FinCEN Finalizes its Rule on Access to Beneficial Ownership Information

On December 21, 2023, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) released its much-anticipated final rulemaking on access to the beneficial ownership information (BOI) reported to FinCEN (the Access Rule) as part of its continued implementation of the Corporate Transparency Act (the CTA).[1]

The Access Rule provides the categories of persons with whom FinCEN may share BOI, the circumstances under which those recipients may access BOI, how such recipients may use and disclose BOI, and the required security and confidentiality standards for recipients. 

The Access Rule takes effect on February 20, 2024, and is the second of three rulemakings implementing the CTA. It follows the Beneficial Ownership Information Reporting Requirements Rule (the Reporting Rule), which took effect on January 1, 2024. The Reporting Rule requires in-scope entities to provide to FinCEN, among other things, certain identifying information about the entity and its beneficial owners.[2]

A key aspect of the Access Rule is the finalization of the categories of government agencies, regulators, and financial institutions that may access the BOI reported to FinCEN in accordance with the Reporting Rule. Specifically, the Access Rule authorizes FinCEN to share BOI with those who fall into any of the following categories (subject to certain criteria): 

  • U.S. Federal agencies engaged in national security, intelligence, or law enforcement activity.
  • U.S. State, local, and Tribal law enforcement agencies. 
  • Foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities.
  • Federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence requirements under applicable law.
  • U.S. Treasury Department officers and employees.

One final category of authorized recipients, which is the focus of this update, is financial institutions subject to customer due diligence (CDD) requirements.

Access to BOI by Financial Institutions

The Access Rule authorizes FinCEN to disclose BOI to a financial institution, but only if (i) the financial institution will use the BOI to facilitate compliance with its CDD requirements under applicable law and (ii) the financial institution has obtained the relevant reporting company’s consent for such disclosure.

In response to feedback to the notice of proposed rulemaking (the Proposed Rule), FinCEN included in the final Access Rule an expanded definition of “customer due diligence requirements under applicable law,” which, under the final rule, encompasses “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.” 

In its Proposed Rule, FinCEN narrowly interpreted the CTA’s reference to “[CDD] requirements under applicable law” to include only FinCEN’s 2016 rule related to Customer Due Diligence Requirements for Financial Institutions (the 2016 CDD Rule). If this had been finalized, the Access Rule would have permitted only financial institutions covered by the 2016 CDD Rule – i.e., banks, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities – to access BOI from FinCEN. In addition, it would have seemingly allowed these covered financial institutions to request and use BOI only for compliance with their CDD requirements.

However, by expanding the scope of “customer due diligence requirements under applicable law” in the final Access Rule, FinCEN effectively expanded the types of financial institutions that may potentially access BOI to include any financial institution that is required to maintain an AML program, such as money services businesses (MSBs). In addition, the requirements in connection with which a financial institution may request BOI now include adherence to its broader anti-money laundering and counter-terrorist financing (AML/CTF) obligations under the Bank Secrecy Act, the scope of which extends to AML/CTF program implementation, customer identification, filing Suspicious Activity Reports, and enhanced due diligence requirements, as well as compliance with U.S. economic sanctions programs and requirements. These are likely welcomed changes for the many commenters who objected to the narrower interpretation of customer due diligence requirements.  

Still, there are some limits on a financial institution’s use of BOI. In particular, for a financial institution to receive BOI, it must be reasonably necessary for the institution to obtain or verify BOI of legal entity customers to satisfy the applicable requirements, and a financial institution that receives information disclosed by FinCEN under the Access Rule is generally authorized to use it only for the particular purpose or activity for which it was disclosed. Thus, general business or commercial use of BOI is not authorized. As an example, FinCEN noted that assessing whether to extend credit to a legal entity, or establishing the price of that credit, is not a permitted use of BOI.

Finally, in connection with its release of the Access Rule, FinCEN also issued two interagency statements – one for banks and the other for non-bank financial institutions – to give guidance on the relationship between the Access Rule and FinCEN’s current CDD requirements.[3] Of note, FinCEN stated that the Access Rule does not obligate financial institutions to access BOI and that there is no supervisory expectation that they do so. That said, if a financial institution decides to access and use BOI from FinCEN, compliance with the CTA and the Access Rule is required.

What Comes Next

Although the Access Rule will take effect on February 20, 2024, financial institutions will not be able to access BOI from FinCEN immediately. Instead, FinCEN plans to roll out access to BOI gradually, starting with key Federal government agency users, Treasury Department offices, and certain Federal law enforcement and national security-related agencies, before extending access to other Federal and state, local, and Tribal Law agencies and partners. Financial institutions will be the last group of authorized recipients to receive access to BOI. 

Then, even when FinCEN opens access for financial institutions, FinCEN will initially limit access to certain types of institutions. FinCEN has the authority to decide who can access BOI and when, and stated that it will use this authority to initially give access to BOI only to covered financial institutions under the 2016 CDD Rule. This means that other financial institutions, such as MSBs, may have to wait even longer to access BOI. 

While waiting for access, financial institutions can prepare themselves by ensuring they have adequate safeguards to protect BOI. Specifically, before receiving any BOI, a financial institution must first ensure that it has developed and implemented administrative, technical, and physical safeguards reasonably designed to protect the BOI. According to FinCEN, meeting the standards of section 501 of the Gramm-Leach-Bliley Act[4] and its implementing regulations will satisfy the Access Rule’s safeguarding requirements.

Finally, financial institutions should also keep an eye on FinCEN’s guidance and statements related to the CTA and Access Rule, as there are still some unresolved issues, especially related to compliance with the CTA and the Access Rule and how they affect a financial institution’s AML/CFT and CDD obligations. For example, FinCEN has not explained how financial institutions should deal with any differences between the CDD information they receive from their corporate customers directly and the BOI they may obtain from FinCEN. Perhaps FinCEN will address these issues in its third rulemaking under the CTA, which will revise its CDD rule. Financial institutions (and other stakeholders) should therefore stay informed and continue to monitor FinCEN’s implementation of the CTA.  

[1] See Beneficial Ownership Information Access and Safeguards, 88 Fed. Reg. 88,732 (Dec. 22, 2023), https://www.federalregister.gov/documents/2023/12/22/2023-27973/beneficial-ownership-information-access-and-safeguards.

[2] See Beneficial Ownership Information Reporting Requirements, 87 Fed. Reg. 59,498 (Sept. 30, 2022), https://www.federalregister.gov/documents/2022/09/30/2022-21020/beneficial-ownership-information-reporting-requirements.

[3] FinCEN, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Bank and Credit Union Regulators, Interagency Statement for Banks on the Issuance of the Beneficial Ownership Information Access Rule (December 21, 2023), https://www.fincen.gov/sites/default/files/shared/Interagency_Statement_for_Banks_On_the_Issuance_of_the_Access_Rule_12.15.2023.v2.pdf; FinCEN, Statement for Non-Bank Financial Institutions on the Issuance of the Beneficial Ownership Information Access Rule (December 21, 2023), https://www.fincen.gov/sites/default/files/shared/Statement_for_Non_Bank_Financial_Institutions_Issuance_of_the_Access_Rule_12.15.2023.v3.pdf.

[4] 15 U.S.C. 6801(b).