Takeaways from the Second (Proposed) Rule on Access: Who’s in the BOIs’ Club?

Welcome back to our series on the Corporate Transparency Act (CTA). If you’re just joining us, here’s a quick recap: Congress passed the CTA, a landmark framework requiring companies (corporations, LLCs, and other legal entities) to report their beneficial ownership information (BOI) to a non-public government database. Treasury’s Financial Crimes Enforcement Network (FinCEN) then published a Final Reporting Rule on September 29, 2022, identifying who must report what and when. The whole regime goes into effect on January 1, 2024. To learn more, take a look at our first alert on the Final Reporting Rule and our one-page reference guide. You can also check out our recent webinar with Wenting Yu, Scott Sugino, Will Pao, and former FinCEN Deputy Director AnnaLou Tirol.

That should bring you up to date. Now…

On December 15, 2022, FinCEN released the second rule, outlining who has access to BOI. This rule is still only a proposal, so written comments may be submitted to the Federal Register through February 14, 2023. FinCEN should finalize the Access Rule by the end of 2023, before the effective date of the Reporting Rule, which is January 1, 2024. FinCEN also expects its beneficial ownership IT system to be live by then.

The proposed Access Rule lays out who can see BOI and why. Under the proposal, authorized recipients include: (1) federal agencies engaged in national security, intelligence, or law enforcement activity; (2) state, local, or Tribal law enforcement with authorization from a “court of competent jurisdiction”; (3) foreign agencies involved in a law enforcement investigation, or national security or intelligence activity; (4) financial institutions subject to customer due diligence (CDD) requirements; (5) regulatory agencies that supervise compliance with CDD and (6) certain Treasury officers and employees. Recognizing that BOI is sensitive information, FinCEN has laid out significant safeguards and protocols for accessing and storing BOI, as well as penalties for unauthorized disclosure and use. For more details about the proposed rule, see FinCEN’s Fact Sheet.

Although the proposed Access Rule largely (and unsurprisingly) tracks the CTA, some of the topics that FinCEN has asked for comment on are intriguing:

1. BOI will be used for “national security” and “foreign relations” activities.

The proposed rule allows federal agencies engaged in “national security activity” to receive BOI to further that activity. “National security activity” is defined as “activity pertaining to the national defense or foreign relations of the United States, as well as activity to protect against threats to the safety and security of the United States.” What this means is not entirely clear. A wide range of activities can be construed as “pertaining to the national defense or foreign relations.” For instance, it seems likely that the State Department would have access to BOI under “foreign relations,” and that the Defense Department could use BOI to protect the “safety and security of the United States.” But what about other agencies that also play a national security or foreign relations role? Energy? Certainly the Committee on Foreign Investment in the United States could seek access to assist with foreign investment reviews. The Commerce and Treasury Departments may also find such information relevant in enforcing (respectively) U.S. export control and economic sanctions laws.

And what does this type of access mean for reporting companies and beneficial owners? Let’s say you or your company has submitted information to these agencies to obtain, for example, a license, ruling, or some approval; they could compare your submission to the BOI that you sent to FinCEN. You might face some questions. Suffice it to say that your BOI may end up in some places you did not expect it to. FinCEN is inviting comment specifically on this definition. 

2. Taxes will be a priority. Foreign tax authorities are also likely to gain access to BOI.

FinCEN has been explicit that BOI will add “critical data” to “tax investigations,” among other activities, and that the CTA made BOI available to Treasury for “tax administration purposes.” You can expect that the IRS will request your BOI and review it alongside your filed tax returns, so be aware of what you’ve submitted and what you plan to submit. Remember that the rules require certain categories of BOI to be reported, including full legal name, DBA, date of birth, and a residential or business address. In addition, BOI might be disclosed to foreign tax authorities. Foreign government access is similarly scoped to national security, intelligence, and law enforcement activities, but a foreign tax authority might make a successful request under those criteria to get a gander at your BOI.

3. Financial institutions (FIs) have some insights, but questions remain.

Now that the two rules are out, we know a few more details about FI access to BOI. First, rather than having broad access to the IT system to run queries, FIs will have to submit a request to FinCEN and receive an “electronic transcript” in return. Second, FIs (not FinCEN) will be responsible for obtaining reporting company consent to search BOI. But what should an FI do if the reporting company does not consent to a search? What if there are discrepancies between the BOI transcript and the FIs customer file? The CDD Rule revision should lay out what an FI needs to do in these circumstances, and FIs will be expected to review and amend internal policies once we know more. When can we expect the proposed CDD rule? The final CDD revision is due by January 1, 2025, and FinCEN will be busy in 2023 (see below), so it may be a while before the third rule appears. 

On the critical issue of whether FinCEN will verify the BOI it receives, FinCEN says that it is continuing to evaluate its options “within the legal constraints in the CTA.” Since BOI reports will be “submitted electronically through an online interface,” verification may not be simple. Learning who sat in front of a computer and clicked “Submit” on an online form is nearly impossible. Reporting companies may use third parties or other representatives to submit their BOIs. No one government agency, federal or state, is the authoritative source for all the BOI FinCEN will collect. The information used to form a company varies from state to state. We may have to wait until the final Access Rule, or even the CDD rule, to better understand what FinCEN is able to verify. Only then can we understand what FIs can (and can’t) do with BOI.

4. Get your reporting and compliance questions together now, but assume you will have to make some decisions without knowing all the answers.

If you’ve paid attention to the Reporting Rule, you probably have questions about your company’s obligations. You may be working with your counsel to identify sensitive issues surrounding disclosures, and you may have come up with questions for FinCEN. Prepare those now, but be ready to implement a Plan B. FinCEN has an enormous list of deliverables for 2023. The small bureau handles 13,000 regulatory inquiries a year and could receive two to three million CTA inquiries in the first year of reporting. FinCEN says that it “continues to face resource constraints” in CTA implementation and may need to make “trade-offs.” Bottom line: You may need to make decisions about compliance with incomplete information. 

The CTA is here, and we’ll do our best to help you understand what it means for you and your company. Contact the professionals at O’Melveny if you have questions. 

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Greta Lichtenbaum, an O’Melveny partner licensed to practice law in the District of Columbia, AnnaLou Tirol, an O’Melveny partner licensed to practice law in California, William K. Pao, an O'Melveny partner licensed to practice law in California, Wenting Yu, an O'Melveny partner licensed to practice law in California and New York and Scott Sugino, an O'Melveny partner licensed to practice law in California and Illinois, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2022 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.