Breaking Down the New BOI Access Rule
Hello, Compliance friends! As we promised in our first blog post, this Compliance Blog will provide updates on important developments relating to credit union compliance. I’m a confessed Bank Secrecy Act (BSA) nerd, so naturally I’ve decided to focus my first post on a major recent development relating to BSA compliance: the recent final rule from the Financial Crimes Enforcement Network (FinCEN) relating to credit unions’ ability to access information reported under the Corporate Transparency Act. Let’s dive right in!
Background
If you haven’t been following this issue that closely, allow me to refresh your memory. On January 1, 2021, Congress passed the Corporate Transparency Act of 2020 (CTA), which was part of a much larger defense spending bill. The bill noted that criminals will often use legal entities as “shell companies” to further their criminal schemes, and that the opaque nature of corporate ownership often made it difficult for law enforcement to unmask who was truly pulling the strings. To combat the use of shell companies, the CTA imposed a new requirement that legal entities would have to report their Beneficial Ownership Information (BOI) directly to FinCEN. The agency would create a database of ownership information, which could be accessed by certain parties, such as law enforcement or financial institutions, when needed.
FinCEN has been working over the past few years to implement the CTA and has been doing so in stages. The first stage was the “BOI reporting” rule. The final rule for this phase was published in September 2022 and took effect earlier this month on January 1, 2024. This rule imposed the requirement for “reporting companies” – defined as corporations, LLCs and other entities created by filing documents with a secretary of state or similar office – to report their BOI to FinCEN. Companies that are formed in 2024 will have 90 days to report their BOI to FinCEN. Companies formed in 2025 and beyond will only have 30 days to report their BOI. Reporting companies that were in existence before January 1, 2024 will have until January 1, 2025 to report their BOI. The FinCEN website provides resources for reporting companies to use when deciphering the reporting requirements. Notably, credit unions are not reporting companies under the rule. However, their legal entity members may be required to comply with the BOI reporting rule, as will many Credit Union Service Organizations (CUSOs) and third-party partners.
The new BOI access rule
On December 22, 2023, FinCEN published the final “BOI access” rule, which is the second stage of CTA implementation. The rule will take effect on February 20, 2024, and governs who can access the BOI once it’s been reported to FinCEN, as well as the process for doing so.
The final rule focuses significant discussion on how certain government agencies can access BOI, such as certain federal agencies and state or local law enforcement. However, for our purposes the important provisions are the ones discussing the ability of financial institutions – which includes credit unions – to obtain BOI. For the rest of this blog I’ll use the term “credit unions” rather than discussing “financial institutions” more broadly. Here are some important things to note:
Consent Required. The rule requires a credit union to obtain the consent of the reporting company before FinCEN will allow the credit union to access that company’s BOI. According to the preamble, the consent is not merely a one-time consent, but rather it can be used to obtain BOI on subsequent occasions, such as when opening additional accounts.
The preamble also notes that the rule affords credit unions discretion in the manner used to obtain consent, and notes that credit unions “are able to leverage existing onboarding and account maintenance processes to obtain reporting company consent.” Thus, credit unions may want to work the consent process into part of their account onboarding procedures for legal entity members. According to the rule, this consent “must be documented but need not specifically be in writing.”
Finally, the preamble notes that the rule does not address a number of details that credit unions may want to consider, such as: the mechanism through which consent can be provided or revoked, which company representatives may provide or revoke consent on the company’s behalf, when corporate changes would require obtaining new consent, or how the credit union should handle a legal entity member that refused to provide consent to access their BOI.
Acceptable Uses of BOI. The most obvious use case for BOI would be to comply with section 1010.230 of the FinCEN Regulations. That provision requires a credit union, when opening an account for a legal entity member, to obtain and verify information regarding the identity of the entity’s beneficial owners. However, the final rule permits credit unions to obtain BOI (with consent of the reporting company, of course) to satisfy “customer due diligence requirements under applicable law.” While that includes section 1010.230, the rule defines that term to include:
“any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.”
Thus, the rule expands the use of BOI to any BSA or anti-money laundering (AML) requirement for which obtaining and verifying BOI is “reasonably necessary.” According to the preamble of the rule, this includes customer identification program (CIP) requirements, suspicious activity report (SAR) filing obligations, and compliance requirements involving the Office of Foreign Assets Control (OFAC). The preamble also notes that use of BOI would not be appropriate for non-BSA functions, such as credit underwriting.
Requesting BOI from FinCEN. In addition to requiring credit unions to certify that they’ve obtained the consent of the reporting company and need the BOI to satisfy “customer due diligence” requirements, the rule also requires a credit union to follow certain standards for safeguarding the BOI obtained. The rule prohibits sharing the information with certain foreign parties, and also requires a credit union to “develop and implement administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of such information.” This includes subjecting the BOI to the same information security procedures the credit union has established to comply with the Gramm-Leach-Bliley Act.
Verification not addressed. Existing beneficial ownership requirements in section 1010.230 require credit unions to obtain and verify a legal entity’s BOI. While obtaining BOI from FinCEN can help with obtaining the BOI, the final rule does not address whether a credit union can consider that BOI to be “verified” or whether the credit union should take additional steps to verify it. Instead, FinCEN basically punted this discussion for now, stating:
“Although verification is not addressed in this rule, FinCEN appreciates the comments on this topic and is carefully considering the suggestions provided. FinCEN agrees that verification is an important part of its overall efforts to ensure that the BOI reported to it is “accurate, complete, and highly useful” and continues to assess options to verify BOI taking into consideration practical, legal, and resource challenges.”
Looking Ahead
This new rule will take effect on February 20, 2024. However, the final rule notes that access will be provided in stages, and that financial institutions will be “the last category of users that will receive access to” BOI stored by FinCEN. The rule does not say exactly when access will become available, but notes that “FinCEN anticipates providing additional information on the timing and details regarding this phased implementation approach in early 2024.” It is worth noting that the existing requirements regarding beneficial ownership – found in section 1010.230 – continue to apply. FinCEN is planning to update those requirements in a future rulemaking, which will be the third stage of CTA implementation. Unfortunately, that rulemaking may be far off, as the agency has not published a proposed rule on the topic yet. For now, the requirements of section 1010.230 remain unchanged.
The rule notes that credit unions may request to access BOI in furtherance of compliance with that section, but credit unions are not required to do so. Thus, whether a credit union wants to adopt policies and procedures regarding requesting BOI from FinCEN’s database, or whether the credit union should continue to use its pre-2024 process for obtaining and verifying BOI (or some combination of those two options) will be a business decision for each credit union to make.