Skip to Content

FinCEN’s Latest UBO Rule

22 Feb 2023

Financial institutions will have limited access to FinCEN’s beneficial ownership information.

Gathering and verifying information on ultimate beneficial owners (UBOs) is an increasingly vital part of a financial institution’s KYC requirements. As FinCEN’s ultimate beneficial ownership regime continues to unfold regulatorily, it is also developing the IT system that will be used to store beneficial ownership information: the Beneficial Ownership Secure System (BOSS).

Last December, FinCEN issued a notice of proposed rulemaking (NPRM) asking for comment on a new rule, known as the “Access Rule,” which will govern the circumstances under which information stored in BOSS may be disclosed, and how it must be protected.1 The regulation specifies how government officials will use beneficial ownership information (BOI) in order to support law enforcement, national security, and intelligence activities. It also describes how certain financial institutions would access such information in order to fulfill customer due diligence requirements, which include identifying and verifying the beneficial owners of legal entity customers.

Who would have access to BOI?

FinCEN’s proposal limits access to BOI to federal agencies engaged in national security, intelligence, or law enforcement activities; state, local, and tribal law enforcement agencies with court authorization; financial institutions with CDD requirements and regulators supervising them; foreign law enforcement agencies, prosecutors, judges, and certain others. (Treasury officials will have a unique degree of access to BOI.)

Under the proposed regulation, financial institutions will have direct access to FinCEN’s database. However, their access will be limited – FinCEN may only disclose BOI to financial institutions that request such information for purposes of complying with their CDD obligations (i.e., certain banks, broker dealers, futures commissions merchants and mutual funds, but not money services businesses). They will be required to submit a specific reporting company’s identifying information and, in turn, will receive an electronic transcript with that entity’s BOI. It’s noteworthy that FinCEN’s restrictions on who can access the sensitive and confidential BOI stand in contrast to the approaches of various countries outside the U.S., including the United Kingdom, where public access is permitted.

How will BOI need to be protected?

The Access Rule also specifies how recipients of the BOI will need to protect against unauthorized disclosure, including storing the information in a secure system to which only authorized personnel have access and only for authorized purposes. Audit requirements will apply as will requirements to certify compliance with the statute and proposed regulations. FinCEN also will require authorized recipients to maintain key information about specific BOI searches or requests. The Access NPRM also provides that unauthorized disclosure of BOI is unlawful. To protect against abuse, federal agency users will be required to submit “brief justifications” for their searches and explain how those searches further a “qualifying activity.”

FinCEN still has much to do to complete the UBO regime, including finalizing the proposed Access Rule, revising its CDD rules, developing the BOSS database and the BOI Report, and crafting substantive rules to verify BOI. Nevertheless, financial institutions should begin now to consider policies and procedures that will address their anticipated new UBO requirements, including when and how they will request written customer consent for access to BOI.

1This “Access Rule” follows the final rule that FinCEN issued last September requiring most legal entities created in or registered to do business in the U.S. to report information about their beneficial owners to FinCEN.