR 1010.955(c)(1) was also based in part on FinCEN's 
consideration of a commenter recommending an alteration to proposed 
1010.955(c)(2)(ix).
---------------------------------------------------------------------------

ii. Disclosure of Information by Authorized Recipients
    Proposed Rule. Proposed 31 CFR 1010.955(c)(1) would establish a 
blanket prohibition on the ``re-disclosure'' of BOI by an authorized 
recipient unless such disclosure is authorized by FinCEN. However, 
provided that the authorized recipient abides by applicable security 
and confidentiality requirements, the proposed rule would permit 
authorized recipients to re-disclose BOI in eight circumstances, as 
summarized here:
    1. Officers, employees, contractors, or agents of a Federal, State, 
local or Tribal agency may disclose BOI to other officers, employees, 
contractors, or agents within the same organization for the particular 
purpose or activity for which the BOI was requested (proposed Sec.  
1010.955(c)(2)(i)).
    2. Officers, employees, contractors, or agents of a financial 
institution may

[[Page 88763]]

disclose BOI to other officers, employees, contractors, or agents 
within the United States of the same financial institution for the 
particular purpose or activity for which the BOI was requested 
(proposed Sec.  1010.955(c)(2)(ii)).
    3. Officers, employees, contractors, or agents of a financial 
institution may disclose BOI to the financial institution's Federal 
functional regulator, a self-regulatory organization that is registered 
with or designated by a Federal functional regulator pursuant to 
Federal statute, or other appropriate regulatory agency, that meets the 
requirements identified in proposed 31 CFR 1010.955(b)(4)(ii)(A) 
through (C) (proposed Sec.  1010.955(c)(2)(iii)).\165\
---------------------------------------------------------------------------

    \165\ Proposed 31 CFR 1010.955(b)(4)(ii)(A) through (C) provide 
that the agency--
    ``(A) [i]s authorized by law to assess, supervise, enforce, or 
otherwise determine the compliance of such financial institution 
with customer due diligence requirements under applicable law; (B) 
[w]ill use the information solely for the purpose of conducting the 
assessment, supervision, or authorized investigation or activity 
described in paragraph (b)(4)(ii)(A) of this section; and (C) [h]as 
entered into an agreement with FinCEN providing for appropriate 
protocols governing the safekeeping of the information.''
---------------------------------------------------------------------------

    4. Any officer, employee, contractor, or agent of a Federal 
functional regulator may disclose BOI to a self-regulatory organization 
that is registered with or designated by the Federal functional 
regulator, provided that the self-regulatory organization meets the 
requirements of proposed 31 CFR 1010.955(b)(4)(ii)(A) through (C) 
(proposed Sec.  1010.955(c)(2)(iv)).
    5. Any officer, employee, contractor, or agent of a Federal agency 
that receives BOI from FinCEN after requesting it on behalf of a 
foreign authority pursuant to proposed Sec.  1010.955(b)(3) may 
disclose the BOI to the foreign person on whose behalf the Federal 
agency made the request (proposed Sec.  1010.955(c)(2)(v)).
    6. Any officer, employee, contractor, or agent of a Federal agency 
engaged in a national security, intelligence, or law enforcement 
activity, or any officer, employee, contractor, or agent of a State, 
local, or Tribal law enforcement agency may disclose BOI to a court of 
competent jurisdiction or parties to a civil or criminal proceeding 
(proposed Sec.  1010.955(c)(2)(vi)).
    7. Any officer, employee, contractor, or agent of a Federal agency 
that receives BOI from FinCEN pursuant to 31 CFR 1010.955(b)(1) 
(Federal agencies engaged in national security, intelligence, or law 
enforcement activity), (b)(4)(ii) (Federal functional regulators or 
other appropriate regulatory agencies), or (b)(5) (The Department of 
the Treasury) may disclose BOI to the United States Department of 
Justice for purposes of making a referral to the Department of Justice 
or for use in litigation related to the activity for which the 
requesting agency requested the information (proposed Sec.  
1010.955(c)(2)(vii)).
    8. A foreign authority specified in proposed Sec.  1010.955(b)(3) 
may disclose and use BOI consistent with the international treaty, 
agreement, or convention under which the request for BOI was made 
(proposed Sec.  1010.955(c)(2)(viii)).
    In addition to these eight circumstances, the proposed rule 
contains a catch-all, proposed 31 CFR 1010.955(c)(2)(ix), that would 
permit FinCEN to authorize the re-disclosure of BOI by an authorized 
recipient, so long as the re-disclosure is for an authorized purpose. 
To this end, proposed 31 CFR 1010.955(c)(2)(ix) specified that, except 
as described above, any information disclosed by FinCEN under proposed 
31 CFR 1010.955(b) shall not be further disclosed to any other person 
for any purpose without the prior written consent of FinCEN, or as 
authorized by applicable protocols or guidance that FinCEN may issue.
    In sum, the proposed rule would permit the re-disclosure of BOI by 
authorized recipients in limited circumstances that further the core 
underlying national security, intelligence, and law enforcement 
objectives of the CTA while at the same time ensuring that BOI is 
disclosed only where appropriate for those purposes. Generally, 
authorized re-disclosures would be subject to protocols designed, as 
with those applicable to initial disclosures of BOI from the BO IT 
system, to protect the security and confidentiality of BOI.
a. Re-Disclosure--In General
    Comments Received. Several commenters approved of the approach in 
the proposed rule permitting certain broad categories of re-disclosure, 
and not requiring a case-by-case determination by FinCEN. On the other 
hand, several commenters felt that, as written, the scope of the 
authorized re-disclosure of BOI was too limiting. One commenter 
proposed that FinCEN consider creating a special ``amended request'' 
form for situations in which an agency or a financial institution 
requests BOI and then comes back to FinCEN to request authorization to 
re-disclose that BOI, rather than requiring separate requests for the 
BOI and subsequent re-disclosure authorization.
    Several commenters felt that the proposed re-disclosure provisions 
would unduly restrict the use of the BOI. They raised concerns about 
repeatedly needing to return to FinCEN for requests to use the same BOI 
for one purpose, then another, in the course of, for example, a 
regulatory examination. Two commenters expressed concern that the 
proposed rule might not permit re-disclosure in open court.
    Commenters raised several other, more specific issues related to 
re-disclosure that are discussed elsewhere in this preamble.\166\
---------------------------------------------------------------------------

    \166\ Such topics include re-disclosure to outside contractors 
and agents, re-disclosure to state examiners, re-disclosure within a 
financial institution to persons and directors responsible for 
monitoring compliance with customer due diligence rules, re-
disclosure related to 314(b) sharing, and geographic limitations on 
re-disclosure.
---------------------------------------------------------------------------

    Final Rule. FinCEN adopts the proposed rule with several 
modifications described in subsections below. Specifically, FinCEN 
inserted a new 31 CFR 1010.955(c)(2)(viii) to allow a re-disclosure of 
BOI by State, local, and Tribal law enforcement agencies to State, 
local, and Tribal agencies for the purpose of making a referral for 
possible prosecution by that agency, or for use in litigation related 
to the activity for which the requesting agency requested the 
information (discussed in greater detail below). FinCEN also renumbered 
31 CFR 1010.955(c)(2)(ix) as 31 CFR 1010.955(c)(2)(x) to account for 
the insertion of the new paragraph (c)(2)(viii) and revised the text of 
that paragraph.
    Concerning comments that the proposed rule might not permit re-
disclosure in open court, proposed 31 CFR 1010.955(c)(2)(vi) would 
permit re-disclosure ``to a court of competent jurisdiction or parties 
to a civil or criminal proceeding,'' including, in the appropriate 
circumstance, in open court. Further, this rule would also permit re-
disclosure to a court of competent jurisdiction in broader settings 
such as in an application for a search warrant or a warrant pursuant to 
the Foreign Intelligence Surveillance Act. Thus, no changes to the 
proposed rule are needed to allow for the disclosure of BOI in these 
circumstances.
    As to the comment that FinCEN consider an ``amended request'' form, 
FinCEN will consider the appropriate process for requesting 
authorization to re-disclose BOI and will issue guidance for such 
requests when implementing the final rule.
b. Re-Disclosure--Law Enforcement
    Proposed Rule. As described above, the proposed rule would permit 
re-

[[Page 88764]]

disclosure of BOI for law enforcement purposes by Federal, State, 
local, or Tribal agencies in several contexts. As relevant here, under 
the proposed rule, Federal, State, local, or Tribal agencies that 
receive BOI from FinCEN pursuant to a request under 31 CFR 
1010.955(b)(1) or (2) would be permitted to re-disclose BOI to a court 
of competent jurisdiction or parties to a civil or criminal proceeding 
(proposed Sec.  1010.955(c)(2)(vi)); and agencies that receive BOI 
under 31 CFR 1010.955(b)(1) (Federal agencies engaged in national 
security, intelligence, or law enforcement activities), (b)(4)(ii) 
(Federal functional regulators or other appropriate regulatory 
agencies), or (b)(5) (the Department of the Treasury) would be 
permitted to re-disclose BOI to the United States Department of Justice 
(DOJ) for purposes of making a referral to DOJ or for use in litigation 
related to the activity for which the requesting agency requested the 
information (proposed Sec.  1010.955(c)(2)(vii)).
    Comments Received. One commenter noted that State, local, and 
Tribal law enforcement agencies did not have a rule analogous to Sec.  
1010.955(c)(2)(vii) that would permit re-disclosure of BOI to State, 
local, or Tribal prosecutors for purposes of making a case referral, 
and recommended the addition of such a rule. The commenter suggested 
amending proposed 31 CFR 1010.955(c)(2)(vi) to insert ``to any officer, 
employee, contractor, or agent of an attorney general, district 
attorney'' after the word ``jurisdiction,'' in order to enable such re-
disclosure.
    Another commenter noted that, at times, law enforcement and 
regulatory agencies engage in joint investigations--that is, multiple 
agencies investigate a single fact pattern, sharing information among 
themselves. The commenter proposed that FinCEN clarify that 
authorization from FinCEN is not needed for re-disclosure within a 
joint investigation.
    Commenters expressed concern that the re-disclosure rules would 
prevent effective use of BOI by law enforcement. For example, 
authorized recipients outside of law enforcement would be prohibited 
from providing the information to law enforcement without first going 
to FinCEN to obtain permission to re-disclose that information. One 
commenter suggested an edit to proposed 31 CFR 1010.955(c)(2)(ix), the 
catch-all provision permitting FinCEN to authorize re-disclosure of 
BOI, to permit an authorized recipient to disclose BOI to a Federal 
agency engaged in national security, intelligence, law enforcement 
activities, or a Federal regulatory agency when in the judgment of that 
person re-disclosure would be in the public interest and would assist 
in combatting illicit finance.
    Final Rule. FinCEN modifies the proposed rule to include an 
additional re-disclosure authorization for State, local, and Tribal law 
enforcement agencies, what is now 31 CFR 1010.955(c)(2)(viii), as noted 
above. FinCEN agrees that State, local, and Tribal law enforcement 
agencies should be permitted to disclose BOI for the purpose of making 
a referral to another State, local, or Tribal agency for possible 
prosecution. Although such disclosures may be covered by proposed 31 
CFR 1010.955(c)(2)(vi) in certain contexts, FinCEN is electing to 
expand 31 CFR 1010.955(c)(2) to include a new provision, 31 CFR 
1010.955(c)(2)(viii), to explicitly address such disclosures. FinCEN 
declines the proposed edits to 31 CFR 1010.955(c)(2)(vi) as that 
paragraph is intended to apply to active litigation matters.
    FinCEN recognizes that at times agencies engage in joint 
investigations; that is, multiple agencies work together on a single 
investigation. Federal agencies that are a part of a task force to 
target specific criminal activity, such as drug trafficking or 
corruption, may also need to share BOI within the task force. In such 
cases, it would be more efficient for the agencies involved to share 
BOI directly among themselves instead of each agency having to 
separately request the same BOI from FinCEN.\167\ FinCEN did not 
include a provision permitting re-disclosure in joint investigations or 
task forces in the proposed rule, but it did explicitly address joint 
investigations and task forces in the preamble to the proposed rule. 
There, FinCEN indicated that it would evaluate requests to share BOI in 
the context of a joint investigation or task force under its 
discretionary re-disclosure authority under proposed 31 CFR 
1010.955(c)(2)(ix).
---------------------------------------------------------------------------

    \167\ 87 FR at 77419.
---------------------------------------------------------------------------

    FinCEN recognizes that sharing between agencies in the context of 
joint investigations or task forces is consistent with the CTA's 
direction that BOI should be used to advance law enforcement interests. 
However, joint investigations and task forces come in many potential 
permutations--for example, multiple Federal agencies, a mix of Federal 
and state agencies, state and Tribal agencies, multiple state agencies, 
etc. Each such permutation raises unique issues. For example, in a 
joint investigation between Federal and state law enforcement agencies, 
do the agencies have to provide FinCEN both a request from Federal law 
enforcement under 31 CFR 1010.955(b)(1) and a court authorization under 
31 CFR 1010.955(b)(2), or would one type of process suffice? If a 
Federal law enforcement agency obtained BOI for the purpose of 
investigating Federal crimes, could it re-disclose that information to 
a state law enforcement agency for its purpose in investigating state 
crimes? Does a task force consisting of both state and Tribal law 
enforcement agencies need to obtain a court authorization from multiple 
courts of competent jurisdiction, or just one? It would be difficult to 
establish a regulation that would resolve all of these issues, and even 
attempting to do so in a regulation runs the risk of further 
complicating the issue.
    For these reasons, FinCEN is not creating a specific re-disclosure 
provision in 31 CFR 1010.955(c)(2) that would address these scenarios. 
Instead, FinCEN will address joint investigations and task forces in 
future guidance, with an eye toward issuing guidance that captures the 
most common or straightforward circumstances, and in more unusual or 
complex situations evaluating specific re-disclosure requests on a 
case-by-case basis under its 31 CFR 1010.955(c)(2)(x) authority to 
approve in writing re-disclosure of BOI in furtherance of an authorized 
purpose or activity. This approach permits FinCEN greater flexibility 
in crafting appropriate rules for varied circumstances.
    As noted, one commenter stated that FinCEN should permit an 
authorized recipient to re-disclose BOI to a Federal agency engaged in 
national security, intelligence, law enforcement activities, or a 
Federal regulatory agency, when in the judgment of that person, re-
disclosure would be in the public interest and would assist in 
combating illicit finance. FinCEN finds such a provision to be too 
vague and subjective to be implementable. The CTA prohibits re-
disclosure of beneficial ownership information except as authorized in 
the protocols promulgated by regulation, thereby leaving it to FinCEN 
to establish the appropriate re-disclosure rules.\168\ FinCEN is 
promulgating rules to permit the re-disclosure of beneficial ownership 
information under certain, limited circumstances that would further the 
core underlying national security, intelligence, and law

[[Page 88765]]

enforcement objectives of the CTA while at the same time ensuring that 
BOI is disclosed only where appropriate for those purposes. However, 
the proposed change suggests supplementing objective standards with the 
subjective judgment of any person in receipt of BOI. This proposal is 
beyond the confines of the CTA's disclosure provisions. Although the 
number of cases in which BOI would need to be disclosed to law 
enforcement as a matter of emergency is likely to be quite low, FinCEN 
will consider future guidance on this topic.
---------------------------------------------------------------------------

    \168\ 31 U.S.C. 5336(c)(2)(A). The CTA appears to presume that 
some re-disclosure will be permitted when it requires requesting 
agencies to keep records related to their requests, including of 
``any disclosure of beneficial information made by . . . the 
agency.'' 31 U.S.C. 5336(c)(3)(H).
---------------------------------------------------------------------------

c. Re-Disclosure--Financial Institutions
    Proposed Rule. Proposed 31 CFR 1010.955(c)(2)(ii) would authorize 
any director, officer, employee, contractor, or agent of a financial 
institution who received BOI from FinCEN to re-disclose the information 
to another director, officer, employee, contractor, or agent within the 
United States of the same financial institution for the particular 
purpose or activity for which the BOI was requested, consistent with 
the security and confidentiality requirements of 31 CFR 1010.955(d)(2). 
Proposed 31 CFR 1010.955(c)(2)(iii) would further authorize financial 
institutions to re-disclose BOI received from FinCEN to regulators--
specifically, Federal functional regulators, specified SROs, and other 
appropriate regulatory agencies--that meet the requirements identified 
in paragraphs (b)(4)(ii)(A) through (C) of the proposed rule. Financial 
institutions would be able to rely on a Federal functional regulator, 
SRO, or other appropriate regulatory agency's representation that it 
meets the requirements.
    Comments Received. Commenters generally opposed the requirement in 
proposed 31 CFR 1010.955(c)(2)(ii) and 31 CFR 1010.955(d)(2)(i) that 
financial institutions limit disclosure of BOI obtained from FinCEN 
under the CTA to directors, officers, employees, contractors, and 
agents physically present within the United States. These comments and 
FinCEN's response to them are consolidated in the discussion of 
proposed 31 CFR 1010.955(d)(2)(i) in section III.E.ii.a below.
    Several comments interpreted these proposed authorizations as 
prohibitions against financial institutions disclosing BOI to 
directors, officers, employees, contractors, or agents. One commenter 
asked FinCEN to include safe harbor provisions to permit employees to 
share BOI within their institutions according to that institution's 
policies and procedures. Other comments asked FinCEN to state 
explicitly that the proposed rule would authorize BOI disclosure 
``enterprise-wide,'' as well as to certain specific parties. These 
specific parties were (1) internal and external auditors; (2) legal and 
compliance personnel; (3) state regulators; (4) affiliated financial 
institutions and other financial institutions involved in syndicated 
loans; (5) other financial institutions under USA PATRIOT Act section 
314(b); and (6) third-party service providers, including RegTech 
companies.
    Final Rule. FinCEN adopts proposed 31 CFR1010.955(c)(2)(ii) and 
(iii) without change, other than deletion of the phrase ``within the 
United States,'' the reasons for which will be discussed in section 
III.E.ii.a below. As indicated above, 31 CFR 1010.955(c)(2)(ii) does 
not prohibit financial institution directors, officers, employees, 
contractors, or agents from re-disclosing BOI received from FinCEN to 
one another, but rather authorizes them to do so, provided re-
disclosure is for the particular purpose or activity for which the BOI 
was requested. ``Employees'' might include, among others, a financial 
institution's internal legal and compliance personnel. ``Contractors'' 
and ``agents'' might include any individual or entity providing 
services by contract, including, for example, outside counsel, 
auditors, and providers of data analysis software tools.
    FinCEN views state regulators that meet the requirements identified 
in paragraphs (b)(4)(ii)(A) through (C) of the final rule as ``other 
appropriate regulatory agencies'' to which financial institutions may 
re-disclose BOI from FinCEN under 31 CFR 1010.955(c)(2)(iii).
    FinCEN understands that financial institutions might want or need 
to re-disclose BOI from FinCEN to parties that are not their directors, 
officers, employees, contractors, agents, or regulators. Examples 
provided in comments include affiliated financial institutions, other 
financial institutions involved in syndicated loan agreements, and 
other financial institutions eligible to participate in section 314(b) 
information sharing. Another example might be an external compliance 
monitor appointed as part of a civil or criminal enforcement matter. 
These are typically complex arrangements with highly variable facts and 
circumstances that do not lend themselves well to one broad regulation. 
FinCEN will therefore address these issues in future guidance, with an 
eye toward evaluating specific re-disclosure requests on a case-by-case 
basis under its 31 CFR 1010.955(c)(2)(x) authority to approve in 
writing re-disclosure of BOI in furtherance of an authorized purpose or 
activity.
d. Re-Disclosure Required by Law
    Proposed Rule. The proposed rule did not provide for explicit 
directions for responding to legal demands for BOI.
    Comments Received. Several commenters requested that the rule 
contain specific processes for responding to legal demands for BOI. For 
example, a commenter asked how a financial institution should respond 
to a law enforcement subpoena for BOI obtained from FinCEN. Another 
commenter asked that FinCEN treat BOI like SAR information and issue a 
prohibition on re-disclosure of BOI by financial institutions in 
response to legal process.
    Final Rule. FinCEN recognizes the issues that may be raised when 
compulsory legal process--such as a court order or grand jury 
subpoena--calls for the production of BOI obtained from FinCEN. The 
resolution of these issues is most appropriate for post-rule guidance. 
FinCEN will seek to address these issues in future guidance or through 
specific re-disclosure requests under its 31 CFR 1010.955(c)(2)(x) 
authority to approve in writing re-disclosure of BOI in furtherance of 
an authorized purpose or activity.
e. Re-Disclosure With Written Consent of FinCEN
    Proposed Rule. Proposed 31 CFR 1010.955(c)(2)(ix) would prohibit 
the re-disclosure of BOI obtained under proposed 31 CFR 1010.955(b) 
other than as permitted in proposed 31 CFR 1010.955(c)(2), and would 
permit FinCEN to authorize the re-disclosure of BOI in other 
circumstances via written consent, or through applicable protocols or 
guidance that FinCEN may issue.
    Comments Received. One commenter recommended removing the first 
sentence of proposed Sec.  1010.955(c)(2)(ix) as redundant given 
proposed 31 CFR 1010.955(a), the baseline prohibition on re-disclosure. 
The language the commenter suggested removing reads, ``[e]xcept as 
described in this paragraph (c)(2), any information disclosed by FinCEN 
under paragraph (b) of this section shall not be further disclosed to 
any other person for any purpose without the prior written consent of 
FinCEN, or as authorized by applicable protocols or guidance that 
FinCEN may issue.''
    Final Rule. FinCEN adopts proposed 31 CFR 1010.955(c)(2)(ix) with 
technical and organizational changes. First, FinCEN made a minor 
technical update to renumber 31 CFR 1010.955(c)(2)(ix) as 31 CFR 
1010.955(c)(2)(x) to reflect the insertion of the new 31 CFR 
1010.955(c)(2)(viii). Second, FinCEN

[[Page 88766]]

considered the comment which suggested the removal of the first 
sentence of proposed 31 CFR 1010.955(c)(2)(ix). Although there is some 
overlap with 31 CFR 1010.955(a), FinCEN believes that the first 
sentence of this provision is important to clarify the obligations of 
authorized recipients of BOI with respect to the re-disclosure of such 
information once they have obtained it. However, as described above in 
section III.D.i (Use of Information by Authorized Recipients), FinCEN 
concluded that language describing this obligation was better placed in 
31 CFR 1010.955(c)(1) given its importance and general applicability. 
Accordingly, FinCEN removed the portions of the first sentence of 
proposed 31 CFR 1010.955(c)(2)(ix) prohibiting re-disclosure of BOI, 
except as permitted in Sec.  1010.955(c)(2), and inserted them into the 
first sentence of 31 CFR 1010.955(c)(1).
    FinCEN retained the proposed provision providing that FinCEN may 
authorize further re-disclosures of BOI not otherwise permitted under 
Sec.  1010.955(c)(2) by prior written consent or ``by applicable 
protocols or guidance that FinCEN may issue,'' but moved this 
limitation into the remaining sentence in new 31 CFR 1010.955(c)(2)(x). 
This part now reads, ``FinCEN may by prior written authorization, or by 
protocols or guidance that FinCEN may issue, authorize persons to 
disclose information obtained pursuant to paragraph (b) of this section 
in furtherance of a purpose or activity described in that paragraph.'' 
This provision gives FinCEN the ability to authorize, either on a case-
by-case basis or categorically through written protocols, guidance, or 
regulations, the re-disclosure of BOI in limited cases to further the 
purposes of the CTA.
    As stated in the proposed rule, this provision could be used to 
address situations involving sharing of BOI by government agencies as 
part of a joint investigation or within a task force. The requirements 
that an agency would need to satisfy to obtain BOI through re-
disclosure are the same as those an agency would need to satisfy to 
obtain BOI from FinCEN directly under this proposed rule. FinCEN also 
envisions including re-disclosure limitations in the BOI disclosure 
MOUs it enters into with recipient agencies. These provisions would 
make clear that it would be the responsibility of a recipient agency to 
take necessary steps to ensure that BOI is made available for purposes 
specifically authorized by the CTA, and not for the general purposes of 
the agency. Such agency-to-agency agreements can be effective at 
creating and enforcing standards on use, reuse, and redistribution of 
sensitive information.

E. Security and Confidentiality Requirements

    The CTA directs the Secretary to establish by regulation protocols 
to protect the security and confidentiality of any BOI provided 
directly by FinCEN.\169\ It then prescribes specific security and 
confidentiality requirements that FinCEN must impose on ``requesting 
agencies'' and grants the Secretary authority to ``provide such other 
safeguards which the Secretary determines (and which the Secretary 
prescribes in regulations) to be necessary or appropriate to protect 
the confidentiality of the beneficial ownership information.'' \170\
---------------------------------------------------------------------------

    \169\ 31 U.S.C. 5336(c)(3)(A).
    \170\ 31 U.S.C. 5336(c)(3)(B)-(K).
---------------------------------------------------------------------------

i. Security and Confidentiality Requirements for Domestic Agencies
a. General
    Proposed Rule. Proposed 31 CFR 1010.955(d)(1)(i) addressed general 
security and confidentiality requirements applicable to Federal, State, 
local, and Tribal requesting agencies, including intermediary Federal 
agencies acting on behalf of authorized foreign requesters, Federal 
functional regulators, and other appropriate regulatory agencies 
(collectively, ``requesting agencies''). These general requirements 
would need to be satisfied by a requesting agency for it to be eligible 
to receive BOI from FinCEN. Proposed 31 CFR 1010.955(d)(1)(i) required 
that each requesting agency:

    (1) Enter into an agreement with FinCEN specifying the 
standards, procedures, and systems to be maintained by the agency, 
and any other requirements FinCEN might specify, to protect the 
security and confidentiality of such information;
    (2) Establish standards and procedures, approved by the head of 
the agency, to protect the security and confidentiality of BOI;
    (3) Provide FinCEN with an initial report that describes these 
standards and procedures established and includes a certification 
from the head of the agency that the standards and procedures 
implement the requirements of this paragraph;
    (4) Establish and maintain a secure system for storing BOI which 
complies with information security standards prescribed by FinCEN;
    (5) Establish and maintain a permanent, auditable system of 
standardized records of the agency's BOI requests;
    (6) Restrict access to BOI to personnel meeting specified 
criteria, which would include meeting the training requirements of 
the proposed rule;
    (7) Conduct an annual audit to verify that information obtained 
from FinCEN has been accessed and used appropriately, provide FinCEN 
with the results of the audit upon FinCEN's request, and cooperate 
with FinCEN's annual audit of requesting agencies' adherence to the 
requirements established under this paragraph;
    (8) Provide a semi-annual certification from the head of the 
agency, on a non-delegable basis, that the agency's standards and 
procedures are in compliance with the security and confidentiality 
requirements of this provision; and
    (9) Provide FinCEN an annual report that describes the standards 
and procedures the agency uses to ensure the security and 
confidentiality of the BOI it receives from FinCEN.

    The preamble to the proposed rule explained that the agreement 
required by 31 CFR 1010.955(d)(1)(i)(A) would be a MOU that each 
requesting agency would enter into with FinCEN before being able to 
request any BOI.
    Comments Received. FinCEN received several comments on security and 
confidentiality requirements for all authorized users, as well as 
comments focused more specifically on security and confidentiality 
requirements for domestic requesting agencies. For all authorized 
users, one commenter expressed support for the proposed rule's general 
security and confidentiality requirements, noting that these align with 
the CTA. Several other commenters expressed appreciation for FinCEN's 
efforts to balance the interests of those requesting BOI against the 
protections and restrictions mandated by the CTA. One commenter viewed 
these requirements as adequate and argued that FinCEN should not add 
any new requirements that were not included in the CTA.
    As for the requirements applicable to requesting agencies, one 
commenter argued that the proposed requirements would be so strict that 
they could hinder the agencies' access to BOI. However, this commenter 
recognized that in proposing these requirements, FinCEN was simply 
implementing statutory requirements, and that any change to these 
requirements would have to come from Congress. With respect to the 
requirement that agencies establish and maintain secure systems for BOI 
storage, one commenter welcomed the clarification in the Access NPRM 
preamble that agencies may rely on existing databases and related IT 
infrastructure to satisfy this requirement. This commenter proposed 
additional points of clarification with respect to these systems--for 
example, on how FinCEN would coordinate with

[[Page 88767]]

agencies to develop technology-enabled access that ``maximize[s] the 
utility of access and minimize[s] additional development costs,'' and 
whether agencies would be able to pool their resources and collaborate 
to satisfy this requirement.
    There were several comments requesting additional clarifications or 
changes to proposed 31 CFR 1010.955(d)(1)(i). Two commenters asked that 
FinCEN clarify in the final rule that certain security and 
confidentiality requirements for requesting agencies apply to the 
entire information-sharing relationship between FinCEN and the 
requesting agency, instead of applying on what one commenter referred 
to as an ``iterative'' basis, which FinCEN understands to mean case-by-
case or request-by-request. One commenter cited the provisions of the 
CTA contained in sections 5336(c)(2)(C)(iii) and 5336(c)(3)(B)-(D), 
(H), and (I), which 31 CFR 1010.955(d)(1)(i) implements, as examples of 
provisions that should apply at the relationship rather than the case-
by-case level. These commenters argued that applying certain of these 
requirements for each individual request would be impractical and would 
effectively undermine the usability of the BOI database. These same 
commenters asked FinCEN to further clarify that it does not intend to 
review access determinations on a case-by-case basis prior to 
authorized users accessing the BOI database.
    There were also several comments related to the proposed rule's 
audit requirements. One commenter suggested that FinCEN should expand 
the audit requirements in the final rule to require that agencies 
verify that requests for BOI are appropriate under proposed 31 CFR 
1010.955(b) and that records of BOI requests are kept in accordance 
with proposed 31 CFR 1010.955(d)(1)(i)(E), which requires agencies to 
maintain an auditable record of requests. This commenter also suggested 
that the final rule should include audit requirements specifically for 
Federal agencies that are making requests on behalf of foreign persons, 
i.e., for intermediary Federal agencies. These requirements would 
include ensuring that the information required of intermediary Federal 
agencies under 31 CFR 1010.955(d)(1)(ii)(B)(3) and (4) has been 
maintained and that these agencies are compliant with 31 CFR 
1010.955(d)(3), the security and confidentiality requirements for 
foreign persons on whose behalf an intermediary Federal agency requests 
BOI. A different commenter also requested that FinCEN audit BOI 
requests from foreign requesters. Another commenter recommended that 
FinCEN modify the audit and annual report requirements to be completed 
by requesting agencies to also include data relevant for evaluating the 
accuracy, completeness, and usefulness of the BOI database.
    One commenter requested that FinCEN provide for greater involvement 
by the head of a requesting agency in satisfying the agency's security 
and confidentiality requirements. For example, this commenter suggested 
that the final rule should specify that only the head of an agency, on 
a non-delegable basis, could enter into the agreement with FinCEN, or 
acknowledge the final audit report satisfying the requirements under 
5336(c)(3)(B) and (H). In addition, one commenter asked FinCEN to add a 
provision requiring that agencies specify which agency personnel can 
make requests to FinCEN for BOI and access BOI. Finally, one commenter 
suggested that FinCEN could develop a series of model MOUs for each 
agency type (local law enforcement agency, state law enforcement 
agency, etc.).
    Final Rule. The final rule adopts proposed 31 CFR 1010.955(d)(1)(i) 
with only minor technical changes. FinCEN agrees with the commenter 
that the general security and confidentiality requirements for domestic 
agencies are statutory requirements, and any change to these 
requirements would have to be mandated by Congress. FinCEN believes 
these requirements are reasonable given the sensitive nature of BOI and 
expects that once a requesting agency meets the general security and 
confidentiality requirements, it should be able to use the BO IT system 
to access BOI in a rapid and efficient manner. With respect to requests 
for additional clarifications on the requirement that agencies 
establish and maintain a secure system for BOI storage, FinCEN 
appreciates these suggestions and will give them due consideration in 
the context of entering into MOUs with domestic agencies. FinCEN 
believes that agencies will likely be able to leverage existing 
databases and related IT infrastructure to meet this requirement, and 
has included the statutory language ``to the satisfaction of the 
Secretary'' in the regulatory text to ensure sufficient flexibility to 
implement this approach.\171\ FinCEN may also choose to provide 
additional guidance on these topics in the future.
---------------------------------------------------------------------------

    \171\ With the addition of the statutory language ``to the 
satisfaction of the Secretary'' to the regulatory text, FinCEN also 
removed as unnecessary the proposed language that would have 
required any agency's secure system for BOI storage to ``compl[y] 
with information security standards prescribed by FinCEN.''
---------------------------------------------------------------------------

    As for the comments requesting clarification that the requirements 
in this provision apply generally and not on a request-by-request 
basis, FinCEN believes that the rule text, and the heading ``general 
requirements,'' made it sufficiently clear that these requirements 
apply to requesting agencies generally, and that the requirements of 31 
CFR 1010.955(d)(1)(ii), as the heading ``requirements for requests for 
disclosure'' suggests, are request-by-request requirements. Several of 
the general requirements, such as the audit, certification, and report 
requirements, explicitly state that these requirements apply on an 
annual or semi-annual basis. Other requirements, such as the 
requirement that requesting agencies establish and maintain a secure 
system to store BOI, would by their nature apply on an ongoing basis.
    FinCEN also considered comments suggesting that additional audit 
requirements are necessary. Regarding the commenter suggesting that 
FinCEN include audit requirements to ensure that BOI requests are 
appropriate under proposed 31 CFR 1010.955(b) and that requesting 
agencies have properly maintained an auditable record of requests, 
FinCEN believes that the proposed audit requirements sufficiently cover 
these areas. FinCEN also declines to accept this commenter's proposal 
to add specific requirements concerning the audit of requests by 
intermediary Federal agencies on behalf of foreign persons. In FinCEN's 
view, when a request for BOI is made under an international treaty, 
agreement, or convention, the arrangements set forth in (or authorized 
by) that treaty, agreement, or convention would govern. When no such 
treaty, agreement, or convention is involved, and a trusted foreign 
country is involved, FinCEN will work closely with the intermediary 
Federal agency and will take measures to confirm compliance with 
proposed 31 CFR 1010.955(d)(3).
    In response to the commenter recommending that the audit and 
reporting requirements for requesting agencies should also address the 
accuracy, completeness, and usefulness of the BOI database, FinCEN does 
not view these issues as relevant to the security and confidentiality 
provisions of the regulation, which FinCEN adopted directly from the 
CTA. FinCEN may consider these requirements in the context of MOUs with 
relevant agencies to establish feedback mechanisms to facilitate 
evaluation of the quality of the

[[Page 88768]]

database with a view to improving compliance and enforcement.
    As for the commenter suggesting an additional requirement for 
agencies to specify which personnel may request and access BOI, FinCEN 
does not believe a rule change is necessary but will consider this 
suggestion further and potentially address it in future guidance. In 
response to the commenter suggesting an expanded role in the security 
and confidentiality requirements for agency heads, FinCEN believes that 
the involvement of agency heads in these requirements is already 
significant, and that greater involvement would create burdens on 
agencies without clear benefits. Lastly, concerning the comment 
regarding MOUs, FinCEN appreciates this feedback and will consider 
developing template MOUs for different types of BOI user agencies. 
FinCEN will also consider further tailoring MOUs as needed for specific 
agencies and will work with agencies on MOUs when appropriate.
b. Minimization and Requirements for Individual Requests for BOI by 
Domestic Agencies
    Proposed Rule. Proposed 31 CFR 1010.955(d)(1)(ii) includes 
requirements that would apply to each individual request for BOI from 
requesting agencies. This provision includes two general requirements. 
First, agencies must minimize, to the greatest practicable extent, the 
scope of the BOI they request consistent with the purpose of the 
request (the NPRM referred to this as the ``minimization'' 
requirement). Second, the head of a Federal agency, or their designee, 
must provide written certifications to FinCEN, in the form and manner 
that FinCEN prescribes, (1) that the agency is engaged in a national 
security, intelligence, or law enforcement activity, and (2) that the 
BOI requested is for use in such activity, along with the specific 
reasons why the BOI is relevant to the activity.
    Comments Received. FinCEN did not receive comments concerning the 
minimization requirement. FinCEN received several comments relating to 
FinCEN's review process for BOI requests from authorized users 
generally, and these comments also apply to proposed 31 CFR 
1010.955(d)(1)(ii)(B) on the requirements for written certification by 
Federal agencies. Commenters generally requested that FinCEN clarify in 
the final rule that FinCEN will not review the agency requests for BOI 
on a case-by-case basis. One commenter claimed that case-by-case review 
of the purpose of an agency's requests would not be worth the costs 
given FinCEN's resource constraints. This commenter focused on the 
general security and confidentiality requirements that the CTA imposes 
on requesting agencies and argued that additional oversight on a case-
by-case basis would be unnecessary. Another commenter argued that case-
by-case review would create administrative hurdles for agencies in 
accessing BOI, thereby undermining the usefulness of the BOI database. 
This commenter also argued that the CTA was not meant to give FinCEN 
the authority to question requesting agencies' substantive reasons for 
requesting BOI. Thus, this commenter urged FinCEN to clarify in the 
final rule that FinCEN will not evaluate the purpose of agencies' 
requests in deciding whether to grant requests for BOI.
    Separately, one commenter recommended that FinCEN should further 
strengthen the safeguards concerning individual requests for BOI by 
requiring senior-level review and written approvals by requesting 
agencies for each BOI request. While this commenter did not specify 
which provision of the rule text should be changed, the commenter 
appeared to suggest adding additional requirements to proposed 31 CFR 
1010.955(d)(1)(ii). This commenter argued that because of the highly 
sensitive nature of BOI and the importance of securing it, FinCEN 
should require senior-level officials of agencies to provide written 
approval for each BOI request to FinCEN by an agency. These senior-
level officials, the commenter argued, should be Senate-confirmed 
Presidential appointees of Federal agencies and chief executives or 
their designees for State, local, or Tribal agencies.
    Final Rule. The final rule adopts 31 CFR 1010.955(d)(1)(ii) largely 
as proposed. Although not specifically suggested by comments, FinCEN is 
removing the proposed requirement at 31 CFR 
1010.955(d)(1)(ii)(B)(3)(ii) that intermediary Federal agencies 
identify the date of the international treaty, agreement, or convention 
under which a request for BOI is being made; FinCEN believes that 
identification of the date is unnecessary. Regarding the comments 
expressing concerns that FinCEN will be reviewing each agency's 
requests for BOI on a case-by-case basis, FinCEN does not believe it is 
necessary to change the rule to address this concern. Instead, FinCEN 
reiterates here that it has no intention of reviewing each individual 
request for BOI from a requesting agency. The requirement for 
certifications from requesting agencies is sufficient to establish a 
basis for FinCEN to know which agencies are accessing the BOI database, 
and the basis on which they are doing so. This is important for 
purposes of meeting FinCEN's audit requirements. FinCEN, however, will 
not review each individual request from these agencies in real time. As 
for the commenter who argued that FinCEN should add a requirement that 
senior-level officials at requesting agencies must approve each BOI 
request, FinCEN declines to adopt this recommendation. Such a 
requirement would add an unwarranted burden on requesting agencies and 
would not be outweighed by sufficient benefits.
ii. Security and Confidentiality Requirements for Financial 
Institutions
a. Restriction on Personnel Access to Information
    Proposed Rule. FinCEN proposed to require financial institutions to 
limit access to BOI obtained from FinCEN to the financial institutions' 
directors, officers, employees, contractors, and agents within the 
United States. Proposed 31 CFR 1010.955(d)(2)(i) explicitly imposed 
this limitation, while proposed 31 CFR 1010.955(c)(2)(ii) made clear 
that it not only applied to initial BOI recipients, but continued to 
apply when directors, officers, employees, contractors, and agents of a 
financial institution wanted to re-disclose BOI to directors, officers, 
employees, contractors, and agents within the same financial 
institution for the particular purpose or activity for which the 
financial institution requested the information.
    Comments Received. Commenters generally opposed the requirement 
that financial institutions limit disclosure of BOI obtained from 
FinCEN to directors, officers, employees, contractors, and agents 
physically present within the United States. One commenter supported 
the limitation, but many more did not. Comments stated that the 
limitation would cause a disruption in the financial industry and run 
counter to current business practices. Commenters indicated that 
contracting with foreign workers is common for AML/CFT purposes, and 
financial institution personnel outside of the United States (including 
contractors and agents) routinely have access to customer information.
    Commenters further argued that the limitation would decrease the 
utility of BOI. Some stated that financial institutions may choose to 
continue to collect BOI from customers under the 2016 CDD Rule and 
forego accessing FinCEN's BO IT system altogether to avoid the BOI 
handling requirements set

[[Page 88769]]

out in the NPRM. One commenter stated that the limitation would result 
in less effective risk management, while others indicated that it would 
increase compliance costs. One commenter estimated that it will take 
years and millions of dollars to ``onshore'' job functions tasked with 
handling BOI from FinCEN. Further, commenters asserted that the 
limitation is not included in the CTA and that it contradicts other 
portions of the AML Act. Commenters also claimed that the proposed 
limitation is inconsistent with U.S. and international regulatory 
expectations for enterprise-wide risk management. Comments pointed to 
previous Treasury, FinCEN, and other regulatory guidance about sharing 
information across borders within enterprises. A commenter stated that 
FinCEN did not give a specific reason for the limitation.
    Some comments proposed alternatives, such as allowing re-disclosure 
to individuals outside of the United States and relying on 
technological safeguards and security requirements to protect the 
information. Another suggestion was to limit access to the BO IT system 
to personnel within the United States, but allow re-disclosure to 
directors, officers, employees, contractors, and agents in other 
countries. A few comments suggested those counterparts could be limited 
to ``trusted foreign countries'' or other specified destinations. 
Finally, one commenter asked FinCEN to define ``physically present in 
the United States.''
    Final Rule. The final rule at 31 CFR 1010.955(d)(2)(i) and (ii) 
revises the limitation on sending BOI outside the United States so that 
it is less stringent than the proposed rule. Under the final rule, 
financial institutions do not need to keep BOI confined to the United 
States, but rather are prohibited from sending BOI to certain foreign 
jurisdictions and categories of jurisdictions. As articulated in the 
Access NPRM, the CTA describes a framework for disclosures of BOI to 
foreign governments, and the regulations should seek to ensure 
consistency with the broader CTA framework. At the same time, FinCEN 
takes seriously commenters' argument that a flat prohibition on sending 
BOI abroad is too blunt a mechanism that would impose significant 
costs.\172\ FinCEN has determined that it is not necessary to prohibit 
all offshoring of BOI in order to address the threat posed by sending 
BOI to jurisdictions of greatest concern. Instead, 31 CFR 
1010.955(d)(2)(i) prohibits BOI from being sent to Russia, China, any 
jurisdiction designated as a state sponsor of terrorism, and any 
jurisdiction that is subject to comprehensive sanctions under U.S. law, 
which are the jurisdictions SARs cannot be sent to pursuant to 31 
U.S.C. 5318(g)(8)(C)(i). While the information contained in SARs is 
clearly different from BOI in many respects, FinCEN considers the 
selection of these jurisdictions to be a strong indicator of a broader 
congressional perspective on the acceptability of exposing sensitive 
information filed with the U.S. government to the legal processes of 
these foreign jurisdictions. As the selection of these jurisdictions 
indicates, Congress clearly regards the exposure of such sensitive 
information as more acceptable when it involves some jurisdictions than 
when it involves others. FinCEN has used this list of jurisdictions 
based on that understanding of the general congressional perspective on 
offshoring of information. The Secretary is authorized to add to this 
list to ensure compliance with the CTA or for national security 
reasons.
---------------------------------------------------------------------------

    \172\ At least one commenter suggested that any such limitation 
is in conflict with the FFIEC manual's recognition that ``[a] bank 
may choose to implement customer due diligence policies, procedures 
and processes on an enterprise-wide basis.'' Such a choice, however, 
as the manual itself acknowledges, is permissible only ``to the 
extent permitted by law.'' FFIEC BSA/AML Examination Manual, 
Assessing Compliance with BSA Regulatory Requirements, Customer Due 
Diligence--Overview (May 5, 2018), p. 4, https://www.ffiec.gov/press/pdf/Customer%20Due%20Diligence%20-%20Overview%20and%20Exam%20Procedures-FINAL.pdf. Here, the CTA 
establishes the legal parameters under which an institution can 
choose its enterprise-wide policies by authorizing FinCEN to 
prescribe by regulation any safeguards it determines to be necessary 
or appropriate to protect the confidentiality of BOI. 31 U.S.C. 
5336(c)(3)(K).
---------------------------------------------------------------------------

    FinCEN acknowledges that allowing BOI to be used and disseminated 
offshore creates a risk of unauthorized disclosure and misuse, and 
entails translating U.S. legal requirements for non-U.S. personnel and 
training them to understand and comply with those requirements. FinCEN 
weighed these risks against the burden that limiting BOI to directors, 
officers, employees, contractors, and agents within the United States 
would impose on some financial institutions. Many financial 
institutions operate global compliance programs that apportion 
responsibilities among different regions and reduce compliance 
expenses. Relocating certain compliance functions to the United States 
simply to allow them to obtain BOI from FinCEN could be very costly, 
and in many cases might be financially infeasible. FinCEN assesses that 
the cost of the targeted offshoring limitation should be de minimis: it 
is FinCEN's understanding that U.S financial institutions currently do 
not send a significant volume of customer information to Russia, China, 
any jurisdiction designated as a state sponsor of terrorism, or any 
jurisdiction that is subject to comprehensive sanctions under U.S. law, 
and with respect to jurisdictions that are state sponsors of terrorism, 
sending such information is already prohibited by other law.
    In addition, in order for FinCEN to monitor foreign government 
interest in obtaining BOI, the final rule requires that financial 
institutions notify FinCEN within three business days of receiving a 
demand from a foreign government for BOI obtained from FinCEN. FinCEN 
assesses that this offshoring limitation with notification requirement 
addresses the legitimate issues regarding security and conformity with 
the CTA raised by sending BOI outside the United States, without 
resorting to a blanket onshoring requirement.
b. Safeguards and Security Standards
    Proposed Rule. Proposed 31 CFR 1010.955(d)(2)(ii) described 
safeguards applicable to financial institutions that were designed to 
maintain the security and confidentiality of BOI while preserving 
accessibility and usefulness.\173\ Proposed 31 CFR 
1010.955(d)(2)(ii)(A) required financial institutions to develop and 
implement administrative, technical, and physical safeguards reasonably 
designed to protect BOI as a precondition for receiving BOI. The 
provision did not prescribe specific safeguards or security 
requirements. Rather, proposed 31 CFR 1010.955(d)(2)(ii)(A) provided 
that the application to BOI obtained from FinCEN of security and 
information handling procedures established by a financial institution 
to comply with section 501 of the Gramm-Leach-Bliley Act (Gramm-Leach-
Bliley) \174\ and its implementing regulations, with regard to the 
protection of its customers' nonpublic personal information, would 
satisfy the requirement.
---------------------------------------------------------------------------

    \173\ See 31 U.S.C. 5336(c)(3)(K).
    \174\ Public Law 106-102, 113 Stat. 1338, 1436-37 (1999).
---------------------------------------------------------------------------

    Gramm-Leach-Bliley provides general baseline expectations for 
keeping data secure and confidential, while each agency's implementing 
regulations take into account factors unique to the financial 
institutions the agency supervises. Section 501 of Gramm-Leach-Bliley, 
codified at 15 U.S.C.

[[Page 88770]]

6801(b) and 6805, requires each Federal functional regulator to 
establish appropriate standards relating to administrative, technical, 
and physical safeguards for financial institutions it regulates to: (1) 
ensure the security and confidentiality of customer records and 
information; (2) protect against any anticipated threats or hazards to 
the security or integrity of such records; and (3) protect against 
unauthorized access to or use of such records or information that could 
result in substantial harm or inconvenience to any customer. The 
Federal functional regulators have implemented these requirements in 
different ways. The OCC, FRB, FDIC, and the NCUA incorporated into 
their regulations the Interagency Guidelines Establishing Interagency 
Security Standards (Interagency Guidelines).\175\ The Interagency 
Guidelines add detail to the more general Gramm-Leach-Bliley 
requirements, covering specific subjects related to identifying, 
managing, and controlling risk (e.g., physical and electronic access 
controls, encryption and training requirements, and testing). The CFTC 
has incorporated the Gramm-Leach-Bliley expectations of financial 
institutions into its regulations \176\ and recommended best practices 
for meeting them that are ``designed to be generally consistent with'' 
the Interagency Guidelines.\177\ The SEC has also incorporated the 
Gramm-Leach-Bliley expectations of financial institutions into its 
regulations,\178\ and has instituted enforcement actions for violations 
of such regulations.\179\
---------------------------------------------------------------------------

    \175\ See Interagency Guidelines Establishing Standards for 
Safeguarding Customer Information and Rescission of Year 2000 
Standards for Safety and Soundness, 66 FR 8616 (Feb. 1, 2001). The 
agencies' implementing regulations are at 12 CFR part 30, app. B 
(OCC); 12 CFR part 208, app. D-2 and part 225, app. F (FRB); 12 CFR 
part 364, app. B (FDIC); and 12 CFR part 748, apps. A & B (NCUA).
    \176\ See 17 CFR 160.
    \177\ See CFTC Staff Advisory No. 14-21 (Feb. 16, 2014).
    \178\ See 17 CFR 248.1-248.100.
    \179\ See, e.g., Morgan Stanley Smith Barney LLC, SEC Exchange 
Act Release No. 95832 (Sept. 20, 2022).
---------------------------------------------------------------------------

    Under proposed 31 CFR 1010.955(d)(2)(ii)(B), financial institutions 
that were not subject to the requirements of section 501 of Gramm-
Leach-Bliley could apply security and handling procedures that were 
``at least as protective of the security and confidentiality of 
customer information'' as procedures that satisfy the standards set out 
in Gramm-Leach-Bliley. For these financial institutions, the proposed 
rule suggested that the Interagency Guidelines might serve as a useful 
checklist against which to evaluate existing security and 
confidentiality practices, as well as a useful guide for possible 
information security program modifications.
    Comments Received. Commenters generally concurred with the proposal 
to anchor BOI security and confidentiality requirements to Gramm-Leach-
Bliley, noting that the information security program requirements under 
that statute and its implementing regulations were sufficient to secure 
BOI received by financial institutions. Commenters observed that these 
requirements are already familiar to financial institutions and 
integrated into business practices.
    Commenters further encouraged FinCEN not to impose additional 
security and information handling protocols on financial institutions 
that could be duplicative of, inconsistent with, or more burdensome 
than these existing requirements. A commenter requested that FinCEN 
create a safe harbor provision for all employees of a financial 
institution that is compliant with Gramm-Leach-Bliley to further 
minimize compliance burden. Regarding information security requirements 
generally, commenters requested clarification on whether background 
checks would be required for any employees, and whether a ``firewall'' 
would be required to block access to BOI by employees not involved in 
opening accounts for new customers.
    Final Rule. The final rule adopts the proposed rule without change. 
Allowing financial institutions to satisfy the requirement to safeguard 
BOI by applying the security and information handling procedures used 
to comply with Gramm-Leach-Bliley and its implementing regulations is 
intended to avoid duplicative or inconsistent requirements and reduce 
burdens, while maintaining a high degree of security and 
confidentiality. As commenters pointed out, many financial institutions 
are generally familiar with the Gramm-Leach-Bliley requirements and 
already have policies, procedures, and infrastructure in place to 
comply with its requirements. In addition, Federal functional 
regulators currently assess financial institutions for compliance with 
Gramm-Leach-Bliley, which reduces burdens on supervisors while ensuring 
continued predictability for financial institutions. Lastly, for 
financial institutions not subject to Gramm-Leach-Bliley, the 
Interagency Guidelines provide a blueprint for establishing or 
benchmarking existing compliance systems so that those financial 
institutions can access the BO IT system and manage BOI securely.
    FinCEN is not extending a safe harbor to employees of a financial 
institution that is compliant with Gramm-Leach-Bliley standards. It is 
important for FinCEN to retain discretion to evaluate individual 
conduct by a director, officer, employee, contractor, or agent and 
related facts and circumstances on a case-by-case basis where there are 
unauthorized disclosures or uses by a financial institution, and to 
consider potential enforcement action.
    On the question of background checks and firewalls, the final rule 
does not include additional safeguards or other requirements. FinCEN 
views the security and information handling procedures implemented by 
financial institutions to comply with Gramm-Leach-Bliley to be 
sufficient. Additional requirements could create inconsistencies with 
existing security and information handling programs and create 
unnecessary burdens on both financial institutions and their 
supervisors, without a clear security benefit given the absence of 
specific concerns from commenters on the sufficiency of the Gramm-
Leach-Bliley requirements.
    FinCEN also declines to impose specific, additional safeguards on 
financial institutions that are not subject to Gramm-Leach-Bliley 
because such requirements could result in unintended consequences. 
These financial institutions can vary significantly in size, 
organizational structure, client base, risk profile, resources, and 
other characteristics. Many of these financial institutions could face 
significant costs and technical challenges in implementing uniform, 
additional standards, or FinCEN would need to expend resources to 
consider case-by-case modifications to address the diversity of unique 
circumstances.
c. Protocols and Training
    Proposed Rule. For each BOI request, proposed 31 CFR 
1010.955(d)(2)(iii) would require a financial institution to certify in 
writing that it fulfilled information security and other requirements 
set out in that section. The proposed rule explained that FinCEN 
expected that financial institutions would establish protocols to 
satisfy these information security requirements, including appropriate 
recordkeeping, to enable FinCEN to fulfill its audit and oversight 
responsibilities. The proposed rule also indicated that financial 
institutions would need to develop a training program that would ensure 
that BO IT system users at the financial institution received training 
on the protocols and completed FinCEN-provided online training as a 
condition

[[Page 88771]]

for creating and maintaining system accounts.
    Comments Received. One commenter was skeptical that financial 
institutions would act in accordance with FinCEN's expectations for 
protocols and training without specific regulatory requirements. The 
commenter suggested expressly setting out in the regulations the 
expectations regarding protocols and training. Another commenter 
expressed appreciation that FinCEN planned to provide training on the 
BO IT system when it becomes available. A third commenter asked FinCEN 
to confirm that only financial institution employees who will access 
the system would need to take this training, and not employees who may 
view and use BOI retained on the financial institution's system in 
accordance with applicable requirements.
    Final Rule. FinCEN adopts the proposed rule without change given 
that the imposition of additional requirements regarding protocols and 
training would likely be duplicative and potentially confusing. 
Financial institutions can satisfy the requirements of 31 CFR 
1010.955(d)(2)(ii) by either applying to BOI security and information 
handling procedures designed to comply with section 501 of Gramm-Leach-
Bliley Act or by implementing procedures that are ``at least'' as 
protective of customer information as procedures that satisfy Gramm-
Leach-Bliley standards. The different materials promulgated by the 
Federal functional regulators to implement Gramm-Leach-Bliley have in 
common requirements to (1) establish policies and procedures that 
govern security; and (2) provide related training.\180\ Additional 
requirements to establish protocols and training could create confusion 
and inconsistencies in implementation, and likely impose additional 
burdens on financial institutions and FinCEN.
---------------------------------------------------------------------------

    \180\ See generally Interagency Guidelines, supra note 168, p. 
138.
---------------------------------------------------------------------------

    Moreover, the final rule imposes on the director, officer, 
employee, contractor, or agent of a financial institution the 
individual responsibility for ensuring compliance with BOI security and 
information handling requirements. Accordingly, FinCEN believes that 
financial institutions have appropriate incentives to develop protocols 
and training programs that adequately train relevant financial 
institution staff on requirements for handing BOI based on the nature, 
scope, and risks presented in particular circumstances.
d. Consent To Obtain Information
    Proposed Rule. The CTA authorizes FinCEN to disclose a reporting 
company's BOI to a financial institution only if the reporting company 
consents to the disclosure.\181\ Proposed 31 CFR 1010.955(b)(4) would 
have allowed FinCEN to disclose a reporting company's BOI to a 
financial institution only if the reporting company consented to the 
disclosure. In addition, proposed 31 CFR 1010.955(d)(2)(iii) would have 
required a financial institution that wanted a reporting company's BOI 
to obtain and document the company's consent to having its BOI 
disclosed before requesting the BOI from FinCEN.
---------------------------------------------------------------------------

    \181\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------

    Comments Received. FinCEN received comments for and against 
requiring financial institutions to obtain consent from reporting 
companies. It also received comments addressing specific aspects of how 
the consent process should be managed.
    Commenters in favor of imposing the requirement on financial 
institutions to obtain consent generally agreed with the rationale 
articulated in the proposed rule. In the preamble, the proposed rule 
reasoned that financial institutions are best positioned to obtain 
consent because they have (1) direct customer relationships with 
reporting companies, and (2) existing policies and procedures to obtain 
and document consent on other matters. Commenters agreed that financial 
institutions can leverage these existing relationships and processes to 
fulfill the consent requirement and did not view the additional 
requirement to be overly burdensome. Several commenters noted concerns, 
however, that a request by a financial institution to a reporting 
company for consent could be perceived to be ``tipping off'' reporting 
companies if the financial institution was investigating the company 
for suspicious activity. Two commenters recommended that FinCEN add 
provisions to prevent tipping off reporting company prospects or 
customers.
    Other commenters argued that FinCEN, rather than financial 
institutions, should obtain a reporting company's consent. One 
commenter stated that FinCEN's role as the central U.S. repository for 
BOI made FinCEN the appropriate choice for collecting consent and 
revocations of that consent. Another noted that FinCEN would have a 
direct relationship with reporting companies through the collection of 
BOI reports and could use the reporting mechanism to obtain and 
document consent. Commenters also suggested ways that FinCEN could 
facilitate reporting company consent at the time the company submits a 
BOI report. For example, FinCEN could generate a blanket notice to a 
reporting company at the time it submits a BOI report stating that 
government agencies and financial institutions can request the 
reporting company's information for specific purposes. A related 
suggestion was to allow reporting companies to pre-authorize financial 
institutions to access their BOI at the submission of the BOI report, 
as a way to reduce burdens on the reporting companies.
    Commenters covered additional subjects. One commenter noted that 
financial institutions already collect BOI from customers under 
existing requirements and argued that requiring explicit consent to 
retrieve the same information from another source--in this case 
FinCEN's BO IT system--adds unnecessary complexity. Another commenter 
recommended delaying the consent requirement until FinCEN finalizes 
revisions to the 2016 CDD Rule. Two commenters stated that money 
launderers and other illicit actors who deliberately form shell 
companies to engage in criminal activity will see the consent 
requirement as an opportunity to further obscure their identity, noting 
that it is difficult to imagine a shell company providing consent to 
retrieve its BOI.
    Two commenters noted that the consent requirement could have 
unintended consequences on reporting company access to financial 
services. One commenter stated that reporting companies risk losing 
financial services if they do not provide consent. Another commenter 
stated that the consent requirement may push reporting companies to 
seek out alternative financing rather than provide financial 
institutions with consent to retrieve their BOI.
    FinCEN also received numerous comments about when and how reporting 
company consent should be obtained. Several commenters stated that 
consent should be obtained at account opening in a customer-
acknowledged agreement, not as a standalone document. Commenters also 
likewise requested that FinCEN expressly allow financial institutions 
to obtain consent in conjunction with other required consents and 
certifications, and through normal account opening and customer 
onboarding processes. Numerous commenters requested that FinCEN clarify 
that consent need only be obtained once at account opening and that it 
does not expire unless expressly revoked. One commenter stated that

[[Page 88772]]

consent should remain valid for the length of the customer 
relationship, and that a financial institution should not need to renew 
consent or notify a reporting company each time the financial 
institution retrieves its BOI. One commenter asked whether a reporting 
company changing its structure would affect its consent. That commenter 
also asked whether a new consent is required each time a reporting 
company customer opens a new account. Several commenters requested that 
FinCEN create standardized consent language for financial institutions 
to use to obtain a reporting company's consent. One commenter requested 
that FinCEN explicitly permit reporting companies to grant consent on 
behalf of their parent companies.
    Several commenters proposed alternatives to requiring a reporting 
company to provide affirmative consent. Two commenters suggested 
permitting a reporting company to opt-out if it did not want to consent 
to its BOI being obtained by a financial institution. One commenter 
suggested that financial institutions be allowed to provide disclosures 
of intent to obtain a reporting company's BOI from FinCEN that would be 
acknowledged by the reporting company, instead of requiring affirmative 
consent.
    Other commenters proposed alternatives to written affirmative 
consent, with one commenter suggesting a checkbox and another commenter 
suggesting replacing the term ``written'' with ``documented'' or 
defining ``written'' in a way that provides financial institutions with 
flexibility about how to implement the requirement. Several commenters 
suggested that any consent that satisfies these requirements should 
benefit from a safe harbor under which such consent is deemed 
effective.
    Two commenters stated that consent should be in writing and 
financial institutions should furnish a copy of that written consent to 
FinCEN when requesting the relevant BOI. Two other commenters expressed 
the opposite view that FinCEN should not require financial institutions 
to submit proof of consent.
    A few commenters requested clarification on how consent may be 
provided and by whom. Several commenters stated that FinCEN should 
expressly permit a financial institution to obtain consent from a 
reporting company customer authorizing the financial institution to use 
that customer's BOI for broader purposes. Another commenter stated that 
financial institutions should be able to rely on their affiliates to 
obtain consent, providing the example of futures commission merchants 
often relying on introducing brokers to engage with customers as a way 
of arguing that the former should be able to obtain a reporting 
company's BOI based on consent obtained by the latter.
    One commenter requested a clear definition of what constitutes 
customer consent and sought guidance on when customer consent is deemed 
revoked. Several commenters requested clarification on how revocation 
should be documented, while others recommended that FinCEN issue 
guidance to financial institutions on what to do if a customer refuses 
to provide consent.
    Final Rule. FinCEN adopts the proposed rule with the clarification 
that reporting company consent must be documented but need not 
specifically be in writing. FinCEN cannot eliminate the consent 
requirement as suggested by commenters given that the CTA authorizes 
FinCEN to disclose a reporting company's BOI to a financial institution 
only if the reporting company consents to the disclosure.\182\ Nor can 
FinCEN side-step the consent requirement by notifying reporting 
companies that financial institutions can request their BOI for 
specific purposes or treat the submission of a BOI report as implied 
consent.
---------------------------------------------------------------------------

    \182\ 31 U.S.C. 5336(c)(2)(B)(iii).
---------------------------------------------------------------------------

    After carefully considering comments and the relative burdens and 
options, FinCEN continues to believe that financial institutions are 
better positioned to obtain and document a reporting company's consent. 
As explained in the proposed rule, financial institutions are well-
positioned to obtain consent--and to track any revocation of such 
consent--given that they maintain direct customer relationships and are 
able to leverage existing onboarding and account maintenance processes 
to obtain reporting company consent. By contrast, considerable delay 
and burdens on reporting companies could result if FinCEN were to 
administer the consent process. For example, it would be impractical 
for FinCEN to administer a process through which a reporting company 
could consent to the disclosure of BOI to some financial institutions, 
but not others. It would also be administratively complex for FinCEN to 
establish a mechanism to timely verify and respond to consent requests, 
which could result in delays in a reporting company's ability to access 
financial services.
    The final rule does not prescribe any particular means by which a 
financial institution must obtain a reporting company's consent. 
Rather, the final rule affords financial institutions substantial 
discretion in the manner in which they obtain consent. FinCEN 
recognizes that financial institutions vary greatly in customer bases, 
risk tolerance, and resources. All financial institutions obtain 
customer consent on a range of subjects and have existing policies and 
procedures for doing so that reflect their unique attributes. Those 
policies and procedures also reflect different legal requirements, 
including those involving consent in the data privacy context at the 
Federal and state levels.
    Additionally, in response to comments that suggested replacing the 
term ``written'' with ``documented'' to provide financial institutions 
with more flexibility in how to implement the requirement (e.g., via a 
checkbox), the final rule no longer requires consent to be in writing; 
it only requires that the consent be documented.
    FinCEN also believes that providing financial institutions with 
flexibility in how they implement this requirement will help minimize 
the burden associated with obtaining consent from reporting company 
customers. Financial institutions may satisfy this requirement through 
any lawful method of obtaining meaningful consent from a customer. As a 
consequence of offering this flexibility, however, FinCEN cannot offer 
a safe harbor for any particular method used to obtain consent.
    The final rule does not require a financial institution to notify a 
reporting company each time the financial institution retrieves the 
reporting company's BOI from FinCEN, nor does it require financial 
institutions to submit proof of consent to FinCEN, unless otherwise 
required by law. The final rule only requires the financial institution 
to obtain a reporting company's consent at a time prior to an initial 
request for the reporting company's BOI from FinCEN, and it may rely on 
that consent to retrieve the same reporting company's BOI on subsequent 
occasions, including to open additional accounts for that reporting 
company, unless the consent is revoked. The ability of financial 
institutions to broadly obtain reporting company consent is expected to 
alleviate concerns regarding ``tipping off'' reporting companies about 
investigations that require the retrieval of BOI.
    The final rule also does not address either revocation or 
expiration of consent. Rather, the final rule provides

[[Page 88773]]

flexibility to financial institutions to develop appropriate procedures 
and mechanisms with respect to the revocation of consent or the 
expiration of consent. This flexibility will allow financial 
institutions to develop processes appropriate to their size, business 
lines, and customer types, among other considerations, and provide 
reporting companies greater flexibility regarding the manner in which 
they provide and revoke consent--in contrast, a FinCEN mechanism will 
likely provide less flexibility and disadvantage both financial 
institutions and reporting companies. For example, if needed, financial 
institution may set terms through contract or otherwise to provide for 
the expiration of consent or revocation given that the final rule does 
not specify any time frames for expiration of consent.
    The final rule also does not articulate specific procedures or 
mechanisms through which a reporting company can provide or revoke 
consent, e.g., what forms or mechanisms a financial institution should 
use, which company representatives may provide or revoke consent, 
whether affiliates can consent on behalf of one another, when corporate 
changes would require obtaining new consent, or how financial 
institutions should handle customers who refuse to provide consent. 
Rather, FinCEN believes that it is appropriate to provide flexibility 
to a financial institution based on its practices and circumstances, as 
well as its extensive experience in implementing consent procedures in 
other contexts and subject to different legal requirements. FinCEN will 
consider additional guidance or FAQs if additional clarification is 
required.
    Lastly, FinCEN does not share concerns that the consent requirement 
could drive customers with legitimate business away from financial 
institutions. FinCEN's 2016 CDD Rule already requires financial 
institutions to identify the beneficial owners of legal entity 
customers, and financial institutions regularly seek information from 
reporting companies regarding beneficial ownership information. As 
such, FinCEN does not expect reporting companies to systemically 
decline financial services because of the consent requirement and the 
availability of the FinCEN database to confirm reporting company BOI.
e. Certification
    Proposed Rule. Proposed 31 CFR 1010.955(d)(2)(iv) would require a 
financial institution to ``make a written certification to FinCEN'' for 
each BOI request that it: (1) is requesting the information to 
facilitate its compliance with customer due diligence requirements 
under applicable law; (2) obtained the reporting company's ``written 
consent'' to request its BOI from FinCEN; and (3) fulfilled the other 
security and confidentiality requirements financial institutions must 
satisfy to receive BOI from FinCEN (as reflected in other provisions of 
Sec.  1010.955(d)(2)). The Access NPRM indicated that a financial 
institution would be able to make the certification via a checkbox when 
requesting BOI via the BO IT system.\183\
---------------------------------------------------------------------------

    \183\ 87 FR at 77422.
---------------------------------------------------------------------------

    Comments Received. One commenter suggested that the final rule 
should not require a financial institution to obtain a ``written'' 
certification from financial institutions.
    Final Rule. FinCEN is amending the proposed rule to require that 
financial institutions provide a certification to FinCEN ``in such form 
and manner as FinCEN shall prescribe.'' The revision in the final rule 
will allow FinCEN to take a flexible approach towards implementation of 
the certification requirement that takes into account a range of 
considerations, such as technological feasibility. Accordingly, FinCEN 
intends to prescribe a certification mechanism that seeks to minimize 
burdens and provide certainty, and may include checkboxes or other 
forms. As it develops the BO IT system, FinCEN anticipates that a 
financial institution will be able to make the certification via a 
simple checkbox when requesting BOI via the BO IT system.
    Additionally, FinCEN amends proposed Sec.  1010.955(d)(2)(iv) to 
require a financial institution to certify that it has obtained and 
``documented'' a reporting company's consent to request the reporting 
company's BOI from FinCEN. The revised approach eliminates the 
requirement for the financial institution to obtain ``written'' consent 
from the reporting company, requiring only that consent be 
``documented.''
iii. Sensitivity of Beneficial Ownership Information
    Proposed Rule. Proposed 31 CFR 1010.955(a) states that information 
reported to FinCEN pursuant to 31 CFR 1010.380 is confidential and may 
not be disclosed except in certain enumerated circumstances.\184\ The 
draft rule identifies five categories of recipients who may receive 
BOI, with each category of disclosure limited to a particular purpose 
or purposes, and an additional eight categories of authorized re-
disclosure, plus a catch-all provision permitting FinCEN to authorize 
re-disclosure in other circumstances.\185\
---------------------------------------------------------------------------

    \184\ 31 U.S.C. 5336(c)(2)(A).
    \185\ 31 U.S.C. 5336(c)(2)(B).
---------------------------------------------------------------------------

    Comments Received. Commenters provided mixed views on the overall 
sensitivity of BOI and the security and confidentiality requirements 
that should be applicable to protect BOI from unauthorized use or 
disclosure and the privacy interests of beneficial owners and company 
applicants. Some commenters felt that the CTA's confidentiality 
requirement was too broad, and that individuals should have little or 
no privacy interest in such information. One commenter noted that the 
CTA never identifies ``privacy'' as a statutory objective, arguing that 
while the CTA does direct FinCEN to build a secure database, ensuring 
data security is not equivalent to implementing privacy protections for 
individuals or entities. Another argued that individuals should not 
have any expectation of privacy over BOI because an entity ``exists 
only through the public's concession.'' Others felt that the CTA's 
confidentiality requirements were too narrow, highlighting the impact 
on small businesses. One commenter noted that the proposed rule did not 
provide adequate reassurances that the information would be protected; 
others felt that the disclosure provisions under proposed 31 CFR 
1010.955(b) rendered the idea of confidentiality or privacy 
meaningless. Finally, as discussed above in section III.D.v.a, one 
commenter felt that the confidentiality requirements for BOI should 
mirror those for tax returns and tax return information under 26 U.S.C. 
6103 to ensure that BOI is protected.
    Final Rule. The final rule adopts proposed 31 CFR 1010.955(a) as 
written. FinCEN considered the comments and is sensitive to concerns 
about data security and privacy. As discussed throughout this preamble, 
the CTA establishes that BOI is ``sensitive information'' and imposes 
strict security and confidentiality requirements on BOI. For example, 
31 U.S.C. 5336(c)(2)(A) creates a baseline presumption of 
confidentiality with a provision on prohibition on disclosure by any 
individual who receives it. Other provisions reinforce the sensitivity 
of BOI and further limit such disclosures. For example, the CTA 
mandates ``appropriate protocols'' in order to disclose BOI to 
recipients, and even specifies procedural steps in certain

[[Page 88774]]

cases,\186\ such as the requirement that a State, local, or Tribal law 
enforcement agency obtain authorization from a court of competent 
jurisdiction to seek the information in a criminal or civil 
investigation. FinCEN is following the statutory requirements 
prescribed by Congress in the CTA in promulgating the security and 
confidentiality provisions in the final rule.
---------------------------------------------------------------------------

    \186\ 31 U.S.C. 5336(c)(3).
---------------------------------------------------------------------------

    On the other hand, FinCEN agrees with comments that the overarching 
goal of the CTA is to make BOI available to help law enforcement and 
agencies engaged in national security activities prevent and combat 
money laundering, terrorist financing, tax fraud, and other illicit 
activity, as well as protect national security. As discussed above in 
section III.D.v.a, FinCEN has declined to adopt provisions that mirror 
those in 26 U.S.C. 6103. The CTA provides detailed security and 
confidentiality requirements tailored to the BO IT system's authorized 
uses and authorized recipients, and the final rule adopts these 
requirements to ensure the protection of this sensitive information. In 
addition, FinCEN believes that the requirements of 26 U.S.C. 6103 would 
impose a substantial burden on the overall functionality of the BO IT 
system and the requirement to establish a BOI database highly useful to 
law enforcement. For example, 26 U.S.C. 6103 at times requires Federal 
law enforcement to obtain a court order to access tax returns and tax 
return information, while the CTA imposes no such restriction.\187\ 
Further, the CTA envisions that financial institutions would have 
access to BOI for its customers through access to FinCEN's database, 
while 26 U.S.C. 6103 has no analogous provision. Ultimately, FinCEN 
found this suggestion unworkable in the context of the CTA.
---------------------------------------------------------------------------

    \187\ 26 U.S.C. 6013(i).
---------------------------------------------------------------------------

F. Administration of Requests

i. Rejection of Requests
    Proposed Rule. Proposed 31 CFR 1010.955(e)(1) provided that 
requests for BOI under 31 CFR 1010.955(b) shall be submitted to FinCEN 
in such form and manner as FinCEN shall prescribe. Proposed 31 CFR 
1010.955(e)(2)(i) states that FinCEN will reject requests for BOI made 
under 31 CFR 1010.955(b)(4) (Disclosure to facilitate compliance with 
customer due diligence requirements) if such request is not submitted 
in the form and manner prescribed by FinCEN. Furthermore, proposed 31 
CFR 1010.955(e)(2)(ii) provided that FinCEN may reject requests or 
otherwise decline to disclose BOI if FinCEN, in its sole discretion, 
finds that, with respect to the request, the requester has failed to 
meet any requirements of the rule, the BOI is being requested for an 
unlawful purpose, or other good cause exists to deny the request.
    Comments Received. FinCEN received several comments relating to the 
level of discretion that FinCEN can exercise in determining when to 
grant or deny a request for access to BOI. One commenter supported the 
proposed rule's provisions related to FinCEN's authority to reject 
requests for BOI as a faithful implementation of the CTA. A few 
commenters requested that FinCEN remove the words ``sole discretion'' 
from proposed 31 CFR 1010.955(e)(2)(ii). One commenter argued that 
there are significant protocols under the CTA to adequately protect the 
security and confidentiality BOI, so it is not consistent with the CTA 
for FinCEN to have unlimited discretion to reject or grant access. The 
commenter also noted that the CTA does not use the term ``sole 
discretion.''
    Final Rule. The final rule adopts 31 CFR 1010.955(e)(2) as 
proposed. In FinCEN's view, it is important to clearly state in 31 CFR 
1010.955(e)(2)(ii) that FinCEN has the sole discretion to approve or 
deny requests for access to BOI because FinCEN has obligations under 
the CTA to protect the security and confidentiality of BOI, ensure that 
BOI is used for authorized purposes by authorized recipients, and to 
ensure audit and oversight of the BO IT System. The CTA does not 
require that FinCEN consult with any other agency or with those 
requesting access to BOI when it decides to grant or reject access. 
FinCEN believes it is within its authority under the CTA to decide, 
based on its sole discretion, whether to accept or reject a request for 
access to BOI.
ii. Suspension of Access
    Proposed Rule. In keeping with the CTA,\188\ proposed 31 CFR 
1010.955(e)(3)(i) specified that FinCEN could suspend or debar a 
requesting agency or financial institution (referred to in the proposed 
provision as a ``requesting party'') from access to BOI for (1) failing 
to meet applicable regulatory requirements; (2) requesting BOI for an 
unlawful purpose; or (3) other good cause. Proposed 31 CFR 
1010.955(e)(3)(ii) further specified that FinCEN could reinstate a 
suspended or debarred party's access upon the latter satisfying any 
terms or conditions that FinCEN deems appropriate. The Access NPRM 
explained that suspension of access to BOI would be temporary while 
debarment would be permanent. FinCEN alone would determine suspension 
periods.\189\
---------------------------------------------------------------------------

    \188\ 31 U.S.C. 5336(c)(6)-(7).
    \189\ 87 FR at 77423.
---------------------------------------------------------------------------

    Comments Received. One commenter asked for more information about 
how FinCEN would evaluate whether to suspend or debar a financial 
institution. This commenter also asked whether FinCEN or the financial 
institution's appropriate state or Federal functional regulator would 
make the ultimate suspension or debarment decision, and whether a 
financial institution would have an opportunity to rebut a claim that 
it improperly used BOI. Several commenters asked how financial 
institutions should continue meeting their customer due diligence 
obligations if they lose access to BOI from FinCEN. One commenter 
viewed the use of the term ``requesting party'' in proposed Sec.  
1010.955(e)(3)(i) as limiting FinCEN to permanently debarring or 
temporarily suspending only entities rather than individual users as 
well. This commenter recommended that FinCEN clarify that there may be 
times when FinCEN wants to allow continued access by an agency or 
financial institution but disallow continued access by an individual 
user from that agency or financial institution.
    Final Rule. FinCEN adopts 31 CFR 1010.955(e)(3)(i) and (ii) with 
minor modifications. These final regulations as a whole establish the 
requirements that a financial institution must satisfy to obtain BOI 
from FinCEN, what they may do with the information, and how they must 
safeguard it. Section 1010.955(e)(3)(i) makes clear that failing to 
abide by these requirements and restrictions, including by requesting 
BOI for an unlawful purpose, can result in suspension or debarment from 
access to BOI. FinCEN further reserves the right to suspend or debar a 
requesting party for good cause involving other circumstances. As 
stated in the Access NPRM, the decision to suspend or debar a financial 
institution from access to BOI is subject to FinCEN's sole discretion. 
Imposing limitations on that discretion as a regulatory matter, such as 
by implementing a ``three strikes'' rule on certain conduct while 
identifying other activity as grounds for immediate debarment, are 
premature and require further evaluation. FinCEN will make 
determinations on a case-by-case basis after considering the available 
facts and circumstances. FinCEN will continue to consider whether 
additional standards or limitations are needed to foster 
predictability, provide fairness,

[[Page 88775]]

and enhance compliance after gaining experience.
    Questions about how a financial institution temporarily or 
permanently losing access to BOI from FinCEN might affect the 
institution's ability to meet its customer due diligence obligations 
are also premature because they implicate the forthcoming 2016 CDD Rule 
revisions. FinCEN may address those issues in that future rulemaking.
    FinCEN, however, has decided to make modest changes to 31 CFR 
1010.955(e)(3)--changing the term ``requesting party'' in 31 CFR 
1010.955(e)(3)(i) and the term ``requester'' in 1010.955(e)(3)(ii) to 
``individual requester or requesting entity''--in order to clarify that 
FinCEN may permanently debar or temporarily suspend individual users at 
an agency or financial institution in addition to the entity itself.

G. Violations--Unauthorized Disclosure or Use

    Proposed Rule. Proposed rule 31 CFR 1010.955(f) tracks the CTA's 
language making it unlawful for any person to knowingly disclose, or 
knowingly use, BOI obtained by that person, except as authorized by the 
CTA and these regulations. The rule applies to BOI whether the person 
obtained it directly or indirectly, and whether this information was 
contained in a report submitted to FinCEN under 31 CFR 1010.380 or 
disclosed by FinCEN under 31 CFR 1010.955(b). The rule goes on to 
broadly define ``unauthorized use'' to include accessing information 
without authorization, or ``any violation'' of the security and 
confidentiality requirements described in 31 CFR 1010.955(d) in 
connection with any access.
    Comments Received. Several commenters stated that they approved of 
the enforcement provisions of the proposed rule, largely in the context 
of providing comments to other parts of the rule. Otherwise, FinCEN did 
not receive substantive comments about the enforcement provisions.
    Final Rule. FinCEN adopts the rule as written and notes that the 
CTA provides civil penalties in the amount of $500 for each day a 
violation continues or has not been remedied. Criminal penalties are a 
fine of not more than $250,000 or imprisonment for not more than 5 
years, or both.\190\ The CTA also provides for enhanced criminal 
penalties, including a fine of up to $500,000, imprisonment of not more 
than 10 years, or both, if a person commits a violation while violating 
another law of the United States or as part of a pattern of any illegal 
activity involving more than $100,000 in a 12-month period.\191\
---------------------------------------------------------------------------

    \190\ 31 U.S.C. 5336(h)(3)(B).
    \191\ 31 U.S.C. 5336(h)(3)(B)(ii)(II).
---------------------------------------------------------------------------

H. Implementation Efforts

i. Implications for Revision of the 2016 CDD Rule
    Proposed Rule. The preamble to the proposed rule discussed the 
requirement in section 6403(d) of the CTA that FinCEN revise the 2016 
CDD Rule in order to (1) ensure that the rule conforms with the CTA; 
(2) address how financial institutions with customer due diligence 
obligations will access the database; and (3) reduce burdens on 
financial institutions and legal entity customers.\192\ The CTA 
requires that FinCEN revise the 2016 CDD Rule within one year of 
January 1, 2024, the effective date of the final BOI Reporting Rule, by 
rescinding paragraphs (b) through (j) of 31 CFR 1010.230.\193\ The 
preamble to the proposed rule noted that FinCEN will revise the 2016 
CDD Rule at a later date instead of addressing it in this rulemaking. 
The preamble further stated that FinCEN expected that the revision of 
the 2016 CDD Rule would likely address the interaction of financial 
institutions' existing customer due diligence efforts and the BOI 
database. The proposed rule did not otherwise address the required 
revision to the 2016 CDD Rule.
---------------------------------------------------------------------------

    \192\ See CTA, section 6403(d)(1)(A)-(C).
    \193\ CTA, section 6403(d)(1), (2). The CTA orders the 
rescission of paragraphs (b) through (j) directly (``the Secretary 
of the Treasury shall rescind paragraphs (b) through (j)'') and 
orders the retention of paragraph (a) by a negative rule of 
construction (``nothing in this section may be construed to 
authorize the Secretary of the Treasury to repeal . . . [31 CFR] 
1010.230(a)[.]'').
---------------------------------------------------------------------------

    Comments Received. Some commenters expressed that it was difficult 
to comment comprehensively on the Access NPRM as FinCEN has not yet 
issued a notice of proposed rulemaking concerning revisions to the 2016 
CDD Rule. Other commenters, however, addressed the future rulemaking 
despite FinCEN's express reservation of 2016 CDD Rule issues for 
consideration at a later date. In particular, these commenters 
identified several issues that they believe a revision of the 2016 CDD 
Rule should address in light of financial institution access to the BOI 
database. These issues included (1) whether FinCEN should mandate that 
financial institutions access the BOI database; (2) the verification 
and identification of financial institutions customers' beneficial 
owners; (3) how to address discrepancies between the BOI database and 
the BOI that financial institutions receive directly from their 
customers; (4) whether there should be a safe harbor for financial 
institutions in case of such discrepancies; and (5) regulatory 
expectations related to financial institutions' use of the BOI 
database. FinCEN also received comments on a number of technical issues 
related to specific provisions of the 2016 CDD Rule, the desirability 
of changes to those provisions, and the overall process of revision.
    Final Rule. FinCEN appreciates the comments on the interaction of 
the proposed rule with the forthcoming revision to the 2016 CDD Rule 
but declines to make modifications in this final rule based on 
consideration of the forthcoming revision. Furthermore, comments that 
relate to how FinCEN should revise the 2016 CDD Rule are not addressed 
in this rule. However, FinCEN will consider these comments in its 
development of a notice of proposed rulemaking on this topic in the 
future. Covered financial institutions will continue to be subject to 
the existing 2016 CDD Rule until a revision of that rule is effective. 
In addition, FinCEN, in consultation with the Federal functional 
regulators, will issue guidance on this topic as appropriate.
    While FinCEN is reserving consideration of certain issues for the 
2016 CDD Rule revision, comments on the Access NPRM are addressed 
here--in particular those comments that are relevant to the use of the 
BOI database by financial institutions in the period between the 
effective date of this final rule and the revision to the 2016 CDD 
Rule. FinCEN is also addressing comments that requested specific 
changes to this final rule in connection with reporting discrepancies 
in BOI, as well as those that requested a definitive authorization to 
rely on BOI or a definitive exemption from liability (a safe harbor 
provision). FinCEN addresses these matters as follows.
    Some commenters requested that FinCEN explicitly state in this 
final rule that use of the BOI database by financial institutions is 
not mandatory. As with the proposed rule, the final rule outlines who 
may access the BOI database and for what purpose; however, it does not 
require financial institutions to access the BOI database, nor does it 
speak to what financial institutions' obligations may be once the 2016 
CDD Rule is revised. FinCEN expects to more fully address the question 
of the extent to which, and how, financial institutions should access 
the BOI database for the purpose of fulfilling their customer due 
diligence obligations when FinCEN revises the 2016 CDD Rule. As

[[Page 88776]]

explained in section III.C.iv.b.1, the final rule does not create a new 
regulatory requirement for financial institutions to access BOI from 
the BO IT System or a supervisory expectation that they do so. Thus, 
the Access Rule does not necessitate changes to BSA/AML compliance 
programs designed to comply with existing BSA requirements, such as the 
2016 CDD Rule, customer identification program requirements,\194\ and 
suspicious activity reporting.\195\ However, any access to and use of 
BOI obtained from the BO IT System must comply with the requirements of 
the CTA and the Access Rule.
---------------------------------------------------------------------------

    \194\ 31 CFR 1010.220.
    \195\ 31 CFR 1010.320.
---------------------------------------------------------------------------

    Similarly, on the issue of discrepancies between the BOI that 
financial institutions obtain from FinCEN and the BOI that they obtain 
directly from their customers, several commenters asked FinCEN to 
clearly state in the final rule that financial institutions would not 
be required to report discrepancies. This final rule does not require 
financial institutions to access the BOI database, nor does it require 
them to report discrepancies between information obtained from 
customers and BOI obtained from FinCEN, if any are discovered. This 
final rule also does not change a financial institution's obligations 
under other provisions of the BSA and implementing regulations, 
including the regulatory requirement for financial institutions to 
maintain an anti-money laundering program that involves, among other 
things, the reporting of suspicious transactions to FinCEN.\196\ FinCEN 
declines to follow suggestions from commenters that the final rule 
address this subject. If FinCEN finds that additional guidance or 
regulatory changes are necessary, it may issue stand-alone guidance or 
take up the subject in a later rulemaking such as the revision of the 
2016 CDD Rule.
---------------------------------------------------------------------------

    \196\ See 31 CFR 1020.320.
---------------------------------------------------------------------------

    The issues raised by commenters relating to handling discrepancies 
and the provision of a safe harbor are connected to the issue, also 
raised by commenters, of the extent to which financial institutions may 
rely on BOI obtained from FinCEN for the purpose of fulfilling their 
regulatory customer due diligence requirements. As explained above, 
revisions to the 2016 CDD Rule and its requirements will be the subject 
of a future rulemaking. However, FinCEN appreciates the consideration 
of these issues, as reflected in the comments already submitted, and 
FinCEN will take them into account in the context of that future 
rulemaking.
    Finally, with respect to the comments that raised concerns about 
regulatory expectations, FinCEN continues to work closely with Federal 
functional regulators on how financial institutions are examined with 
respect to their use of the BOI database to facilitate compliance with 
customer due diligence requirements under applicable law, including the 
2016 CDD Rule and its revision. As part of this effort, FinCEN will 
continue consulting with the Federal functional regulators on whether 
to issue guidance in this area.
ii. Information Technology Systems Issues
a. Access--In General
    Comments Received. Several commenters made general comments on 
access to beneficial ownership information reported to FinCEN. Two 
commenters made statements that access to BOI should be simple, 
uncomplicated, and timely. One commenter stated that the beneficial 
ownership database should be built so that it maximizes access to 
authorized users with eventual public access in mind. Another commenter 
stated that the final rule should clarify that the structure and nature 
of the access protocols in the CTA are meant to facilitate auditable 
and technologically-enabled access to the BOI database, and that access 
will generally not be considered by FinCEN on a case-by-case basis. One 
commenter stated that any required certifications should be filed 
electronically.
    Another commenter stated that BOI should be available in bulk, 
noting that bulk data formats will allow users to find patterns or red 
flags relating to beneficial ownership, or to assess and improve data 
quality. Another commenter requested that financial institutions have 
the ability to submit required certifications and access BOI on a bulk, 
automated basis. This commenter noted that if access to the BO IT 
system requires manual submissions on a customer-by-customer basis, 
this would be unnecessarily cumbersome and would adversely impact the 
ability of financial institutions to use information from the database 
effectively and efficiently for illicit finance risk management.
    Two commenters requested that FinCEN clarify what information 
authorized users will receive from the BO IT system, and that such 
information should include the chain of ownership between the reporting 
company and the beneficial owners. Several commenters requested 
clarification as to whether authorized users will have access to the 
underlying BOI when a FinCEN identifier is included in a beneficial 
ownership information report in lieu of the personal identifying 
information of a beneficial owner or company applicant. One commenter 
suggested that this be explicit in the regulatory text. Another 
commenter explained that if a bank relies on a BOI report with FinCEN 
identifiers in lieu of know-your-customer/customer identification 
program information, it will be unable to fully conduct customer due 
diligence or enhanced due diligence.
    Another commenter noted that FinCEN should provide BOI in a 
structured data format, and recommended that FinCEN adopt the 
Beneficial Ownership Data Standard (BODS) as the common data standard 
for BOI stored in the IT system so that the data is compatible with 
other jurisdictions' BOI databases. One commenter suggested that one 
authorized access be assigned to each entity, and that each entity 
should be held responsible for controlling who uses that access. 
Another commenter stated that ensuring limited access to beneficial 
ownership data is essential to help with public confidence in the 
system and for compliance purposes and encouraged FinCEN to think about 
how to prevent, mitigate, and manage potential data breaches that could 
occur, including how affected parties will be notified and how remedies 
can be implemented within reasonable timelines. This commenter also 
suggested that FinCEN should have the highest protective protocols in 
place for the database and that access to the database should be 
tracked, so that FinCEN is aware at all times of who has access to the 
database and who is making requests. Further, given the sensitive 
nature of BOI and the limited uses for which BOI obtained from FinCEN 
might be used, one commenter requested that FinCEN consider providing 
financial institutions with confirmation that BOI was obtained from 
FinCEN.
    Response. FinCEN appreciates the need to provide automated, user-
friendly access to the BO IT system, and is developing the BO IT system 
against those parameters and the requirements set forth in the CTA. 
Notably, the CTA does not provide for public access to BOI, and the 
modalities for authorized users to access BOI reflect that fact. With 
respect to comments regarding bulk access to BOI, FinCEN does not, at 
this time, anticipate providing bulk data exports of BOI to authorized 
users. However, FinCEN expects that financial

[[Page 88777]]

institutions will use Application Programming Interfaces (APIs) to 
access BOI, and that the BO IT system will accommodate the use of APIs 
for this purpose (including the submission of required certifications).
    Regarding comments that FinCEN should avoid engaging in case-by-
case reviews of BOI access requests, FinCEN notes that this is 
generally consistent with the proposed access modalities for the six 
categories of authorized users. Although FinCEN had initially proposed 
a case-by-case review mechanism for State, local, and Tribal law 
enforcement agency requests for BOI, it has eliminated that requirement 
from the final rule. FinCEN will review certain requests for BOI from a 
``trusted foreign country'' on a case-by-case basis, but believes that 
the case-by-case handling of those requests is warranted given their 
nature (i.e., they are requests from a foreign government that are not 
governed by an existing treaty, agreement, or convention) and the fact 
that foreign governments, per the CTA, must submit requests for BOI 
through an intermediary Federal agency and will not have direct access 
to the BO IT system.
    Two commenters requested that FinCEN clarify what information 
authorized users will receive from the BO IT system, and that such 
information should include the chain of ownership between the reporting 
company and the beneficial owners. Other commenters requested 
clarification as to whether authorized users will have access to the 
underlying BOI when a FinCEN identifier is included in beneficial 
ownership information report in lieu of the personal identifying 
information of a beneficial owner or company applicant.
    FinCEN will disclose to authorized users the information that 
reporting companies are required to report under 31 CFR 1010.380(b). 
This means that authorized users will receive information about (1) the 
reporting company, (2) its beneficial owners, and (3) any company 
applicants. For the reporting company, authorized users will receive a 
transcript with (1) the full legal name and any trade or ``doing 
business as'' names of the reporting company, (2) the complete current 
address of the reporting company, (3) the State, Tribal, or foreign 
jurisdiction of formation of the reporting company, (4) for a foreign 
reporting company, the State or Tribal jurisdiction where the foreign 
reporting company first registers, and (5) the IRS Taxpayer 
Identification Number or foreign tax identification number of the 
reporting company. For beneficial owners or company applicants, 
authorized users will receive a transcript with (1) the full legal name 
of the individual, (2) the individual's date of birth, (3) a complete 
current address, and (4) the unique identifying number and the issuing 
jurisdiction from an acceptable identification document (i.e., a non-
expired U.S. passport, a non-expired identification document issued to 
the individual by a State, local government, or Indian tribe for the 
purpose of identifying the individual, a non-expired driver's license 
issued to the individual by a state, or a non-expired passport issued 
by a foreign government to the individual). Images of individuals' 
identification documents will be made available to Federal agencies 
engaged in law enforcement, national security, or intelligence 
activities, or to State, local, or Tribal law enforcement agencies. 
Information associated with a FinCEN identifier that has been reported 
in a beneficial ownership information report will be included in the 
BOI transcripts made available to authorized users. Lastly, FinCEN 
intends to mark BOI reports to identify them as originating from 
FinCEN's BO IT system.
    In respect of data format, FinCEN evaluated existing data 
standards, which includes Extensible Markup Language (XML), and the 
Open Ownership (OO) data standards when developing its beneficial 
ownership data standards. To the extent possible, FinCEN did use those 
standards in the OO data catalog that could be incorporated consistent 
with the CTA.
    The BO IT system will adhere to FISMA (Federal Information Security 
Management Act) ``High'' standards, which require implementing the 
highest level of security controls for a system at the unclassified 
level, to help protect against the loss of confidentiality, integrity, 
or availability of information. For the BO IT systems, FinCEN is 
responsible for implementing Executive Order 14028 (``Improving the 
Nation's Cybersecurity''), Treasury's Zero Trust mandates, Continuous 
Diagnostic Mitigation Program, and other Federal directives to protect 
systems and information. In addition, Treasury has established a Cyber 
Review Board, which has established the Treasury Incident Coordination 
Process (T-ICP) to appropriately escalate any data breaches and 
compromises.
b. IT System Search Capabilities
    Comments Received. FinCEN received comments both on how all 
authorized users would conduct searches for BOI in the IT system, and 
more specific comments about how financial institutions would conduct 
searches. Multiple commenters requested that all users be able to 
search using a wide range of search fields or that FinCEN adopt a 
layered approach in which some users would be able to conduct wider 
ranging searches while others would be more limited. One commenter also 
requested that users be able to search for historical BOI on a single 
reporting company. Commenters also highlighted the need for information 
on how authorized users can access BOI and requested that FinCEN 
provide guidance for users in conducting searches in the form of pre-
populated forms, templates, guidance documents, FAQs, or an ``access 
toolkit.''
    With respect to financial institution access, several commenters 
argued that the proposed level of financial institution searching 
capabilities is far too restrictive and should mirror that of law 
enforcement agencies so financial institutions can conduct broad and 
open-ended queries. One commenter stated that financial institutions 
should be able to broadly search throughout the BOI database to learn 
more about a specific customer's beneficial owners and their 
connections to other companies in order to strengthen their customer 
due diligence compliance.
    Many commenters also requested that FinCEN adopt technologies that 
would facilitate immediate, on-demand access to BOI that would be 
compatible with financial institutions' systems, and the most common 
request was for FinCEN to allow the use of APIs to access the IT 
system. Some commenters asked FinCEN to clarify that FinCEN would not 
manually review and approve each request to search the database, as 
this could overwhelm FinCEN's capabilities considering the number of 
search requests. Many commenters requested an automated system for 
financial institutions to certify their requests for access and be 
approved by FinCEN so that they could conduct bulk searches instead of 
individual searches, and they argued that the proposal in the NPRM of a 
single ``electronic transcript'' per BOI search would be costly and 
inefficient. Commenters also requested that FinCEN make changes to the 
information FinCEN requires from financial institutions to conduct 
searches, and one commenter argued that FinCEN should require that 
financial institutions use a reporting company's FinCEN identifier as 
an added security measure. Finally, related to financial institution 
searches of the database, a few commenters asked that, prior to January 
1, 2024, FinCEN clarify how financial institutions would be informed 
when their queries match or

[[Page 88778]]

fail to match data in the database, and how FinCEN will handle query 
errors and mismatches generally. One commenter provided specific 
suggestions for a matching system that FinCEN could use.
    Response. As explained in the proposed rule, FinCEN expects that 
there will be differing levels of access to the BO IT system, depending 
on the type of authorized BOI recipient.
    Domestic agency users (i.e., Federal agencies engaged in national 
security, intelligence, and law enforcement activity; Treasury officers 
and employees who require access to BOI to perform their official 
duties or for tax administration; and State, local, and Tribal law 
enforcement agencies) will be able to access and query the BO IT system 
directly. This type of access would permit authorized individuals 
within an authorized recipient agency to log in, run queries using 
multiple search fields, and review one or more results returned 
immediately. This broad access to the BO IT system will allow domestic 
agency users to conduct a wide range of searches using a variety of 
search fields. FinCEN believes this broad, flexible access for domestic 
agency users is necessary to enable them to use BOI effectively to 
facilitate investigations or other activities for which they may obtain 
BOI.
    As discussed in the proposed rule, such broad search capabilities 
within the BO IT system require domestic agencies to clearly understand 
the scope of their authorization and their responsibilities under it. 
That is why the proposed rule establishes protocols for requirements, 
limitations, and expectations with respect to searches by domestic 
agencies of the BO IT system. As part of these protocols, each domestic 
agency would first need to enter into an MOU with FinCEN before being 
allowed access to the system. Several commenters also requested that 
FinCEN provide guidance to users on how to conduct searches. FinCEN 
expects to offer guidance and training for all authorized users on the 
use of the BO IT system, similar to the trainings it provides to law 
enforcement and others on access to BSA data.
    As noted in the proposed rule, other categories of authorized BOI 
recipients will have more limited search capabilities. Foreign BOI 
recipients will have no access to the BO IT system, as their requests 
will flow through an intermediary Federal agency. Financial 
institutions and their regulators (Federal functional regulators and 
other appropriate regulatory agencies) would both have direct access to 
the BO IT system, albeit in more limited form than domestic agency 
users. The difference in access between domestic government agencies 
and financial institutions is explained by the provisions of the CTA, 
which require the consent of the reporting company before a financial 
institution may obtain the company's BOI from FinCEN. FinCEN 
anticipates that once a financial institution has obtained that 
consent, the financial institution would submit identifying information 
specific to that reporting company and receive in return an electronic 
transcript with that entity's BOI. FinCEN anticipates that financial 
institutions will be able to obtain a transcript immediately after 
submitting the search request; financial institutions' search requests 
will not be subject to manual review. Because of the need to limit 
financial institution access to those BOI transcripts for which it has 
reporting company consent, FinCEN believes that it would not be 
consistent with this statutory requirement to allow financial 
institutions to broadly query the BO IT system, which may result in the 
financial institutions obtaining information about other reporting 
companies or beneficial owners for which they do not have consent. One 
commenter suggested that FinCEN require financial institutions to use a 
reporting company's FinCEN identifier for the search as an added 
security measure. FinCEN notes, however, that reporting companies are 
not required to obtain FinCEN identifiers, and not all reporting 
companies will request them.
    With respect to Federal functional regulators and other appropriate 
regulatory agencies exercising supervisory functions, the CTA allows 
these agencies to request from FinCEN BOI that the financial 
institutions they supervise have already obtained from FinCEN, but only 
for assessing a financial institution's compliance with customer due 
diligence requirements under applicable law. FinCEN expects regulators 
acting in this supervisory capacity to be able to retrieve any BOI that 
the financial institutions they supervise received from FinCEN during a 
particular period, but they will not be able to broadly search the BO 
IT system. However, Federal functional regulators and other appropriate 
regulatory agencies responsible for bringing civil enforcement actions 
will be able to avail themselves of the broader search functionality 
described above for domestic agency users.
c. Notification of Updates or Changes to BOI
    Comments Received. Several commenters argued that the final rule 
should provide more clarity on whether FinCEN will provide financial 
institutions with the updates to BOI that reporting companies provide 
when there are changes to that company's BOI. These commenters 
specifically asked that FinCEN create a mechanism for automated updates 
of BOI to financial institutions when reporting companies change their 
BOI. Commenters argued that such automated updates would meet the 
requirements of the CTA that BOI provided to FinCEN is ``highly 
useful'' and assists financial institutions in meeting their customer 
due diligence and AML/CFT obligations. A few commenters requested that 
FinCEN develop a ``push'' notification system for the automated 
updates, and others requested a system in which financial institutions 
could sign up for updates when they first queried the database for a 
reporting company's BOI. Commenters also suggested that financial 
institutions could be given a choice to ``opt out'' at any point, such 
as when a financial institution's customer withdraws consent for 
searches of its BOI.
    Response. FinCEN appreciates the commenters' suggestions regarding 
the BO IT system functionality. FinCEN will consider these suggestions 
as a possible future enhancement to the BO IT system.
d. Inability and Loss of Access
    Comments Received. Several commenters asked FinCEN how financial 
institutions should continue meeting their customer due diligence 
obligations in the event of an unexpected event that results in loss of 
access to the BO IT system, such as a system outage or cyberattack that 
causes the system to be inaccessible. One commenter asked for FinCEN to 
clarify whether access to the system would be limited to business days 
and whether financial institutions would be prohibited from opening 
accounts during times of inaccessibility.
    Response. FinCEN anticipates that the BO IT system will be 
available for access 24 hours a day and 7 days a week. When there are 
planned system outages for regular maintenance activities or period of 
unexpected system unavailability, FinCEN will provide appropriate 
notification to users. Questions pertaining to the use of BOI for 2016 
CDD rule compliance will be addressed in FinCEN's forthcoming proposed 
rule to revise 31 CFR 1010.230.
e. Verification of Beneficial Ownership Information
    In the preamble to the proposed rule, FinCEN stated that it 
continues to

[[Page 88779]]

review the options available to verify BOI within the legal constraints 
in the CTA. It also clarified that in the term ``verification,'' as 
FinCEN uses it in this context, means confirming that the reported BOI 
submitted to FinCEN is actually associated with a particular 
individual.
    Comments Received. FinCEN received several comments on the issue of 
verification of the beneficial ownership information it will receive 
under 31 CFR 1010.380. Commenters argued that FinCEN is required by the 
CTA to verify information in the BO IT system, and that such 
verification is necessary to ensure the BOI reported to FinCEN is 
``accurate, complete, and highly useful'' consistent with the CTA. Some 
commenters urged FinCEN itself to verify data in the BOI database, 
while others suggested that verification should involve coordination 
with other governmental agencies and that such coordination is required 
by the CTA. Suggested verification mechanisms included checks against 
the Consular Consolidated Database maintained by the Department of 
State, the National Law Enforcement Telecommunications System, the U.S. 
Postal Service, and Departments of Motor Vehicles. One commenter noted 
that any verification method should be efficient and not burdensome to 
businesses.
    Some commenters noted the experience of other countries in 
verifying information in their beneficial ownership registers, and that 
FinCEN's proposal did not meet the verification requirements set forth 
by FATF. Others noted that FinCEN's definition of ``verification'' was 
unduly narrow and should be expanded to include verifying both that 
identifying information submitted is for an actual person and that the 
BOI is related to the named reporting company. Multiple commenters 
argued that verification, by ensuring BOI was accurate and complete, 
would reduce burden for financial institutions (or concomitantly, that 
failing to verify BOI would increase burden by imposing additional 
compliance costs on financial institutions). Commenters also argued 
that BOI would not be useful for financial institutions without 
verification. Multiple commenters suggested that FinCEN explore 
verification using privacy-protected data sharing mechanisms such as a 
Zero-Knowledge Proof which match certain data elements without 
requiring any of the parties to exchange or disclose the underlying 
data.
    With respect to the timing of verification, one commenter suggested 
that cross-checking information should happen at the time an entity is 
formed and that financial institutions should therefore not have to 
collect the information but instead access the FinCEN database to 
assist in customer due diligence. Other commenters suggested that 
information should be verified upon submission to FinCEN. One commenter 
noted that FinCEN could increase the usefulness of the database by 
sanctions screening BOI against OFAC's Specially Designated Nationals 
and Blocked Persons List and alerting users who access such BOI.
    Response. Although verification is not addressed in this rule, 
FinCEN appreciates the comments on this topic and is carefully 
considering the suggestions provided. FinCEN agrees that verification 
is an important part of its overall efforts to ensure that the BOI 
reported to it is ``accurate, complete, and highly useful'' and 
continues to assess options to verify BOI taking into consideration 
practical, legal, and resource challenges.
f. Other IT System Issues
    Comments Received. FinCEN received additional comments pertaining 
to the functionality or use of the BO IT system. Two commenters 
suggested that FinCEN should make the BO IT system compatible with 
other countries' databases. Others suggested that FinCEN provide a 
proof of registration page when a BOI report is successfully filed. 
Another commenter noted that the proposed rule does not address whether 
authorized users may make copies of the BOI reports they obtain from 
the BO IT system. One commenter recommended that FinCEN develop an 
interactive database which discloses generic BOI database query trends.
    Response. FinCEN appreciates these ideas and will take them into 
consideration as it continues to implement the CTA.
iii. The Proposed BOI Reporting Form
    Comments Received. While not the subject of this proposed rule, 
FinCEN received several comments on the proposed Beneficial Ownership 
Information Report (BOIR), which is the form that FinCEN will use to 
collect beneficial ownership information from reporting companies 
pursuant to 31 CFR 1010.380. Commenters were critical of checkboxes on 
the proposed BOIR form that would provide a mechanism for reporting 
companies to indicate when they are unable to obtain certain 
information about the reporting company's beneficial owners and company 
applicants. Several of these commenters requested that FinCEN remove 
all such checkboxes. Two commenters expressed concern with the quality 
and reliability of BOI if reporting companies are allowed to indicate 
that they are unable to identify beneficial owners entirely or provide 
only certain information associated with beneficial owners. One 
commenter stated that the checkboxes would act as a roadblock to banks' 
compliance with customer due diligence obligations and principles. One 
commenter stated that inclusion of the checkboxes supports financial 
institutions' voluntary use of BOI. One commenter stated that 
submission of declarations where the reporting company does not know 
who its beneficial owners are should not be permitted outside 
exceptional circumstances and that in such circumstances, the reporting 
company should submit supporting evidence and an explanation why the 
person is anonymous or their identity is unknown.
    Response. As part of its obligations under the Paperwork Reduction 
Act of 1995 (PRA), FinCEN separately solicited public comment on the 
proposed BOIR form through a 60-day PRA notice, issued on January 17, 
2023.\197\ Given that the BOIR form is outside the scope of this 
rulemaking and was instead the subject of the 60-day PRA notice, FinCEN 
considered the comments it received on the form as part of its 
consideration of the comments received in response to the 60-day PRA 
notice. Pursuant to the PRA, on September 29, 2023, the Department of 
the Treasury, on behalf of FinCEN, published a 30-day PRA notice, which 
considered these comments and proposed a revised approach to the BOIR 
form.\198\ OMB approved the proposed BOIR form on November 27, 2023.
---------------------------------------------------------------------------

    \197\ 88 FR 2760 (Jan. 17, 2023).
    \198\ 88 FR 67443 (Sept. 29, 2023).
---------------------------------------------------------------------------

iv. Outreach and Guidance
    Proposed Rule. FinCEN acknowledged in the proposed rule that 
implementation of the final rule will require additional engagement 
with stakeholders to ensure a clear understanding of the Access Rule's 
requirements, including through guidance and FAQs, help lines, and 
other communications. In question 29 in the Access NPRM, FinCEN asked 
what specific issues FinCEN should address via public guidance or FAQs 
as well as whether there were specific recommendations on engagement 
with stakeholders to ensure that the authorized recipients--in 
particular, State, local, and Tribal authorities and small and mid-
sized financial

[[Page 88780]]

institutions--are aware of requirements for access to the BO IT system.
    Comments Received. FinCEN received a variety of comments in 
response to the outreach questions in the Access NPRM. Commenters noted 
that a Small Entity Compliance Guide and FAQs, available well in 
advance of any effective date, would be useful for authorized users of 
the BO IT system. Training videos and step-by-step guides for each type 
of authorized recipient, including an online tip platform, would also 
improve CTA effectiveness. Commenters also suggested the importance of 
having educational materials for foreign requesters available in as 
many languages as feasible. Those commenters stated that the guidance 
on foreign access should include examples, templates, forms, and other 
materials that can streamline the process as much as possible. Several 
commenters suggested developing guidance and educational materials for 
financial institutions, Certified Public Accountants, and Secretary of 
State offices that could be provided to their customers and 
constituents. One commenter specifically highlighted a variety of 
national law enforcement and tribal association annual conferences 
where FinCEN should present and be available to educate participants on 
access to, and the utility of, the BO IT system. Regarding engagement 
with potential foreign requesters, one commenter suggested that FinCEN 
consider discussing access requirements with the key foreign partners 
of Federal agencies. One commenter recommended that FinCEN use clear 
font styles and sizes, avoid small footnotes and legalese, and use 
contrasting colors.
    Final Rule. As with the Reporting Rule published on September 30, 
2022,\199\ FinCEN envisions committing significant resources upon 
publication of the final Access Rule to prepare for and enable 
successful implementation. FinCEN anticipates that these resources will 
be used to conduct outreach, as well as draft and issue guidance, user 
guides, FAQs, and other educational materials. FinCEN recognizes the 
need to ensure that reporting companies, authorized users, and other 
stakeholders have a thorough understanding of the beneficial ownership 
Reporting and Access Rules and their requirements, both before and 
after the effective date of the rules. FinCEN also remains mindful of 
the imperative to minimize burdens on reporting companies, financial 
institutions, and authorized users while also fulfilling the CTA's 
directives for establishing an effective reporting and access 
framework. FinCEN appreciates that outreach and education is an 
important element of the effort to reduce compliance burdens and 
enhance the utility of the BO IT system. In addition to its planned 
outreach and educational efforts, FinCEN continues to track inquiries 
coming into its Regulatory Support Section and will draw on those 
inquiries when planning outreach and drafting future guidance and 
educational materials.
---------------------------------------------------------------------------

    \199\ 87 FR at 59548.
---------------------------------------------------------------------------

    FinCEN notes that 31 U.S.C. 5336(g) requires the Director of 
FinCEN, in promulgating regulations carrying out the CTA, to reach out 
to the small business community and other appropriate parties to ensure 
efficiency and effectiveness of the process for the entities subject to 
the CTA's requirements. FinCEN has engaged in such outreach throughout 
the Access rulemaking processes. As noted in the Access NPRM, FinCEN 
conducted more than 30 outreach sessions to solicit input on how best 
to implement the statutory authorizations and limitations regarding BOI 
disclosure. Participants included representatives from Federal 
agencies, state courts, state and local prosecutors' offices, Tribal 
governments, financial institutions, financial SROs, and government 
offices that had established BOI databases. Topics discussed included 
how stakeholders might use BOI, potential IT system features, 
circumstances in which potential stakeholders might need to re-
disseminate BOI, and how different approaches might help further the 
purposes of the CTA. These conversations helped FinCEN refine its 
thinking about how to create a useful database for stakeholders while 
protecting BOI and individual privacy.
    FinCEN intends to continue its substantial outreach to 
stakeholders, including Federal and state law enforcement officials, 
Indian Tribes, trade groups, and others, to ensure coordinated efforts 
to provide notice and sufficient guidance to all potential authorized 
users. FinCEN will also provide guidance materials and training 
materials for authorized users of the BO IT system.
    FinCEN appreciates the suggestions on how to minimize burden to 
State, local, and Tribal authorities and make the use of the BO IT 
system as effective as possible. FinCEN currently administers access to 
the FinCEN Query system and would build on its experience and contacts 
with law enforcement agencies and others in administering access to and 
providing training on BOI access.

I. Other Access NPRM Comments

i. Inspector General Complaint Process
    Comments received. One commenter stated that the proposed rule 
lacked any acknowledgement of the user complaint process established in 
the CTA.\200\ The CTA provides that the Inspector General of the 
Department of the Treasury, in coordination with the Secretary of the 
Treasury, shall provide public contact information to receive external 
comments or complaints regarding the beneficial ownership information 
notification and collection process or regarding the accuracy, 
completeness, or timeliness of such information. The CTA also requires 
the Inspector General to make a periodic report to Congress on user 
complaints and any resulting recommendations to ensure the beneficial 
ownership information reported to FinCEN is accurate, complete, and 
highly useful.\201\
---------------------------------------------------------------------------

    \200\ 31 U.S.C. 5336(h)(4).
    \201\ Id.
---------------------------------------------------------------------------

    Response. FinCEN is cognizant of the CTA's requirements with 
respect to the user complaint process. FinCEN acknowledged Treasury 
OIG's role in this process in the final beneficial ownership Reporting 
Rule, noting that the Treasury OIG had established an email inbox 
([email protected]) to receive such complaints.\202\ 
FinCEN expects that officers and employees of OIG, as officers and 
employees of the Department of the Treasury, would have access to BOI 
in the BO IT system for any official duties that require access to 
information in that system, including for purposes of fulfilling the 
Treasury OIG's responsibilities under the user complaint process as 
outlined in the CTA.
---------------------------------------------------------------------------

    \202\ 87 FR 59498, 59508.
---------------------------------------------------------------------------

ii. Effective Date
    Proposed Rule. FinCEN proposed an effective date for the Access 
Rule of January 1, 2024, to align with the date on which the Reporting 
Rule at 31 CFR 1010.380 becomes effective.\203\ FinCEN explained in the 
proposed rule that a January 1, 2024, effective date is intended to 
provide the public and authorized users of BOI with sufficient time to 
review and prepare for implementation of the rule.\204\
---------------------------------------------------------------------------

    \203\ 87 FR 77404, 77425.
    \204\ Id.
---------------------------------------------------------------------------

    Comments Received. Several commenters expressed concern about the 
January 1, 2024, effective date. One commenter stated that it is 
unlikely that FinCEN will be able to promulgate a final access rule by 
the end of 2023 or

[[Page 88781]]

that the related BO IT system will be built, tested, and operational by 
the end of 2023. The commenter noted that it is unlikely that 
authorized users will have met the regulatory obligations that are 
prerequisites to their ability to access BOI by that date. The 
commenter suggested that FinCEN should set out a manageable, realistic 
timeline extending past January 1, 2024, and communicate this timeline 
to all stakeholders. Another commenter expressed concern about a ``go 
live'' date of January 1, 2024,\205\ and the ability of FinCEN and 
financial institutions to make the necessary implementation 
preparations by that date given resource constraints. This commenter 
suggested that FinCEN delay the effective date of the beneficial 
ownership rules and consider a staged implementation approach. Finally, 
another commenter expressed concern that the effective date of FinCEN's 
beneficial ownership rules will coincide with a regulatory action by 
the Consumer Financial Protection Bureau, which would overwhelm 
financial institution compliance staff.
---------------------------------------------------------------------------

    \205\ The commenter actually referred to January 1, 2025, but 
FinCEN believes this was a typographical error intended to refer to 
January 1, 2024.
---------------------------------------------------------------------------

    Final Rule. This final rule will be effective February 20, 2024. 
However, the effective date of the Reporting Rule remains January 1, 
2024, and FinCEN continues to target January 1, 2024, for the release 
of the BO IT system. Given the publication date of this final rule in 
advance of January 1, 2024, and FinCEN's phased implementation approach 
outlined in section II.D.iii, FinCEN believes authorized users will 
have sufficient advance notice of the requirements of this rule. FinCEN 
appreciates these comments and pragmatic suggestions and will make 
adjustments to its implementation plans if circumstances warrant.
    With respect to concerns about potential overlap with another 
significant regulatory action, FinCEN notes that under the Reporting 
Rule, existing reporting companies will have one year (until January 1, 
2025) to file their initial beneficial ownership reports. FinCEN also 
notes that there is no requirement in the rule that authorized users of 
the BO IT system access the system immediately upon the effective date 
of this rule. The final CTA-related rulemaking to revise FinCEN's 
customer due diligence rule must occur no later than one year after the 
effective date of the Reporting Rule, or January 1, 2025, and this 
process will likely extend into 2024.\206\
---------------------------------------------------------------------------

    \206\ CTA, section 6304(d).
---------------------------------------------------------------------------

iii. Budget and Staffing
    Proposed Rule. The preamble of the proposed rule included a 
discussion of FinCEN's resource constraints with respect to 
implementation of the CTA.\207\ FinCEN noted in that discussion that 
without the availability of additional appropriated funds to support 
this project and other mission-critical services, FinCEN may need to 
identify trade-offs, including with respect to guidance and outreach 
activities, and the staged access by different authorized users to the 
database.
---------------------------------------------------------------------------

    \207\ 87 FR 77404, 77408.
---------------------------------------------------------------------------

    Comments Received. One commenter made note of this discussion in 
the proposed rule and requested a fuller explanation of the staged 
access approach. This same commenter also observed that FinCEN would 
likely receive an exponentially greater number of inquiries and 
requests for technical support from filers and users of the BO IT 
system than it currently handles and that FinCEN will need to hire and 
train hundreds of support personnel in the next twelve months. Another 
asked what ``staged access'' means and noted that the final rule should 
address specifics about this and how it will impact community banks. 
Finally, one commenter suggested that FinCEN address its resource 
constraints by considering a professional internship program to address 
short term staffing needs to support CTA implementation.
    Response. As previewed in the proposed rule, FinCEN has undertaken 
efforts to identify options to implement the requirements of the CTA 
within its current resources. One of several options to manage 
implementation in the current resource-constrained environment is to 
implement a phased rollout of access to the BO IT system--meaning that 
different groups of authorized users would obtain access to the system 
at different times in a set timeframe. As discussed further in section 
II.D.iii, to manage smoothly the draw on resources that this process 
will demand, FinCEN will take a phased approach to providing access to 
the BO IT system.
    FinCEN continues to move expeditiously to put in place the 
necessary infrastructure to implement the CTA and to provide adequate 
guidance and support to reporting companies and authorized users of the 
BO IT system. To this end, FinCEN is currently working to implement and 
staff a dedicated beneficial ownership contact center to field both 
substantive and IT-related inquiries. FinCEN has also hired additional 
full-time staff who will be assigned to support the beneficial 
ownership portfolio and has procured additional contractor support for 
FinCEN's CTA implementation efforts. Any changes to FinCEN's plans to 
implement the CTA will be clearly communicated to the public and 
stakeholders.

IV. Severability

    If any of the provisions of this rule, or the application thereof 
to any person or circumstance, is held to be invalid, such invalidity 
shall not affect other provisions or application of such provisions to 
other persons or circumstances that can be given effect without the 
invalid provision or application.

V. Regulatory Analysis

    This section contains the final regulatory impact analysis (RIA) 
for this final rule; it estimates the anticipated cost of the BOI 
access requirements to the public, among other items. The final rule 
imposes requirements on domestic agencies, foreign requesters, and 
financial institutions when they elect to access FinCEN's BOI database. 
The requirements and the associated costs vary depending on whether the 
affected entity is a domestic agency, foreign requester, or financial 
institution. To estimate costs associated with accessing beneficial 
ownership information in accordance with the final rule, FinCEN assigns 
an hourly burden to each requirement in the rule and uses an estimated 
wage rate to determine a per-entity expected cost of following that 
requirement. Where appropriate, FinCEN varies the hourly burden and 
wage according to the entity type and the size of the entity. To 
approximate an upper bound of aggregate expected costs, FinCEN 
multiplies the per entity costs computed as described by the total 
number of expected affected entities. These expected costs do not 
represent fees that affected entities need to pay to access beneficial 
ownership information, as no such fees are imposed by the final rule. 
Instead, the costs as estimated below reflect the dollar value FinCEN 
assigned, where possible, to the estimated time burden associated with 
the rule's requirements.
    Many of the rule's benefits are not as readily quantifiable, in 
part because the rule sets forth access requirements for obtaining BOI 
that is not yet available,\208\ and because expected use (and hence 
benefits) by at least some

[[Page 88782]]

parties cannot be reliably estimated before the CTA's required revision 
to the 2016 CDD Rule has been finalized.\209\ Other important expected 
benefits of the rule are not reliably quantifiable because an attempt 
to isolate the incremental benefits uniquely attributable to this rule 
would be inherently speculative, and even if such discrete increments 
could be identified, assigning a dollar value to items such as national 
security or public faith in the integrity of the U.S. financial system 
is impracticable. The rule, nevertheless, is generally expected to 
improve investigations by law enforcement and assist other authorized 
users in a variety of activities. To the extent that this increased 
efficiency in information gathering can be proxied by reduced search 
costs,\210\ FinCEN quantified these expected benefits to certain 
affected parties in the NPRM and in the RIA below. The potential 
improvements in the breadth, scope, and efficiency of investigations 
and other activities by authorized users should in turn strengthen 
national security, enhance financial system transparency and integrity, 
and align the United States more closely with international AML/CFT 
standards. The RIA includes a discussion of these qualitative benefits 
and quantifiable efficiency gains which may accrue to domestic agencies 
alongside the quantitative discussion of costs.
---------------------------------------------------------------------------

    \208\ BOI will be collected pursuant to 31 CFR 1010.380, 
finalized under the Reporting Rule, which will be effective January 
1, 2024.
    \209\ FinCEN would need to know how access to BOI under the rule 
will impact financial institutions' customer due diligence 
obligations, which FinCEN will not be able to assess until its 
revises the 2016 CDD Rule. Thus, FinCEN will instead assess the 
value that BOI access has to financial institutions in the 
regulatory analysis of FinCEN's upcoming revisions to the 2016 CDD 
Rule. Throughout the analysis, FinCEN notes issues that may be 
affected by the required revision to the CDD rule.
    \210\ In this analysis, ``search cost'' refers to the cost 
associated with obtaining beneficial ownership information. See. 
discussion in section V.A.ii.g. about monetizing the time component 
of search costs.
---------------------------------------------------------------------------

    FinCEN has made efforts to assess the expected costs and benefits 
of the rule realistically, but notes that the rule relates to access to 
newly required information that is not yet available; thus, the 
estimates are based on several assumptions where FinCEN lacks certain 
direct supporting data. FinCEN further notes that the analysis of 
expected costs and benefits, as previewed in the NPRM and discussed 
below, is performed over annual increments that assume a fully 
operational framework, one in which all potentially affected parties 
access a database that includes BOI reports from all reporting 
companies that are in existence as of the Reporting Rule's effective 
date.\211\ This framing is not expected to specifically depict the 
costs or benefits corresponding to the first, or subsequent, calendar 
year(s) following the adoption of the final rule, given the phased 
nature of related regulatory implementation.\212\ However, FinCEN is 
utilizing this approach because it imposes the fewest extraneous 
assumptions about how phased regulatory implementation impacts the 
expected economic effects.
---------------------------------------------------------------------------

    \211\ The Reporting Rule requires such entities to report BOI 
within one year of the effective date.
    \212\ The phased implementation is discussed in section 
II.D.iii. of the preamble.
---------------------------------------------------------------------------

    FinCEN acknowledges that during initial implementation, while 
entities begin to gain access to BOI and initial BOI reports are 
populated in the database, the anticipated aggregate costs and benefits 
of the rule may be lower that the estimates presented below. FinCEN 
further acknowledges that during this period, the balance of costs to 
benefits may also differ such that the relative economic value 
(benefits scaled by costs) of the rule as discussed below could be 
overestimated. However, as the methodological approach of the RIA, in 
the NPRM and below, conservatively ascribes no quantifiable benefits to 
financial institutions as a subgroup of authorized users while 
nevertheless incorporating an estimated full cost burden of access to 
them, it is unlikely that the aggregate net benefits in the RIA are 
overstated because in practice the benefit to participating financial 
institutions is expected to be nonzero.
    FinCEN has described its cost estimates in detail to inform the 
public about the rule and its impact and has analyzed the final rule as 
required under Executive Orders (E.O.s) 12866, 13563, and 14094, the 
Regulatory Flexibility Act, the Unfunded Mandates Reform Act, and the 
Paperwork Reduction Act. FinCEN's analysis assumes the baseline 
scenario is the current regulatory framework, in which there is no 
general Federal beneficial ownership information disclosure requirement 
and therefore no access to this information. Thus, any estimated costs 
and benefits as a result of the rule are new relative to maintaining 
the current framework. It has been determined that this regulation is a 
``significant regulatory action'' under section 3(f)(1) of E.O. 12866, 
as amended. Pursuant to the Regulatory Flexibility Act, FinCEN's 
analysis concluded that the rule will have a significant economic 
impact on a substantial number of small entities. Furthermore, pursuant 
to the Unfunded Mandates Reform Act, FinCEN concluded that the rule 
will result in an expenditure of $177 million or more annually by 
State, local, and Tribal governments or by the private sector.\213\
---------------------------------------------------------------------------

    \213\ The Unfunded Mandates Reform Act requires an assessment of 
mandates that will result in an annual expenditure of $100 million 
or more, adjusted for inflation. The U.S. Bureau of Economic 
Analysis reports the annual value of the gross domestic product 
(GDP) deflator in 1995, the year of the Unfunded Mandates Reform 
Act, as 71.823, and as 127.224 in 2022. See U.S. Bureau of Economic 
Analysis, ``Table 1.1.9. Implicit Price Deflators for Gross Domestic 
Product'' (accessed Friday, June 2, 2023). Thus, the inflation 
adjusted estimate for $100 million is 127.224/71.823 x 100 = $177 
million.
---------------------------------------------------------------------------

    Because the rule is a significant regulatory action under section 
3(f)(1) of E.O. 12866, FinCEN prepared and made public a preliminary 
RIA, along with an Initial Regulatory Flexibility Analysis (IRFA) 
pursuant to the Regulatory Flexibility Act, on December 16, 2022.\214\ 
FinCEN received multiple comments about the RIA and the IRFA, which are 
addressed in this section. FinCEN has incorporated additional data 
points, additional cost considerations, and responses to other points 
raised by commenters into the final RIA, which is published in its 
entirety following a narrative response to the comments.
---------------------------------------------------------------------------

    \214\ See 87 FR 77426-77454.
---------------------------------------------------------------------------

A. Executive Orders 12866, 13563, and 14094

    E.O.s 12866, 13563, and 14094 direct agencies to assess costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, and public health and 
safety effects; distributive impacts; and equity). E.O. 13563 
emphasizes the importance of quantifying both costs and benefits, 
reducing costs, harmonizing rules, and promoting flexibility. It has 
been determined that this regulation is a significant regulatory action 
under section 3(f)(1) of E.O. 12866, as amended. Accordingly, this 
final rule has been reviewed by the Office of Management and Budget 
(OMB).
i. Discussion of Comments to the RIA
    FinCEN received several comments related to the Access NPRM RIA. 
The majority of these comments focused on the estimated costs for 
financial institutions to comply with the proposed access requirements. 
A smaller group of comments raised points on other aspects of the 
NPRM's RIA, primarily on the cost analysis.

[[Page 88783]]

a. Comments Related to Costs to Financial Institutions
    Comments generally stated that the access requirements will be 
burdensome for financial institutions. Time and resources will be 
required to adjust to the rule's requirements for financial 
institutions to access BOI. In particular, a comment noted that 
compliance costs will include training relevant staff, changing 
policies and procedures, enhancing information security, and educating 
senior management and customers, and that these costs are significant 
and should not be overlooked or underestimated. Comments also stated 
that banks would need to hire or reallocate personnel if the rule is 
implemented as proposed. FinCEN generally agrees with comments 
observing that time and resources that will be required for financial 
institutions to adjust to the rule's requirements. FinCEN aims in this 
analysis to accurately estimate the burden of implementing requirements 
to access BOI.
    Comments also discussed the estimates in the NPRM for financial 
institution costs. One comment stated that the estimates were generally 
inaccurate and were not reasonable. Comments provided specific feedback 
on the following financial institution cost estimates:
    Administrative, Technical, and Physical Safeguards. A few 
commenters stated that the NPRM's estimate of the costs for financial 
institutions to establish administrative and physical safeguards to 
protect accessed BOI was far too low--one comment called it 
``exponentially off''--and needed to be revisited. One commenter stated 
that financial institutions would need to spend vastly more than 
estimated to develop and implement new systems, with ongoing costs that 
would include training on how to treat BOI from FinCEN differently than 
other BOI a financial institution may collect. The commenter estimated 
it would cost between $1 million and $3 million to develop new systems 
or adapt existing systems to comply with the proposed rule and to 
prevent BOI obtained from FinCEN from ``flowing'' into other financial 
institution monitoring systems or to affiliates outside of the United 
States. The commenter notes this cost could double if financial 
institutions are only able to access BOI on a manual, and not 
automated, basis.
    Relatedly, a commenter stated that FinCEN significantly 
underestimates the costs financial institutions will incur to update 
processes and IT systems to comply with the proposed rule. The 
commenter stated that financial institutions would need to 
``reengineer'' their existing processes and technology to comply with 
the limitations on sharing outside of the United States and to 
segregate BOI from FinCEN from standard customer documentation. The 
commenter did not provide a cost estimate. A commenter reminded FinCEN 
to be mindful that modifying existing procedures to accommodate 
requests and other related issues will take time and resources and 
requested FinCEN write the final rule in a clear and straightforward 
manner.
    Finally, a commenter expressed concern that BOI reported to FinCEN 
will not be accurate or reliable, forcing banks to shoulder the 
majority of the burden in implementing the CTA by acting as 
``regulatory quality control.'' Commenters stated that if financial 
institutions are required to rely on BOI reported to FinCEN, the 
quality and reliability of customer risk profiles would be undermined 
unless the financial institutions maintain duplicate systems of BOI 
financial institutions receive directly from their customers and 
identify discrepancies between the two data sources.
    In response to these comments, FinCEN increased the burden estimate 
of financial institutions establishing administrative and physical 
safeguards. FinCEN retains its estimate for IT costs.
    As explained in section III.H.ii.e. although this rule does not 
address the verification of BOI reported to FinCEN, FinCEN agrees that 
verification is an important part of its overall efforts to ensure that 
the BOI reported is ``accurate, complete, and highly useful'' and 
continues to assess options to verify BOI taking into consideration 
practical, legal, and resource challenges. Regardless of exactly how 
FinCEN ultimately addresses verification, FinCEN does not anticipate 
that the final rule will require financial institutions to need to 
separate BOI obtained from FinCEN and BOI obtained from customers under 
their existing customer due diligence processes, as some commenters 
suggested would be necessary if FinCEN retained a strict prohibition on 
financial institutions using or storing BOI obtained from FinCEN 
outside the United States; therefore, FinCEN is not estimating the 
burden for financial institutions to reallocate resources or create 
duplicative systems to separately store BOI obtained from FinCEN. 
FinCEN also notes that financial institutions will have the ability to 
submit multiple search requests simultaneously through an automated 
process, lessening costs associated with manual searches by financial 
institutions.
    Customer Consent. Under the rule, financial institutions must 
obtain and document the consent of a reporting company customer prior 
to accessing BOI about that customer. Multiple commenters stated that 
FinCEN's estimate for the burden of obtaining this customer consent was 
too low and not reasonable; one comment called the estimate ``patently 
absurd.'' Commenters noted that this process would involve multiple 
steps, including identifying all applicable forms, drafting and 
reviewing appropriate consent language, and updating or establishing 
new processes and procedures. A commenter noted that updating online 
forms, which is the format that many banks use for account opening 
documents, requires technical development work and testing, among other 
tasks. The commenter stated that small banks will require less than the 
estimated 10 hours, but the majority of institutions will require 
significantly more time to implement the requirement. Another commenter 
stated that the NPRM estimate disregarded the time and attention 
necessary to devote on an ongoing basis to meeting this requirement. 
Another commenter noted that costs could also arise if a customer does 
not give consent or revokes consent, because the financial institution 
would be required to expend resources to monitor on an ongoing basis 
which customers have consented. A commenter estimated it would take 
10,000 hours of personnel time, and potentially 100,000 hours in the 
largest institutions, to update account opening policies, procedures, 
processes, and forms to include the customer consent requirement. A 
commenter noted that large banks will be able to absorb these costs but 
predicted small and mid-sized banks will turn to service providers.
    FinCEN changed the burden estimate for obtaining customer consent 
based on these comments. FinCEN increased the initial burden for 
updating forms and procedures to account for this requirement and 
considered the multiple steps this will require based on comments. 
FinCEN also added an ongoing maintenance cost for this requirement to 
account for the necessity to change or update procedures. FinCEN 
assesses, however, that this ongoing maintenance cost is relatively 
minimal. FinCEN is not estimating costs related to obtaining customer 
consent more than once, but will assess if such a cost should be 
considered in the future CDD Rule revision. FinCEN is not assessing a 
cost related to a customer not providing or revoking consent. FinCEN

[[Page 88784]]

believes that the tracking of such information would be included in the 
existing cost estimates related to customer consent. Additionally, 
FinCEN expects that few customers will not provide consent given that 
providing BOI and general consent for financial institutions to access 
information from other sources are both routine requirements that 
customers anticipate and accept.
    Customer consent was the focus of one of the regulatory 
alternatives analyzed in the NPRM. Under this alternative, FinCEN, 
rather than financial institutions, would have obtained the required 
consent from reporting companies before financial institutions could 
access those companies' BOI.\215\ A commenter stated that the cost 
savings to financial institutions would be much larger in practice than 
FinCEN estimated in the NPRM's alternative analysis, and that FinCEN's 
reason for rejecting this alternative--that financial institutions are 
better positioned to obtain consent (and track consent revocation) 
given their direct customer relationships and ability to leverage 
existing onboarding and account maintenance processes--does not make 
sense. FinCEN retains this alternative scenario but notes that the 
related cost savings estimate has changed given the changes to the 
financial institution burden estimates throughout the analysis.
---------------------------------------------------------------------------

    \215\ See 87 FR 77427-77428.
---------------------------------------------------------------------------

    FinCEN, however, rejects the commenter's claim that the NPRM's 
reasoning was nonsensical. As explained in section III.E.ii.d above, 
FinCEN remains convinced that financial institutions are better 
situated than FinCEN to obtain and document a reporting company's 
consent given financial institutions' direct customer relationships. By 
contrast, FinCEN believes considerable delay could result if it were 
itself to take on direct management of the consent process. For this 
reason and as further explained in section III.E.ii.d above, FinCEN 
declines to adopt the alternative of FinCEN collecting customer 
consent.
    Training. A few commenters stated that the estimated cost of 
training financial institution employees who will access BOI under the 
rule was underestimated. A commenter stated that the NPRM estimates did 
not account for lost productivity to the financial institution while 
employees are attending training sessions. However, FinCEN notes the 
use of a wage rate for financial institution employees implicitly 
accounts for lost productivity to the institution of employees working 
on the rule's requirements rather than other items.
    Commenters stated that in addition to those directly accessing 
FinCEN's BOI database, all employees that interact with BOI through 
account opening or customer interactions would also need to participate 
in training. This training would most likely not be centralized and 
would be spread over departments and branches in financial 
institutions. A commenter stated that the increased cost due to 
training contradicts Congress' intent for the CTA to minimize burden on 
financial institutions. A commenter stated this burden could be 
alleviated by keeping the registration and requirements simple. A 
commenter also stated that training would be necessary to inform 
financial institution employees on how to treat BOI obtained from 
FinCEN separately from BOI obtained through other means.
    FinCEN has concluded that these comments overstate the burden 
imposed by the rule. The final rule (31 CFR 1010.955(d)(2)(ii)) 
requires financial institutions to develop and implement 
administrative, technical, and physical safeguards reasonably designed 
to protect BOI as a precondition for receiving BOI. But, as explained 
in section III.E.ii.c, FinCEN is authorizing financial institutions to 
satisfy this requirement by applying security and information handling 
procedures under section 501 of Gramm-Leach-Bliley Act and applicable 
regulations for nonpublic customer personal information to BOI. The 
Federal functional regulators have implemented the requirements of the 
Gramm-Leach-Bliley Act in different ways, but they all generally 
reference providing related training.\216\ Thus, FinCEN does not expect 
BOI training to be unduly burdensome because training to protect 
nonpublic customer personal information is already part of a financial 
institutions' Gramm-Leach-Bliley Act requirements.\217\ As explained in 
section III.E.ii.c, FinCEN thus anticipates that financial institutions 
will determine how best to train personnel who will have access to BOI 
but who will not interact with the BO IT system.
---------------------------------------------------------------------------

    \216\ See generally Interagency Guidelines, supra note 91, p. 
95.
    \217\ As discussed, the final rule does not require financial 
institutions to separate BOI obtained from FinCEN and BOI obtained 
from customers under their existing customer due diligence 
processes. Thus, training on how to segregate BOI obtained from 
different sources should not be necessary, and FinCEN accordingly 
does not need to account for the costs of such training.
---------------------------------------------------------------------------

    Nonetheless, financial institutions will need to provide some 
training to ensure that relevant financial institution personnel access 
BOI in a manner consistent with this rule. As part of estimating the 
cost of this training, the NPRM included an estimate of the number of 
employees that would access BOI at both small and large financial 
institutions. Commenters stated that these estimates were too low and 
depended on many assumptions, including an assumption that the 
connection to the BO IT system is fast and easy for the user with 
minimal manual intervention. Commenters proposed alternative estimates. 
A commenter assumed that banks would have between 5 and 15 percent of 
employees involved in customer due diligence processes (the percentage 
varied depending on financial institution size), and used December 2021 
FDIC bank data to estimate that 3,586 small banks will have between 1.5 
to 10 people, and an average of 4 to 5 people, performing customer due 
diligence, and 1,263 large banks will have between 5 and 5,000 people, 
and an average of 26 to 27 people, performing customer due diligence. 
Another comment from a bank industry representative stated that a 
member estimated it has hired 50 full-time equivalent employees to 
address the existing CDD Rule requirements, and additional employees 
would be needed for the proposed rule. Similarly, another commenter 
estimated that some large banks will need to hire up to 40 or 50 
additional staff to manage the technical process associated with BOI. A 
financial institution comment stated that they would like to have at 
least 20 or 25 staff members (out of 40 full-time staff) available to 
access this data, which would be a minimum of 3 staff per location.
    FinCEN appreciates the estimates provided by commenters and has 
incorporated changes to the analysis based on these comments. However, 
FinCEN notes that the assumption that connection to the BO IT system is 
fast and easy for the user is in line with FinCEN's expectations. 
Financial institutions will also not need to access the BO IT system 
manually if they access via API.
    Requests for BOI and Related Certification Costs. Commenters raised 
questions about the assumptions related to the NPRM's estimate of the 
number of annual requests for BOI from financial institutions. The NPRM 
included this estimate to calculate the cost burden of the proposed 
rule's requirement that financial institutions certify that each 
request for BOI meets certain requirements. A commenter stated that 
FinCEN's reliance on

[[Page 88785]]

estimates of annual new entity accounts from the 2016 CDD Rule was 
wrong because: (1) the CDD Rule requires the collection and 
verification of BOI for every new customer and every existing customer 
opening a new account; (2) the definition of legal entity customer 
under the CDD Rule is broader than the definition of reporting company 
under the CTA; and (3) the use of an average for a diverse set of 
financial institutions may not be appropriate. Another commenter 
questioned the assumption that financial institutions will seek to 
access BOI every time a new legal entity customer that qualifies as a 
reporting company opens a new account because another part of the NPRM 
stated that the proposed rule would not impose an obligation to access 
BOI. Another commenter claimed that most banks expect that the total 
annual costs of certifying their compliance when making BOI requests 
will be significantly higher than FinCEN's estimate, but did not 
provide an alternative cost estimate.
    FinCEN retains the methodology used in the NPRM, which results in 
an estimated range of 5 million to 6 million annual requests for BOI 
from financial institutions. FinCEN proposed the upper bound of 6 
million based on the 2016 CDD Rule's regulatory analysis. The comments 
identified several reasons why the actual number of requests may 
differ, but FinCEN maintains it is appropriate to provide an upper 
bound estimate based on the CDD Rule. FinCEN agrees with commenters 
that this final rule does not impose an obligation to access BOI. 
However, FinCEN uses this upper bound estimate to illustrate potential 
costs to financial institutions if the financial institutions access 
BOI at the rate estimated in the current CDD Rule. FinCEN also 
acknowledges the point raised by another commenter regarding 
differences between the CDD Rule and Reporting Rule. If the future CDD 
Rule revision includes a different estimate for the number of annual 
requests for BOI per year, FinCEN will note that change, and its effect 
on financial institution costs, in that revision.
    Other Financial Institution Costs. Commenters recommended that 
audit and legal review costs to financial institutions be incorporated 
into the RIA. There are no audit requirements for financial 
institutions in the rule; however, FinCEN understands that in practice 
financial institution audits will include reviewing the safeguards 
implemented to protect accessed BOI. FinCEN clarifies in the analysis 
that the administrative safeguards burden estimate includes audit and 
legal review of such safeguards, and increases the burden estimate 
accordingly. A commenter also stated that the costs to financial 
institutions should be presented on a per account basis, and that the 
amount per account would be a few hours of an operations specialist 
work (at $50 per hour rate) to access BOI, corroborate it, address any 
remediation of errors in the BOI, and supervise the process, totaling 
$100-$200 per account opening in maintenance fees. FinCEN believes that 
the per institution cost estimate methodology used in the NPRM is 
appropriate and retains it here. The per account cost estimate would 
not capture fixed costs of establishing new procedures, and other 
requirements, that are necessary at the institutional level to comply 
with the rule.
    A commenter noted that complying with the rule's security and 
confidentiality requirements for BOI access will require significant 
time and resources for small businesses (presumably meaning small 
financial institutions), and that this will put such small businesses 
at a disadvantage compared to large companies with more resources. 
FinCEN considers the cost of the rule to small financial institutions 
in the Regulatory Flexibility Act section of the analysis, below. A 
commenter requested that FinCEN publish Small Entity Compliance Guides 
and FAQs to assist such entities with compliance. FinCEN anticipates 
issuing a Small Entity Compliance Guide pursuant to section 212 of 
Small Business Regulatory Enforcement Fairness Act (SBREFA) to assist 
small entities in complying with the BOI access requirements.
b. Comments Related to Government and Reporting Company Costs
    A handful of commenters raised other cost issues outside of those 
that pertained specifically to financial institutions. Regarding other 
estimates in the NPRM's RIA, one commenter stated that the cost 
estimate for State, local, and Tribal law enforcement agencies failed 
to include the number of hours such agencies would spend on the 
proposed written justification requirement. FinCEN did consider this 
burden in the NPRM and estimated that submitting a request to FinCEN 
for BOI would take one employee approximately 15 minutes, or 0.25 
hours, per request. For State, local, and Tribal agencies, FinCEN 
estimated an additional 20 to 30 hours of burden per request to obtain 
a court authorization in the NPRM. Therefore, State, local, and Tribal 
requests were estimated to have 20.25 to 30.25 hours of burden per 
request because of the court authorization and written certification 
requirements.\218\ FinCEN changed this estimate in the analysis given 
changes to the final rule's requirements.\219\
---------------------------------------------------------------------------

    \218\ FinCEN clarifies that this requirement is a certification 
and not a justification.
    \219\ 31 CFR 1010.955(d)(1)(ii)(B)(2).
---------------------------------------------------------------------------

    A commenter stated that the NPRM RIA did not address significant 
burdens on reporting companies that would have to provide BOI to both 
financial institutions and FinCEN. The commenter stated that such a 
burden would be duplicative and unnecessary. FinCEN expects that 
consideration of such burden will be included in the future CDD Rule 
revision, which will discuss the current requirements that financial 
institutions identify and verify the beneficial ownership information 
of their legal entity customers. Finally, a commenter agreed with the 
estimates of FinCEN's costs in the NPRM, noting the estimates appeared 
reasonable.
c. Comments Related to Benefits
    A few commenters stated that access to BOI would not have a benefit 
for financial institutions. These commenters stated that the 
requirements would impose additional compliance costs without enhancing 
customer due diligence processes and could result in duplicative 
processes. A commenter stated this would result in an inefficient 
allocation of resources across AML compliance programs. Another 
commenter stated that resources would be reallocated away from risk-
based activities that more effectively mitigate illicit finance risks.
    As in the NPRM, FinCEN is not attempting to estimate the benefits 
of this rule to financial institutions. To do so, FinCEN would need to 
know how access to BOI under the rule will impact financial 
institutions' customer due diligence obligations, which FinCEN will not 
be able to assess until its revises the 2016 CDD Rule. Thus, FinCEN 
will instead assess the value that BOI access has to financial 
institutions in the regulatory analysis of FinCEN's upcoming revisions 
to the 2016 CDD Rule.\220\ As explained in section II.B, mandatory 
revisions to the 2016 CDD Rule include: (1) bringing the rule into 
conformity with the AML Act as a whole, including the CTA; (2) 
accounting for financial institutions' access to BOI reported to FinCEN 
``in order to confirm the beneficial ownership information provided 
directly to'' financial institutions for AML/CFT and customer due 
diligence purposes; and (3) reducing unnecessary

[[Page 88786]]

or duplicative burdens on financial institutions and legal entity 
customers.\221\
---------------------------------------------------------------------------

    \220\ CTA, Section 6403(d)(1).
    \221\ CTA, Section 6403(d)(1)(A)-(C).
---------------------------------------------------------------------------

d. Comments on Other Topics
    A commenter recommended that FinCEN require secretaries of state 
and similar offices to incorporate collection of BOI into their 
registration processes, and then submit this information to FinCEN. The 
commenter noted that while this option was explored and rejected in the 
Reporting Rule, it could possibly be implemented in the long term and 
would minimize burden. As noted in the Reporting Rule, FinCEN rejected 
this alternative in part due to concerns raised by comments from 
several State authorities.\222\ FinCEN will continue to explore other 
avenues to coordinate with secretaries of state and similar offices on 
beneficial ownership matters and to minimize burden.
---------------------------------------------------------------------------

    \222\ 87 FR 59559 (Sept. 30, 2022).
---------------------------------------------------------------------------

ii. Final Regulatory Impact Analysis
a. Overview of the RIA
    The RIA begins with a summary of the rationale for the final rule, 
three regulatory alternatives to the final rule, and findings from the 
cost and benefit analysis (sections (b)-(d)). Section (e) describes the 
type and number of entities expected to be affected by the rule. 
Section (f) provides a detailed cost analysis (including discussions of 
each requirement's quantifiable costs) that considers costs to domestic 
agencies (including SROs), foreign requesters, financial institutions, 
and FinCEN. Section (g) is a detailed discussion of benefits. Section 
(h) summarizes the overall impact of the quantifiable portions of the 
rule.
    Changes to the analysis or assumptions are clearly specified, as 
well as references to comments that are incorporated into the RIA. In 
the course of this discussion, FinCEN describes its estimates, along 
with any non-quantifiable costs and benefits.\223\ In response to 
comments, FinCEN has made the following changes to its estimates: 
increased the number of SROs that may access BOI; increased the hourly 
burden for financial institutions to establish administrative and 
physical safeguards by 200 percent; increased the hourly burden for 
financial institutions to obtain and document customer consent by 400-
600 percent in year 1 \224\ and an additional 10 to 20 hours in 
subsequent years; \225\ and increased the expected number of financial 
institution employees requiring training to 4 to 5 for small financial 
institutions and 25 to 30 for large financial institutions. FinCEN also 
decreased the hourly burden estimate for written certification of 
requests by State, local, and Tribal law enforcement agencies, and 
described additional requirements for financial institutions, 
consistent with changes made to this requirement in the final rule. 
FinCEN also made changes to update data, underlying sources, and 
estimates with more recent information, if available.
---------------------------------------------------------------------------

    \223\ Throughout the analysis, FinCEN rounds estimates for 
entity counts to the nearest whole number, and any wage and growth 
estimates to the nearest 1 or 2 decimal places. Calculations may not 
be precise due to rounding, but FinCEN expects this rounding method 
produces no meaningful difference in the magnitude of FinCEN's 
estimates or conclusions.