Proposed Reporting Rules Will Require Careful Parsing for Businesses and Revision of CDD Rule for Banks
As we initially blogged, the Financial Crimes Enforcement Network (“FinCEN”) issued on December 7 a Notice of Proposed Rulemaking (“NPRM”) regarding the beneficial ownership (“BO”) reporting requirements of the Corporate Transparency Act (“CTA”). FinCEN’s press release is here; the NPRM is here; and a summary “fact sheet” regarding the NPRM is here.
The CTA requires defined entities – including most domestic corporations and foreign entities registered to do business in the U.S. – to report beneficial owner information (“BOI”) and company applicant information to a database created and run by FinCEN upon the entities’ creation or registration within the U.S. This database will be accessible by U.S. and foreign law enforcement and regulators, and to U.S. financial institutions seeking to comply with their own Anti-Money Laundering (“AML”) and Customer Due Diligence (“CDD”) compliance obligations.
Congress passed the CTA because the ability to operate through legal entities without requiring the identification of BOI is a key AML risk for the U.S. financial system. The CTA seeks to mitigate this risk by reducing an individual’s ability to use corporate structures to conceal illicit activity such as money laundering, financing of terrorism, and other offenses. We often have blogged on the CTA and these impending regulations (see here, here, here, here and here).
The NPRM describes who must file a BOI report, what information must be reported, and when a report is due. Although this blog post is lengthy, it still only summarizes the NPRM, which is 55 pages long in the Federal Register. The NPRM envisions broad and often complicated reporting requirements under the CTA, including an ongoing duty to update any changes in information.
Further, this NPRM addresses “only” BOI reporting. FinCEN will engage in two additional rulemakings under the CTA to (1) establish rules for who may access BOI, for what purposes, and what safeguards will be required to protect such information; and (2) revise and conform FinCEN’s existing CDD rule for financial institutions. As we will discuss, the NPRM undermines hopes that the CTA regulations would simplify the compliance obligations of financial institutions already covered by the CDD rule, which requires covered financial institutions to obtain BOI from certain entity customers. To the contrary, the NPRM indicates that FinCEN will complicate and expand the definitions of the two groups of individuals qualifying as BOs – those exercising “substantial control” and those with a 25% “ownership interest” – and amend the existing CDD rule accordingly, so that the CTA regulations and the CDD rule supposedly align.
The potential application of these regulations is sweeping. FinCEN estimates at least 25 million existing U.S. companies will have to make a report under the CTA when the proposed regulations become effective. And approximately three million new entities created each year in the U.S. potentially will be subject to the regulations going forward. The NPRM does not address the additional amount of foreign entities registered to do business in the U.S. covered by the CTA.
Covered Businesses and Exempt Entities
In promulgating the NPRM, FinCEN adopted the extremely broad definition of “reporting company” in the statute. See 31 U.S.C. § 5336(a)(11). The proposed regulations describe two distinct types of “reporting companies.” The first type is a domestic reporting company and includes corporations, limited liability companies, and any other entities created by filing a document with the appropriate state or Tribal office. The second type is a foreign reporting company and includes corporations, limited liability companies, and other entities formed in a foreign country that have registered to do business in any state or Tribal jurisdiction by filing a document with the appropriate office.
The CTA exempts 23 types of entities from the reporting obligation and delegated to FinCEN authority to propose additional entity exemption. See 31 U.S.C. § 5336(a)(11)(B)(i)-(xxiii). The NPRM does not include any new types of exempt entities and largely adopts the statute word-for-word. The NPRM also attempts to clarify ambiguous language in the definition of four exempted entity types, including the important “large operating companies” exemption for entities with a physical U.S. office; more than 20 “full-time” employees; and which reported more than $5 million in gross receipts or sales on its last U.S. federal tax return.
What Information Must be Provided
The CTA requires each reporting company to submit to FinCEN a report identifying each qualifying BO of the reporting company and each company applicant by: (1) “full legal name,” (2) “date of birth,” (3) “current, as of the date on which the report is delivered, residential or business street address,” and (4) “unique identifying number from an acceptable identification document;” or, if this information has already been provided to FinCEN, by a FinCEN identifier.
Subject to exceptions, the CTA defines the term “beneficial owner” to mean “an individual who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise (i) exercises substantial control over the entity; or (ii) owns or controls not less than 25 percent of the ownership interests of the entity.” The NPRM includes the same five exceptions to the definition of BO as the statute, which relate to (1) minor children; (2) nominees or other intermediaries; (3) employees; (4) inheritors; and (5) creditors.
Although the proposed regulations claim to clarify the broad statutory definition of “beneficial owner,” even a cursory reading of the agency’s guidance makes clear that definitional ambiguities remain and that reporting companies will face many challenges. As we will discuss, the NPRM suggests definitions of “substantial control” or “ownership interest” that do not track the definitions of the same terms in the current CDD rule for financial institutions and their entity customers. The NPRM definitions are both broader and less clear.
Beneficial Owner: the “Substantial Control” Prong
The NPRM requires a reporting company to identify any and all individuals who satisfy the “substantial control” prong. The NPRM therefore differs importantly from the CDD rule, which requires that an entity customer report only one BO under the substantial control prong.
Further, the NPRM envisions a potentially broad definition of control, and sets forth three specific indicators of substantial control: (1) service as a senior officer of a reporting company; (2) authority over the appointment or removal of any senior officer or dominant majority of the board of directors (or similar body) of a reporting company; and (3) direction, determination, or decision of, or substantial influence over, important matters of a reporting company. FinCEN explains:
Each of these [three] indicators supports the basic goal of requiring a reporting company to identify the individuals who stand behind the reporting company and direct its actions. The first indicator identifies the individuals with nominal or de jure authority, the second and third indicators identify the individuals with functional or de facto authority, and the catch-all provision recognizes that control exercised in novel and unorthodox ways can still be substantial. This last approach is consistent with the common law tradition and the standards that FinCEN examined, as well as the broader objective of preventing individuals from evading identification as beneficial owners by hiding behind formalisms such as job descriptions, job titles, and nominal lack of authority.
The NPRM provides specific examples of indicators of substantial control, and notes that an individual can exercise substantial control both directly and indirectly. FinCEN concedes that “the CTA may require certain entities to disclose BOI on more and different individuals than they are accustomed to under the control prong of the current CDD Rule[,]” and that “its proposed definition of substantial control diverges from the approach that a number of commenters to the NPRM stated they would prefer, i.e., the approach laid out in the current CDD Rule.”
Beneficial Ownership: the “Ownership Prong”
Under the CTA, a BO is “an individual who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise . . . owns or controls not less than 25 percent of the ownership interests of the entity.” The NPRM defines “ownership interest” in such a way to catch even the most creative ownership arrangement between an entity and an individual – but also in a way that likely will create uncertainty and confusion for certain reporting companies attempting to quantify interests in order to identify the appropriate persons as reportable BOs.
Unlike the CDD rule for financial institutions, the NPRM does not limit a 25% ownership interest to only equity ownership, but instead seeks to account for other, less straightforward legal interests to capture other types of BOs. According to FinCEN, “the CDD Rule does not provide transparency with respect to complex ownership structures, extensive use of trusts, voting arrangements among owners, golden shares entitling their owners to voting rights disproportionate to their equity stake, and other mechanisms that can obscure the connection between an individual owner and a reporting company. . . . Instead, the CDD Rule standard could permit obfuscatory behavior.” Although “FinCEN considered the burden this proposed approach would have on reporting companies[,]” the agency “believes that most reporting companies will not have complex ownership structures, and that the few that do previously chose their structures recognizing that costs associated with legal and tax advice and other filing and compliance obligations might be higher as a result. Moreover, in FinCEN’s experience administering the BSA and other AML efforts, small-but-complex entities often are the highest risk for money laundering, terrorist financing, and other illicit financial activity.”
The NPRM therefore groups ownership interests into five types. The first three types are relatively straightforward, e.g., equity and stock interests; a capital or profits interest in a limited or general partnership; and any proprietorship interest.
However, the last two types of ownership interests will create particular challenges. Specifically, the NPRM defines the term “ownership interest” to include any instrument that may be converted, with or without consideration, into any of the three ownership types noted above, as well as any future on any such instrument, or any right to purchase, sell, or subscribe to one of the three ownership types noted above. It is of no consequence for CTA reporting purposes if the arrangement, instrument, etc. is characterized as debt. Finally, an ownership interest includes “[a]ny put, call, straddle, or other option or privilege of buying or selling” any of the items described in any of the other four interest types – even if there is no obligation. FinCEN explains that the proposed debt-conversion-instrument rule is similar to the U.S. SEC’s definition of ‘‘equity security.’’ FinCEN feels that this proposed approach “thwarts” the use of complex ownership structures other than direct equity ownership to obscure a reporting company’s real owners. FinCEN acknowledges that a reporting company would need to “consider all facts and circumstances when making determinations about who owns or controls ownership interests.” Such a vague and broad test will result in difficult judgment calls for certain reporting companies.
Direct or Indirect “Ownership or Control”
Determining whether an ownership interest is owned “indirectly” under the proposed regulations likely will pose a similar challenge. FinCEN appears to be focused on the use of trusts, and the proposed regulations provide “that an individual may directly or indirectly own or control an ownership interest in a reporting company through a trust or similar arrangement.”
Although proposed 31 C.F.R. § 1010.380(d)(3)(ii) provides a greater degree of detail for certain trust ownership arrangements, the proposed regulations still do not explain or clarify the term “indirectly,” which applies across all types of ownership arrangements. Moreover, subsection (ii) is written to state the general rule – that an interest may be owned “directly or indirectly through a variety of means.” (emphasis added). While not an exhaustive list, the proposed regulations include three more “specific” scenarios. But because there can be no more than four reported BOs under the “ownership” prong, complex ownership structures may require some very fine judgment calls regarding exactly who crosses the 25% threshold and represents a “true” reportable BO.
The proposed regulations essentially follow the text of the CTA to provide different definitions for a “company applicant” of a reporting company. However, and importantly, FinCEN explicitly adds that a company applicant includes, in addition to the person filing the entity formation or registration document, “any individual who directs or controls the filing of such document by another person.” Prop. 31 C.F.R. §§ 1010.380(e)(1) and (2).
For FinCEN, “[t]his additional requirement is designed to ensure that the reporting company provides information on individuals that are responsible for the decision to form a reporting company.” (emphasis added). The goal is to prevent the individual who directs or controls the formation of a legal entity from remaining anonymous simply by directing another individual to file the requisite paperwork. The consistent reference to the requirement to identify and provide information on the individual responsible for the formation of the legal entity as an “additional” requirement strongly suggests that reporting companies who employ third parties (such as professional services corporations) should consider listing at least two company applicants.
Identifying Information: Address
The CTA requires that the reporting company provide the BO’s and company applicant’s “residential or business street address.” After weighing alternatives, FinCEN reasons that the BO’s residential address for tax residency purposes is most useful and, therefore, appropriate. For company applicants that provide a business service as a corporate or formation agent, the reporting company would need to report the business address of any company applicant that files a document in the course of such individual’s business. FinCEN explains that requiring the business address of a company applicant to be reported will allow law enforcement to identify patterns of multiple entities created or registered by company applicants working at the same business address.
Identifying Information: Unique Identifying Number or FinCEN Identifier
Under the CTA, the report must include a “unique identifying number from an acceptable identification document;” 31 U.S.C. § 5336(b)(2)(A)(iv)(I). In the penalty section, the CTA provides that it is unlawful to provide “a false or fraudulent identifying photograph or document.” 31 U.S.C. § 5336(h)(1)(A). Based on the inclusion of “photograph or document” in the penalty section, FinCEN reasoned that this indicates “an assumption that identifying photographs or document would be reported.” The proposed regulations assert that FinCEN therefore has authority to collect a scanned copy of an identifying document, along with the document’s number. FinCEN describes many benefits to law enforcement of such photocopy information and generally dismisses concerns of increased burdens on reporting companies.
As an alternative, a BO, company applicant, or reporting company may use a FinCEN identifier. Importantly, an individual or entity applying to obtain a FinCEN identifier must provide FinCEN with the same information a reporting company would have to include for a BO, company applicant, or the reporting company itself. The NPRM explicitly requires that an individual or entity update or correct their FinCEN identifier application within the same time and manner as updated or corrected reports, which we discuss below.
Given the need to update required information, reporting companies may want to require covered individuals to obtain a FinCEN identifier to remove some of the burden to keep all information up to date and file timely updated reports with FinCEN. BOs and company applicants are in the best position to know when their addresses change or their identifying document expires. Clearly, complications may arise when a BO or company applicant are not diligent in submitting updated information to FinCEN because of inattentiveness or lack of knowledge of the requirement.
When Must a Reporting Company File a Report
A reporting company under the CTA must timely submit an initial report. Further, corrected and updated reports may need to be submitted after an initial report. As we discuss, the process laid out by the NPRM could be complicated, particularly for updated reports.
When a reporting company has to submit its initial report to FinCEN depends on whether (1) it was in existence prior to the effective date of the regulations or (2) formed or registered after the effective date. For reporting companies formed or registered after the effective date, the proposed regulations provide that the initial report must be submitted within 14 calendar days of the date the entity was formed or first registered. FinCEN proposes that reporting companies in existence prior to the effective date submit a report not later than one year after the effective date of the regulations. It appears that reporting companies in existence prior to the effective date may need the longer time-period to engage in due diligence and information gathering. This may be a challenge when, e.g., the entity has been in existence for a long period of time and whether anyone controlled or directed the filing of the entity formation documents must be determined.
In addition, the proposed regulations make clear that if an exempt entity becomes subject to the CTA reporting requirement, it is required to file a report with FinCEN within 30 calendar days after the date on which the entity no longer meets the exemption criteria. Conversely, an entity that becomes eligible for an exemption has 30 days to file an updated report. Entities reaching an initial conclusion that they are or are not exempt must, apparently, continuously monitor their exemption qualification – a potentially time-consuming process.
The proposed regulations broadly require a reporting company to file an updated report within 30 calendar days “after the date on which there is any change with respect to any information previously submitted to FinCEN.” This includes any change with respect to who is a BO and “any change with respect to information reported for any particular beneficial owner or applicant.” (emphasis added). This 30-day period appears to begin on the date on which the change occurs, regardless of the reporting company’s actual or constructive knowledge thereof.
A reporting company that “becomes aware or has reason to know that any required information contained in any report . . . was inaccurate when filed and remains inaccurate” must file a corrected report within 14 calendar days of the date on which it becomes aware or has reason to know of the inaccuracy. Prop. 31 C.F.R. § 1010.380(a)(3). FinCEN believes quickly correcting errors is essential for fulfilling Congress’s instruction that BOI reported to the agency be ‘‘accurate, complete, and highly useful.’’ Again, FinCEN anticipates that the 14-day update deadline is a low burden for a reporting company and also incentivizes reporting companies to ensure that information is correct at the time of submission of an initial or updated report.
Penalties for Reporting Violations and Safe Harbor
The CTA provides for civil and criminal penalties for “reporting violations” and an “unauthorized disclosure or use.” Generally, a “reporting violation” is committed if “any person” willfully (1) provides false or fraudulent BOI or (2) fails to report complete or updated BOI. See 31 U.S.C. § 5336(h)(1)(A). Unless authorized, any person who knowingly discloses or knowingly uses BOI obtained through either a report submitted to FinCEN or a disclosure made by FinCEN commits an “unauthorized disclosure or use” violation. 31 U.S.C. § 5336(h)(2). The CTA’s “safe harbor” provision provides that no civil or criminal penalty for a reporting violation applies if the person who filed an incorrect report “voluntarily and promptly” – and in no case later than 90 days after the date the person submitted the report – submits a corrected report. The proposed regulations explain that no civil or criminal penalty applies for an inaccurate report if a corrected report is filed both (1) within 14 days from discovery of the inaccuracy, and (2) the submission date of the corrected report is not more than 90 days from the date the incorrect report was submitted. Moreover, the safe harbor does not apply if, at the time the person submitted the inaccurate report, the person was acting for the purpose of evading the reporting requirements and had actual knowledge that the information in the report was inaccurate. 31 U.S.C. § 5336(h)(3)(C)(i)(II).
Effective Date and Logistical Issues
The NPRM does not propose an effective date but rather seeks comments on the timing of the effective date and any potential factors to be considered. FinCEN seemingly acknowledges that it must balance its desire of identifying the earliest possible effective date (to better advance the goal of the CTA) with the significant challenges to proper and safe implementation, including designing a new IT system. Specifically, the NPRM acknowledges that, prior to the effective date of the regulations, FinCEN first must design and build a new IT system (the Beneficial Ownership Secure System, or “BOSS”) to collect and provide access to BOI. Finally, the NPRM references the major issue of BOI verification, and how it will be accomplished, by simply noting that “FinCEN continues to evaluate options for verification of information submitted in BOI reports.”