A First Look Into Your Financial Institution’s Access to Beneficial Ownership Information

FinCEN has released an initial Small Entity Compliance Guide for Beneficial Ownership Information Access and Safeguards Requirements. Although the Guide is not very detailed at this point, here is what your small financial institution should know as of now.

On December 22, 2023, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued the Beneficial Ownership Information Access and Safeguards Rule (“Access Rule”) to implement provisions of the Corporate Transparency Act that authorized certain individuals to obtain access to identifying information associated with reporting companies, their beneficial owners, and their company applicants. The Access Rule sets the requirements for small entities that have the authority to obtain beneficial ownership information (“BOI”) from FinCEN, including small financial institutions.  

At this time, financial institutions do not have access to BOI. According to FinCEN, a phased approach is being implemented and financial institutions will likely be the final group to be granted access. FinCEN has issued statements that the Access Rule does not create a new regulatory requirement for banks or non-bank financial institutions to access BOI, nor does it create a supervisory expectation that they do so. However, under the Corporate Transparency Act, FinCEN is required to revise the current Customer Due Diligence Rule.

Once financial institutions are granted access, they will be subject to restrictions on the use and re-disclosure of BOI obtained. Financial institutions can only use BOI to fulfill customer due diligence requirements, which includes a legal requirement designed to counter money laundering or the financing of terrorism if it is reasonably necessary for the financial institution to identify (and verify the identity of) beneficial owners of legal entity customers. The BOI should not be used for a financial institution’s general business or commercial activities, such as determining whether to extend credit to a legal entity. According to FinCEN, examples of permissible uses of BOI include:

• Customer identification requirements (e.g., “Know Your Customer”);
• Enhanced Due Diligence required under the BSA (e.g., 31 C.F.R. § 1010.610);
• Suspicious Activity Report (SAR) filing;
• Uses that facilitate compliance with sanctions imposed by Treasury’s Office of Foreign Assets Control (OFAC), such as for sanctions screening; and
• Anti-money laundering/countering the financing of terrorism (AML/CFT) - related requests, reviews, and investigations.

For a financial institution to request a customer’s BOI from FinCEN, the financial institution will be required to first obtain and document the customer’s consent. The financial institution will only have to receive the customer’s consent prior to the initial request for the BOI and then can rely on the consent to retrieve BOI on subsequent occasions. FinCEN leaves it to the discretion of each financial institution to determine appropriate procedures and mechanisms for revocation or expiration of customer consent. However, the documentation of the consent must be maintained for five years after it was last relied on to make a BOI request to FinCEN.

In order to be granted access to BOI, financial institutions will be subject to security and confidentiality requirements designed to protect the security, confidentiality, and integrity of the BOI. For example, financial institutions subject to the Gramm-Leach-Bliley Act will be required to apply the procedures that the institution has established to protect customers’ nonpublic personal information under section 501 of the Gramm-Leach-Bliley Act to BOI. FinCEN will review each request to obtain BOI to ensure that the financial institution is only requesting the information to facilitate its customer due diligence requirements, that the financial institution received the customer’s consent prior to making a request, and that the financial institution fulfilled all other requirements under the Access Rule.

Failure to comply with the Access Rule may subject the financial institution to both civil and criminal violations. The Corporate Transparency Act provides civil penalties for reporting violations in the amount of $500 for each day a violation continues or has not been remedied, while criminal penalties include fines of not more than $10,000, imprisonment for not more than 2 years, or both.

Financial institutions should expect further guidance on the Access Rule at a later date. The initial Small Entity Compliance Guide can be found at: https://www.fincen.gov/sites/default/files/shared/BOI_Access_and_Safeguards_SECG_508C.pdf.