Skip to main content

In Second CTA Rulemaking, FinCEN Outlines Access to Beneficial Ownership Database

Litigation Alert

When Congress passed the Corporate Transparency Act (CTA) in January 2021 and called for the creation of the first comprehensive database of beneficial ownership information for U.S. companies, it had competing goals in mind. First, it wanted to help law enforcement agencies more effectively combat illicit finance through investigations. For this purpose, the database needed to be robust and comprehensive. However, Congress also wanted to ensure that sensitive business data remained confidential and accordingly imposed strict – even criminal – penalties on anyone who improperly disclosed beneficial ownership information. 

The first goal – to create a robust and comprehensive CTA database – was the focus of the first CTA rulemaking from the Financial Crimes Enforcement Network (FinCEN). Rules finalized in September 2022 set forth who had to report beneficial ownership information and what specifically had to be reported. In that final rule (as previously described here and here), FinCEN took an expansive view of who should be considered a beneficial owner subject to reporting requirements, requiring reporting of anyone who owns more than 25 percent of a reporting company or exercises substantial control over the company, which it defined broadly. 

Congress's second goal – to ensure the confidentiality of information reported under the CTA – is the focus of FinCEN's second and most recent rulemaking. In December 2022, FinCEN issued a notice of proposed rulemaking (NPRM) to govern access to the CTA database. It underscored the regulation's aim to ensure that only authorized recipients have access to beneficial ownership information (BOI), that those recipients only use BOI for proper purposes, and that recipients are only permitted to re-disclose information "in ways that balance protection of the security and confidentiality of the BOI with furtherance of the CTA's objective of making BOI available to a range of users."

Under the text of the CTA, FinCEN is permitted to disclose beneficial ownership information to six categories of recipients: (1) federal agencies for use in national security, intelligence, or law enforcement activity; (2) state, local, or tribal law enforcement agencies following court order; (3) foreign law enforcement agencies, prosecutors, or judges following a request from a federal agency; (4) financial institutions subject to customer due diligence requirements, if the reporting company consents; (5) federal functional regulators "and other appropriate regulatory agencies" overseeing financial institutions; and (6) the U.S. Department of the Treasury (Treasury) for specific tasks, including those pertaining to tax administration. The NPRM describes how each of these categories of recipients could get access to the beneficial ownership information required:

  • Federal agency access is based upon the type of activity an agency is conducting, not the identity of the agency itself. For example, the DOJ does not automatically get access to the FinCEN database. It would get access only for national security, intelligence, or law enforcement functions. However, law enforcement activity is defined broadly to include "civil or criminal violations of law." Authorized personnel could conduct searches directly in the database, but would need to submit justifications for the searches, which will be reviewed by FinCEN. 
  • State, local, or tribal law enforcement agencies would only get access if a court of competent jurisdiction authorized the request and the agencies would need to upload the court order. Upon FinCEN's review of the court order and approval of the request, the local agencies could search directly in the database, just like their federal counterparts. 
  • Foreign agencies need to make request through a U.S. federal agency. The request must derive from a law enforcement investigation or prosecution, or from national security or intelligence activity. Foreign requests must either be made pursuant to an international treaty, agreement, or convention or, where no treaty governs, must be an official request by a law enforcement, judicial, or prosecutorial authority of a "trusted foreign country." (This term is not defined in the NPRM, but in the questions inviting comment, FinCEN asks whether and how it should define it.) After providing FinCEN with information about the requestor and, if applicable, the treaty, the requesting federal agency would conduct CTA databases searches on behalf of the foreign entity. In the absence of a treaty, barring specific enumeration of "trusted foreign countries" in later stages of the rulemaking, FinCEN will assess foreign agency requests based on U.S. interests and priorities, including the ability of the requestor to keep beneficial ownership information confidential. 
  • Provided that the reporting company consents, financial institutions are permitted to access the database for "customer due diligence requirements under applicable law," which FinCEN interpreted to mean only FinCEN's customer due diligence regulations, codified at 31 CFR 1010.230 (rather than customer identification program or other regulations). FinCEN is considering whether to include state, local, or tribal due diligence requirements as applicable law and invited comment on that aspect of the rule in particular. 
  • Federal functional regulators: (1) must be authorized by law to assess, supervise, enforce, or otherwise determine the compliance of a particular financial institution with due diligence requirements; (2) may only use the beneficial ownership information for conducting that assessment; and (3) must enter into an agreement with Treasury regarding safekeeping of the information. These requirements track the CTA statutory language and FinCEN proposes that it will only disclose to the federal functional regulators BOI that the financial institution received from FinCEN. (Federal functional regulator is defined by the CTA to include the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC)). FinCEN also notes that federal functional regulators can access the database just as any other federal agency if doing so for a national security, intelligence, or law enforcement activity, and doing so would provide much broader access. FinCEN did not include qualifying self-regulatory organizations (SROs) such as the Financial Industry Regulatory Authority (FINRA) or the National Futures Association (NFA) as federal functional regulators, since they are not federal agencies. However, FinCEN proposes authorizing financial institutions to re-disclose to qualifying SROs information that they obtain from FinCEN as long as those SROs meet the requirements set out above for federal functional regulators. 
  • Treasury employees may access the data "for tax administration" (borrowing the Internal Revenue Code definition of this term from 26 U.S.C. § 6103(b)(4)) or if their official duties are such that "the Secretary determines require such inspection or disclosure." FinCEN said that it envisions Treasury using beneficial ownership information not just for tax administration, but also for enforcement actions, intelligence and analytical purposes (including presumably by FinCEN itself), use in sanctions designation investigations, and for identifying property blocked pursuant to sanctions. As we have previously noted, the IRS's Criminal Investigations (IRS-CI) unit, which is part of Treasury, is historically the biggest user of Bank Secrecy Act (BSA) data. Since it is also a law enforcement agency, it appears that FinCEN anticipates it will permit IRS-CI to use CTA beneficial ownership data for any proper purpose. 

In addition to describing how each of these categories of interested persons would obtain access to the BOI FinCEN collects, the proposed rule restricts use of the data by those who obtain access. Under the proposed rule, unless authorized by FinCEN, any person who receives information disclosed under the proposed rule is authorized to use it only for the particular purpose for which it was disclosed. For example, a federal agency that receives information for a national security investigation can use the information only for that investigation and a federal agency that receives information as an intermediary for a foreign agency may use the information only to fulfill the request from the foreign entity. 

Relatedly, FinCEN permits those who receive beneficial ownership information to re-disclose it only in limited circumstances. For example, federal, state, local, or tribal agencies or financial institutions can disclose the information to others in the agency, as can financial institutions, if in furtherance of the same purpose for which the request was made. However, for financial institutions, to avoid inadvertent disclosure abroad, the employees receiving the information must be physically present in the U.S. In addition, FinCEN may authorize disclosure of information obtained by a financial institution to a federal functional regulator or to an SRO as described above. Federal agencies can disclose the information to DOJ in the case of a criminal referral and federal, state, local, and tribal agencies can disclose the information to a court of competent jurisdiction. Finally, FinCEN has authority to authorize other re-disclosure upon receipt of a written request. 

The proposed rule includes detailed regulations regarding security and confidentiality requirements not just for domestic agencies but also for financial institutions and foreign requestors. FinCEN's proposed protocols vary by category of recipient but require the recipients to have procedures for storing information securely with access limited to authorized personnel. 

Finally, FinCEN reminds us that the CTA "enumerate[s] civil and criminal penalties for knowingly disclosing or using BOI without authorization," including civil penalties of $500 for each day a violation continues and criminal penalties of up to five years imprisonment and $250,000 in fines. The CTA also provides for enhanced penalties if an unlawful use or disclosure of BOI is part of a broader pattern of illegal activity.

FinCEN invites comments to this proposal, which must be submitted by February 14, 2023. Since companies must begin reporting beneficial ownership information to FinCEN in January 2024, FinCEN presumably intends to issue a final rule later this year. 

For more information, please contact:

Ian A. Herbert,, 202-626-1496

Joseph A. Rillotta*

*Former Miller & Chevalier attorney

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.