Response to the Request of the FinCEN for Comment on its NPRM, Regarding Beneficial Ownership Information Access and Safeguards

Via Electronic Submission
Mr. Himamauli Das
Acting Director
Financial Crimes Enforcement Network
U.S. Department of the Treasury
P.O. Box 39
Vienna, VA 22183

Re: NPRM: Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities (Dec. 16, 2022) – RIN 1506-AB59, RIN 1506-AB49

Dear Director Das:

The New York City Bar Association’s Compliance Committee (the “Compliance Committee”) submits this letter in response to the request of the Financial Crimes Enforcement Network (“FinCEN”) for comment on its Notice of Proposed Rulemaking published on December 16, 2022, regarding Beneficial Ownership Information Access and Safeguards (the “NPRM”). The Compliance Committee has a diverse membership that includes attorneys from law firms, in-house counsel, consultants, compliance professionals at various financial institutions, as well as representatives of federal and state law enforcement, regulatory, and government agencies. We believe the Compliance Committee’s diverse membership enables it to provide a broad and thoughtful view on matters impacting the compliance function of financial institutions.

The NPRM seeks input on questions concerning the implementation of the Corporate Transparency Act (the “CTA”), enacted into law as part of the Anti-Money Laundering Act of 2020, which is itself part of the National Defense Authorization Act for Fiscal Year 2021. The proposed regulations would implement strict protocols on security and confidentiality required by the CTA to protect sensitive beneficial ownership information (“BOI”) reported to FinCEN. Specifically, the NPRM seeks comment on the circumstances in which specified recipients would have access to BOI and the security measures and oversight mechanisms applicable to them. This comment letter focuses on the NPRM provisions and questions related to disclosure of BOI to financial institutions (“FIs”) and how that information may be further used and shared.

I. SUMMARY

The CTA requires “reporting companies” – corporations, limited liability companies, and similar entities, subject to certain statutory exemptions – to submit to FinCEN specified information on, among other things, their beneficial owners. The CTA requires FinCEN in turn to maintain this information in a confidential, secure, and non-public database, and only authorizes disclosure to certain third parties, including FIs to assist in meeting their obligations under FinCEN’s Customer Due Diligence (“CDD”) Rule. This letter provides a response to Questions 12 and 23 of the NPRM, which request comments on who may access BOI and how authorized recipients may use it.

The Compliance Committee fully supports FinCEN’s proposal to leverage information from the BOI database to assist FIs in fulfilling their CDD obligations. Yet the Committee believes that FinCEN should make this useful information available to FIs to address their AML compliance obligations beyond the CDD Rule. The Committee recommends that BOI be accessible to any FI that (i) is required by the Bank Secrecy Act (the “BSA”) and FinCEN regulations to implement and administer an anti-money laundering (“AML”) program, (ii) maintains an information security program to protect the security and confidentiality of the BOI, and (iii) receives proper consent from the legal entity customer to obtain its BOI for purposes of administering the FI’s AML program and fulfilling its concomitant regulatory obligations. The Compliance Committee also recommends that FIs should be permitted to share BOI with their own directors, officers, employees, contractors, and agents within and outside of the United States with limited geographic limitations as determined by FinCEN.

The Compliance Committee believes that sharing BOI in this way has the potential to provide all FIs that must maintain AML programs under the BSA and FinCEN regulations – including money services businesses, certain trust companies, and other FIs that are not subject to the CDD Rule– with the necessary tools to improve and expedite compliance with existing AML obligations and enhance their critical monitoring functions. The Committee believes that greater availability of BOI, so long as the information remains secure, would only help the Department of Treasury pursue its goal of increasing transparency in the U.S. financial system by enabling all FIs to “better identify funds
that come from corrupt sources or abusive means.”[1] It would also be consistent with the CTA’s aim to inhibit “malign actors [from] conceal[ing] their ownership of corporations, limited liability companies, or other similar entities in the United States to facilitate illicit activity, including money laundering, the financing of terrorism, proliferation financing, serious tax fraud, human and drug trafficking, counterfeiting, piracy, securities fraud, financial fraud, and acts of foreign corruption,” and stop “money launderers and others involved in commercial activity [from] intentionally conduct[ing] transactions through corporate structures in order to evade detection.”[2]

II. THE COMPLIANCE COMMITTEE’S RESPONSE TO QUESTION 12 OF THE NPRM

Should FinCEN expressly define “customer due diligence requirements under applicable law” as a larger category of requirements that includes more than identifying and verifying beneficial owners of legal entity customers? If so, what other requirements should the phrase encompass? How should the broader definition be worded? It appears to FinCEN that the consequences of a broader definition of this phrase would include making BOI available to more FIs for a wider range of specific compliance purposes, possibly making BOI available to more regulatory agencies for a wider range of specific examination and oversight purposes, and putting greater pressure on the demand for the security and confidentiality of BOI. How does the new balance of those consequences created by a broader definition fulfill the purpose of the CTA?

The NPRM limits “customer due diligence requirements under applicable law” to the CDD Rule, which requires certain FIs to identify and verify beneficial owners of legal entity customers. As currently drafted, the proposed regulation therefore unnecessarily limits how BOI may be used and the types of FIs that may use BOI.

First, FIs would be unable to utilize BOI to comply with AML obligations outside of those required by the CDD Rule, including customer identification, transaction monitoring, and suspicious activity reporting. Such a limitation would needlessly prevent FIs from utilizing this important resource to independently verify information that a customer is providing to them throughout the lifecycle of the customer relationship. Because FIs already receive this type of information from their legal entity customers, there is no actual confidentiality concern or other legitimate reason to limit access to the BOI database for CDD purposes.

Second, the BOI database would only be accessible to FIs subject to the CDD Rule, namely federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities. This limitation would prevent money services businesses, certain trust companies, and other FIs required to implement and administer an AML program from being able to access and utilize the BOI database thereby creating an unnecessary gap in the United States’ protections against financial crimes and terrorist financing. It is also unclear whether and how due diligence vendors – that currently play an integral role in the administration of many FIs’ AML programs – would be able to access the BOI database under the current proposed regulation.

Neither of these limitations square with the CTA’s goals to “protect vital United States national security interests; protect interstate and foreign commerce; [and] better enable critical national security, intelligence, and law enforcement efforts to counter money laundering, the financing of terrorism, and other illicit activity.”[3] Indeed, the U.S. government already shares much more sensitive information with all types of FIs through 314(a) Requests based on the FIs’ obligation to keep the information confidential. But unlike BOI under the NPRM, FIs are free to use information in a 314(a) Request to help satisfy AML compliance obligations, including determining whether to establish or maintain a customer account or engage in a transaction.

In the Compliance Committee’s view, “customer due diligence requirements under applicable law” should therefore be defined more broadly to allow for more AML compliance activity than that which is mandated under the CDD Rule. To this end, the Committee specifically recommends that BOI be accessible to any FI that (i) is required by the BSA and FinCEN regulations to implement and administer an AML program, (ii) maintains an information security program to protect the security and confidentiality of the BOI, and (iii) receives proper consent from the legal entity customer to obtain its BOI for purposes of administering the FI’s AML program and fulfilling its concomitant regulatory obligations.

This recommendation addresses FinCEN’s confidentiality and security concerns by recognizing both the legal entity customer’s consent to the use of the BOI for AML compliance activities and the information security controls that all FIs are required to have in place. And more importantly, this recommendation empowers all FIs to utilize the BOI database to fulfill their critical AML functions.

III. THE COMPLIANCE COMMITTEE’S RESPONSE TO QUESTION 23 OF THE NPRM

FinCEN proposes to require FIs to limit BOI disclosures to FI directors, officers, employees, contractors, and agents within the United
States. Would this restriction impose undue hardship on FIs? What are the practical implications and potential costs of this limitation?

Under FinCEN’s proposed regulation, FIs will be required to limit BOI disclosures to their directors, officers, employees, contractors, and agents within the United States. This restriction would prohibit multinational FIs from sharing BOI with their head office, branch offices, or due diligence vendors if they are located outside of the United States, thereby making it unnecessarily difficult to administer and oversee an effective multinational AML program. For example, if a beneficial owner of a legal entity customer were subject to sanctions by a foreign jurisdiction but not by the United States, a multinational FI may not be able to effectively conduct due diligence and monitor that customer if the FI’s head office, branch offices, and due diligence vendors were prohibited from receiving BOI from its U.S. affiliates. And this restriction would complicate the review, drafting, and filing of suspicious activity reports (“SARs”) if FIs were required to shield BOI from their head office, branch offices, and due diligence vendors that are located abroad. In this sense, this limitation would create blind spots and compliance gaps within multinational FIs. This limitation would also be unnecessary because information from the BOI database is likely identical to information that the multinational FI is already obtaining from the legal entity customer unless of course that customer is falsely or incorrectly reporting the information, which the FI would be able to identify if it had that BOI. This alone demonstrates how information from the BOI database would be a particularly valuable independent check for multinational FIs on their multinational legal entity customers.

The Compliance Committee therefore specifically recommends that FIs should be permitted to share BOI with their own directors, officers, employees, contractors, and agents within and outside of the United States with limited geographic restrictions taking into consideration jurisdictions that already have memoranda of understanding and law enforcement information sharing programs with the United States. Such an approach would be consistent with the information security controls already required of FIs and FinCEN’s permissive approach to information sharing in the 314(a) context. If FinCEN determines that some geographic limitation is necessary, the Compliance Committee believes FinCEN’s proposed geographic restrictions on information sharing in its SAR pilot program provide a responsible framework.[4]

The Compliance Committee appreciates the opportunity to comment on the NPRM. If we can be of any further assistance in this regard, please feel free to contact us.

Respectfully submitted,

Patrick T. Campbell
Co-Chair, Compliance Committee

Adam B. Felsenthal
Co-Chair, Compliance Committee

Drafting Subcommittee:

The Compliance Committee is grateful to Jonathan A. Forman and Jessica T. Mingrino from Baker & Hostetler LLP for their assistance in drafting the letter, as well as Compliance Committee members Clark Abrams, A.J. Bosco, Dianna Hernandez, and Brandon Smith.