On December 21, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Financial Crimes Enforcement Network (FinCen), the National Credit Union Administration, along with state bank and credit union regulators (collectively, the agencies) announced issuance of the final Access Rule regarding access by authorized recipients to beneficial ownership information (BOI) that will be reported to FinCen, pursuant to the Corporate Transparency Act (CTA). In their announcement, the agencies emphasized that the Access Rule does not create new regulatory requirements or supervisory expectations for banks and that banks’ responsibilities under the Customer Due Diligence (CDD) Rule and Bank Secrecy Act (BSA) remain unchanged. However, the agencies did note that if banks access and use BOI, they must comply with the requirements of the CTA and the Access Rule.

As background, the United States does not currently have a centralized store of information about who owns and operates legal entities. As set out in the Notice of Proposed Rulemaking, U.S. law enforcement officials have noted for years how the lack of access to that information remained a significant gap in the United States’ anti-money laundering (AML)/countering the financing of terrorism (CFT) framework. The Access Rule is the second of three rulemakings planned to implement the CTA. The first such rulemaking, the BOI Reporting Rule, required certain corporations, limited liability companies, and others created or registered to do business in the United States to report information about their beneficial owners to FinCEN. Those reporting requirements take effect on January 1, 2024, and that same day FinCEN will launch its BOI technology system to securely collect, process, and store that information.

The Access Rule attempts to balance the need to create a useful database for authorized BOI recipients while protecting this sensitive information from unauthorized disclosure. Therefore, the Access Rule requires that: (1) only authorized recipients have access to BOI; (2) authorized recipients use that BOI only for purposes permitted by the CTA; and (3) authorized recipients re-disclose BOI only in ways that balance the confidentiality of the BOI with furtherance of the CTA’s objective. The Access Rule also provides a framework to ensure that BOI reported to FinCEN, and received by authorized recipients, is subject to strict cybersecurity controls, confidentiality protections, and robust oversight measures.

With these requirements, FinCEN will permit certain federal, state, local, and tribal officials to obtain BOI for use in furtherance of statutorily authorized activities such as those related to national security, intelligence, and law enforcement. Financial institutions with customer due diligence requirements will have access to BOI to facilitate compliance with those requirements, as will the federal regulators that supervise those institutions. The Access Rule will take effect on February 20, 2024, and FinCEN will begin providing access to BOI in phases to authorized government agencies and financial institutions that meet the requirements.

In the near future, FinCEN will undertake a rulemaking to revise FinCEN’s 2016 CDD Rule as required by the CTA, which stipulates that FinCEN revise the 2016 CDD Rule within one year of the BOI reporting requirements taking effect. In particular, FinCEN is statutorily required to revise the 2016 CDD Rule to: (1) bring it into conformity with the AML Act as a whole, including the CTA; (2) account for financial institutions’ access to BOI reported to FinCEN “in order to confirm the beneficial ownership information provided directly to the financial institutions” for AML/CFT and customer due diligence purposes; and (3) reduce unnecessary or duplicative burdens on financial institutions and legal entity customers. The question of whether financial institutions are required to access BOI as part of their CDD Rule obligations is expected to be addressed in FinCEN’s forthcoming revisions to the 2016 CDD Rule.