On February 14, 2023, both the American Bankers Association (“ABA”) and the Bank Policy Institute (“BPI”) submitted comments to the Financial Crimes Enforcement Network (“FinCEN”) on FinCEN’s notice of proposed rulemaking (“NPRM”) relating to access to beneficial ownership information (“BOI”) reported to FinCEN under the Corporate Transparency Act (“CTA”). While both organizations had similar comments, mainly being that the proposed limits on FIs’ ability to use BOI retrieved from the database contradicts the CTA’s objective, the ABA recommended that FinCEN entirely withdraw the NPRM. Below, we break down each organization’s comments and strong critiques regarding the NPRM.
The CTA mandates that covered entities—which includes most domestic legal entities and most foreign organizations registered to do business in the United States—report BOI and company applicant information to a database run by FinCEN upon the entities’ creation or registration in the United States. As the NPRM indicates, five broad categories of recipients will have access to the database under certain circumstances and requirements:
- Federal, state, local, and Tribal government agencies;
- Foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities;
- Financial institutions (“FIs”) using BOI to facilitate compliance with their own Customer Due Diligence (“CDD”) Rule requirements and which have received the reporting company’s prior consent;
- Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing FIs for compliance with the CDD Rule; and
- U.S. Department of Treasury, which will have “relatively unique access” to BOI tied to an officer or employee’s official duties requiring BOI inspection or disclosure, including for tax administration.
Both organizations warn that FIs’ limited ability to search for and use BOI from the database under the proposed terms of the NPRM would be inefficient because it would result in further costs of compliance to ensure that BOI database information is separated from BOI obtained directly from customers. Both comments also recommend that FIs should be able to share BOI retrieved from the database with other FI personnel. And both comments request FinCEN to explicitly state that FIs are not affirmatively required to access the database.
The ABA’s View: “Fatally Flawed”
The ABA – along with 51 state banking associations – found the NPRM to be “fatally flawed” and stresses that it would not meet the CTA’s objective of combatting illicit finance through the database while reducing the regulatory burdens on both small businesses and regulated entities. The ABA’s overall recommendation is for FinCEN to “withdraw the current proposal” and engage with the financial services industry at large to develop an entirely new proposal.
The ABA argues that the NPRM creates a framework in which banks’ access to the database would be so limited “that it will effectively be useless.” One primary problem in the view of the ABA is that FinCEN has proposed that banks will not be permitted to run open-ended queries in the BOI database or receive multiple search results. Rather, banks would be required to submit identifying information specific to a reporting company and receive in return an electronic transcript with that entity’s BOI. Further, banks will not be able to run searches specific to individuals who may be beneficial owners of multiple entities. According to the ABA, the NPRM compounds these limitations by further precluding FIs from using BOI more broadly to fulfill other Bank Secrecy Act (“BSA”) regulatory requirements beyond just the CDD Rule, such as monitoring transactions, maintaining a Customer Identification Program (“CIP”), and identifying and reporting suspicious activity. The ABA also notes that FIs should be able to use the BOI data base to perform OFAC screening and compliance.
According to the ABA (and BPI), a key concern is that there is no assurance that the BOI present in the database will be reliable – because FinCEN has stated that it will not verify the accuracy of the BOI reported to FinCEN by entities under the CTA. Thus, as ABA explains, the NPRM would not enhance banks’ general CDD Rule compliance, but rather would impose further costs and create an inefficient allocation of resources across FIs’ AML compliance programs. As the ABA notes, the CDD Rule “simply requires banks to identify and verify the identity of the beneficial owners of their legal entity customers – it does not require banks to verify that those individuals are, in fact, beneficial owners.” The ABA is clearly concerned that FinCEN will impose such a verification obligation upon FIs: “if FinCEN is contemplating changing the amended CDD Rule to require banks to verify the status of the beneficial owners provided by their customers, i.e., whether they are, in fact, the customer’s beneficial owners, we would be strongly opposed to it.”
Additionally, the ABA explains that the prohibition on a FI sharing BOI to components of the same FI located outside of the United States contradicts the information-sharing goals of the Anti-Money Laundering Act of 2020 (“AMLA”). Many FIs outsource certain CDD Rule and CIP compliance functions to components or agents located abroad.
For next steps, the ABA recommends that FinCEN engage with key stakeholders, like banks and small businesses, to “develop a new proposal that would establish a more efficient and effective regulatory framework for both banks and reporting companies.” To that end, the ABA recommends that any new proposal:
- Allow banks to use BOI more broadly to discharge their responsibilities under the BSA;
- Allow banks to share BOI with bank personnel across their enterprises, including abroad;
- Clarify that banks are not required to access the database, particularly given the current differences between BOI collected under the CDD Rule and BOI collected under the CTA, and because FinCEN’s proposed BOI reporting form for the CTA allows reporting companies to often forgo providing key information;
- Consider modern technological solutions that would provide a secure and efficient means of accessing the database;
- Include a safe harbor from liability for FIs that use BOI obtained from the database; and
- Amend the existing CDD Rule to provide that banks are not required to collect and maintain BOI for all legal entity customers, or that banks can do so on a risk basis.
Although BPI does not argue, like the ABA, that the entire NPRM should be scrapped and re-written, it shares many of the ABA’s concerns.
First, BPI believes that the final rule should expressly state that FIs have no affirmative requirement to access BOI in the database. BPI estimates that, considering the burden of the proposed rule, FinCEN expressly assumes that FIs will seek to access BOI in every instance where a “legal entity customer” qualifying as a “reporting company” opens a new account. In BPI’s view, providing in the final rule’s text that FIs have no affirmative duty to access the database would clarify any confusion. “Further, FinCEN should instead expressly permit, and encourage, institutions to determine on the basis of risk when to access the registry and how to use the information obtained.”
FIs’ Limited Ability to Use Database Information
Next, and like the ABA, BPI suggests to FinCEN that the NPRM’s scope of permitted use and sharing of BOI from the database is too limited for FIs. According to BPI, the NPRM would “substantially limit inter-affiliate sharing of registry information and would prevent institutions from sharing this information with personnel, branches or affiliates abroad, thereby requiring the information be separated from, and not used in, numerous enterprise-wide illicit finance risk management processes.”
For example, the CTA requires that registry information be used for CDD activities, without limiting the specific CDD activities for which the information could be used. Under the NPRM, however, FIs could only use registry information to “identify and verify beneficial owners of legal entity customers.” BPI notes that FIs’ CDD programs extend well beyond identifying and verifying beneficial owners of legal entity customers. These programs include activities like “performing customer risk rating; monitoring transactions; conducting sanctions screening; [and] identifying politically exposed persons and undertaking PEP screening.” According to BPI, under the NPRM’s narrow interpretation of the CDD activities that may be performed with registry information, it is unclear how access to the database would “enable financial institutions to meaningfully improve their illicit finance risk management activities.”
BPI further argues that these limitations contradict the CTA in general. The CTA permits FIs to access BOI in the registry “to facilitate . . . compliance . . . with [CDD] requirements under applicable law.” BPI notes that the CTA does not define “applicable law” and that the CTA’s legislative history supports Congress’s intention that BOI be available to FIs for purposes of facilitating compliance with all contours of CDD programs, not just identifying and verifying beneficial owners of legal entity customers. Thus, BPI proposed that FinCEN should interpret the CDD activities that FIs may undertake registry information “as broadly as possible.”
Significant Burdens: Dual Reporting
In addition, BPI believes that implementation of the NPRM’s restrictions on use of registry information would impose “significant burdens on financial institutions and reporting companies.” As BPI explains, complying with these proposed limitations on use and sharing of BOI from the database, which do not apply to BOI obtained from a customer, would result in FIs spending “vastly more to develop and implement new systems.” Specifically, one BPI member estimates costs between $1 million and $3 million to develop new systems and to prevent current systems from absorbing BOI retrieved from the database.
If FinCEN declines to broaden the extent to which FIs may use and share BOI, BPI suggests that FinCEN should expressly permit FIs “to use and share registry BOI more broadly with the consent of the applicable customer.” In BPI’s view, the persons who have the most interest in the security and confidentiality of registry information are reporting companies and the individuals whose personal information is actually reported. Thus, reporting companies and the relevant individuals (who can dictate how their information is used) should be permitted to decide how the BOI is used after it is reported to FinCEN.
Ability to Rely on Database Information that is Already Reliable
Separately, BPI argues that FIs should be expressly permitted to rely on BOI that they obtain from the database, just as the CDD Rule allows FIs to rely on the BOI certifications from their customers in the absence of known facts that call into question a certification’s reliability. According to BPI, permitting this reliance would reduce the need for institutions to require their legal entity customers to provide them with information directly, which would promote the CTA’s objective to reduce burdens on reporting companies. Moreover, like the ABA, BPI recommends that FIs should not be required to verify BOI they obtain from the registry, and that FinCEN should already ensure, in the first instance, that the registry is “accurate, complete, and highly useful.”
Lastly, BPI recommends general enhancements around accessing the registry, like simplifying and clarifying requirements around accessing registry information, handling judicial process, obtaining customer consent, and enabling automated FI institution access to the registry.