Who would have access to BOI?

FinCEN’s proposal limits access to BOI to federal agencies engaged in national security, intelligence, or law enforcement activities; state, local, and tribal law enforcement agencies with court authorization; financial institutions with CDD requirements and regulators supervising them; foreign law enforcement agencies, prosecutors, judges, and certain others. (Treasury officials will have a unique degree of access to BOI.)

Under the proposed regulation, financial institutions will have direct access to FinCEN’s database. However, their access will be limited – FinCEN may only disclose BOI to financial institutions that request such information for purposes of complying with their CDD obligations (i.e., certain banks, broker dealers, futures commissions merchants and mutual funds, but not money services businesses). They will be required to submit a specific reporting company’s identifying information and, in turn, will receive an electronic transcript with that entity’s BOI. It’s noteworthy that FinCEN’s restrictions on who can access the sensitive and confidential BOI stand in contrast to the approaches of various countries outside the U.S., including the United Kingdom, where public access is permitted.

How will BOI need to be protected?

The Access Rule also specifies how recipients of the BOI will need to protect against unauthorized disclosure, including storing the information in a secure system to which only authorized personnel have access and only for authorized purposes. Audit requirements will apply as will requirements to certify compliance with the statute and proposed regulations. FinCEN also will require authorized recipients to maintain key information about specific BOI searches or requests. The Access NPRM also provides that unauthorized disclosure of BOI is unlawful. To protect against abuse, federal agency users will be required to submit “brief justifications” for their searches and explain how those searches further a “qualifying activity.”

FinCEN still has much to do to complete the UBO regime, including finalizing the proposed Access Rule, revising its CDD rules, developing the BOSS database and the BOI Report, and crafting substantive rules to verify BOI. Nevertheless, financial institutions should begin now to consider policies and procedures that will address their anticipated new UBO requirements, including when and how they will request written customer consent for access to BOI.

1This “Access Rule” follows the final rule that FinCEN issued last September requiring most legal entities created in or registered to do business in the U.S. to report information about their beneficial owners to FinCEN.