Beneficial ownership information, the CDD rule & the CTA

Tom Massey, Jacob Rivkin | 7/27/2023
How can financial services organizations prepare for shifts in beneficial ownership information regulations?

The Egmont Group has identified many techniques bad actors use to obscure beneficial ownership (BO). Examples include using complex ownership and control structures, appointing close associates or family members as informal nominee shareholders and directors, separating legal ownership from assets through trusts and other legal arrangements, and employing intermediaries in forming legal persons.

Consequently, Financial Action Task Force recommendations require competent authorities to have access to adequate, accurate, and timely beneficial ownership information. The Corporate Transparency Act (CTA) will help provide this access by developing a national ultimate beneficial owner (UBO) registry as many other countries have done. Financial services organizations will be required to update their processes to align with the changing requirements.

What is the CTA?

According to the Financial Crimes Enforcement Network (FinCEN), the CTA was designed “to protect U.S. national security and strengthen the integrity and transparency of the U.S. financial system.” The rule will help “stop criminal actors, including oligarchs, kleptocrats, drug traffickers, human traffickers, and those who would use anonymous shell companies to hide their illicit proceeds.”

The CTA establishes beneficial ownership reporting requirements for corporations, limited liability companies, and similar entities formed or registered to do business in the U.S. It authorizes FinCEN to collect and share information with authorized government authorities and financial services organizations, subject to effective safeguards and controls.

The CTA is similar to the customer due diligence (CDD) rule – but with some big differences.

FinCEN issued beneficial ownership regulations for legal entity customers in 2016, and this issuance became known as the CDD rule. This rule placed the responsibility of gathering, verifying, and retaining beneficial ownership information (BOI) on financial services organizations when opening an account for an entity meeting the definition of a legal entity customer. With the passage of the William M. Thornberry National Defense Authorization Act for Fiscal Year 2021 (NDAA 2021), the process of gathering, verifying, and retaining BOI will change.

FinCEN has thus far released two notices regarding the CTA. The CTA final rule, issued on Sept. 29, 2022, detailed new requirements for reporting beneficial owners. On Dec. 15, 2022, FinCEN provided more specifics on BOI access and safeguards. A third notice is expected, possibly regarding the beneficial ownership secure system (BOSS).

The CTA requires that FinCEN rescind portions of the CDD rule within one year of the effective date. As a result, the requirement for financial services organizations to identify the beneficial owners of legal entity customers (31 CFR 1010.230(a)) will remain, but the specific requirements for doing so (31 CFR 1010.230(b)-(j)) will be removed to make way for the CTA.

Mapping the CDD rule to the CTA, from a reporting company’s perspective

Let’s look at the who, what, where, and when of the CTA. Note that additional information will be released by FinCEN and changes could occur.


Who

Any entity that meets the definition of a reporting company must report BOI to FinCEN. A reporting company is defined by FinCEN as a domestic or foreign corporation, limited liability company (LLC), or other similar entity formed or registered to do business in the United States, including tribal jurisdictions.

As with the CDD rule, the CTA continues to primarily apply to smaller, more lightly regulated entities. For example, it exempts governmental authorities, banks, money service businesses, brokers or dealers in securities, and accounting firms.

CTA requirements define a beneficial owner as an individual who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, exercises substantial control over the entity (known as the control prong) or owns or controls not less than 25% of the ownership interest of the entity (known as the ownership prong).

The CTA also provides a more explicit definition of substantial control for the control prong than previously established in the CDD rule. The definition includes an individual who:

  • Serves as a senior officer
  • Has authority over the appointment or removal of any senior officer or a majority of a governing board
  • Directs, determines, or has substantial influence over important decisions regarding the reporting company’s:
    • Nature and scope
    • Reorganization, dissolution, or merger
    • Major expenditures, issuance of equity, incurrence of significant debt, or approval of operating budget
    • Selection or termination of business lines or ventures, or geographic focus
    • Compensation schemes and incentive programs for senior officers
    • Entry and termination of significant contracts
    • Significant amendments to governance documents 
  • Exhibits any other form of substantial control over a reporting company

The definition of beneficial owner does not include:
  • A minor child
  • An individual acting as nominee, custodian, or agent on behalf of another individual
  • An individual acting solely as an employee of a corporation, LLC, or similar entity
  • An individual whose only interest is through inheritance
  • A creditor of a corporation, LLC, or similar entity unless they meet the requirements of either the control prong or ownership prong

Under the CDD rule, a natural person opening an account on behalf of a nonexempt legal entity completes the report. Under the CTA, the reporting company’s agent makes the report.


What

The statute requires companies to report to FinCEN, for each BO, four pieces of information:
  • Full legal name
  • Date of birth
  • Current residential or business address
  • A unique identifying number from an acceptable identification document, or the person’s FinCEN identifier

An acceptable unique identification document must be one of the following:
  • A nonexpired passport issued by the U.S.
  • A nonexpired identification document issued by a state, local government, or American Indian tribe to the individual
  • A nonexpired driver’s license issued by a state

If an individual does not have any of the above documents, a nonexpired passport issued by a foreign government can be accepted.

Finally, there is the FinCEN identifier, which is a unique identifying number that FinCEN can issue to reporting companies to provide instead of BOI for a particular beneficial owner.

In addition to reporting BOI, the CTA requires the filing agent of the reporting company to certify that reported information regarding company applicants is true, correct, and complete. This certification will be entered into the BOSS at the same time as the BOI and must be accompanied by the following information regarding the reporting company:

  • Full legal name used to establish the company (trade name or “also known as” is not sufficient)
  • Street address of the principal place of business (a post office box or the address of a company formation agent or other third party is not sufficient)
  • Jurisdiction of formation (state, tribal, or foreign)
  • Note: A company identification number, data universal numbering system, or legal entity identifier is not allowed in lieu of a tax identification number (TIN), and foreign reporting companies without a U.S. TIN will be required to provide a foreign TIN

Under the CDD rule, a control prong individual and any ownership prong persons would be entered on the form. Under the CTA, the same is true with the addition of the reporting company’s agent making the report.


Where

FinCEN is developing the BOSS as a centralized system to receive, store, and maintain BOI reporting for the CTA.

The BOSS is expected to meet the Federal Information Security Act compliance level of high, and FinCEN expects the BOSS will be ready to accept filings as of the final rule’s effective date.

Under the CDD rule, BOI is collected on the certification of beneficial ownership (COBO) form. Under the CTA, BOI will be entered into FinCEN’s BOSS.


When

Everything in the CTA is driven by the effective date of Jan. 1, 2024. However, there are a few different time frames to consider depending on whether the reporting company exists prior to the effective date.

Under the CDD rule, BOI was gathered on the COBO form at the time of account opening. Under the CTA, it is as follows:

  • For entities created or registered before the effective date, filing of initial reports must be made within one year of the final rule's effective date. Existing entities have until end of day Dec. 31, 2024, to make their initial report.
  • For entities created or registered on or after the final rule's effective date, filing is required within 30 calendar days of the earliest of two triggers: 1) the reporting company receives notice that its creation (or registration) has become effective; or 2) a secretary of state or similar office first provides public notice, such as through a publicly accessible registry, that the reporting company has been created or the foreign reporting company has been registered.
  • If an entity no longer meets the criteria for an exemption for BOI reporting, it is required to report BOI within 30 days of the date it is no longer exempt.
  • If it is determined that BOI data in the BOSS is not accurate, reporting companies are to file an updated or corrected report within 30 calendar days after the date of change, such as a new address, new beneficial owner, or replacement of an existing or new control prong individual.

How the CTA affects beneficial ownership information reporting

The most meaningful change in BOI reporting under the CTA is that it will relieve financial services organizations from the burden of collecting and retaining BOI. As of the CTA effective date, the responsibility for collecting and retaining BOI will reside with the reporting companies and FinCEN. However, financial services organizations will still be responsible for determining whether applicable legal entity customers have completed a BOSS entry under the remaining portion of the CDD rule and any necessary due diligence.

Financial services organizations are authorized to receive disclosed BOI from FinCEN to facilitate compliance with CDD requirements. To accomplish this, the organization must have a reporting company’s consent to request BOI from BOSS. The process requires organizations to obtain and document the consent request and certify as such when entering the system.

FinCEN expects that organizations will establish recordkeeping requirements for consent requests. Allowances are made so organizations can share BOI with counterparties if they are working together to onboard or complete periodic review of a customer, which will reduce the number of consent requests required. However, the redisclosure of BOI is limited in those situations to persons physically present in the United States. If, for example, an organization has a production team outside of the U.S. assisting with onboarding and periodic reviews, it may not use this allowance.

Additionally, financial services organizations must develop and implement reasonable administrative, technical, and physical protections for BOI before they can receive BOI. Security and information handling procedures must comply with Section 501 of the Gramm-Leach-Bliley Act and any other regulations issued to protect nonpublic customer personal information.

FinCEN is developing online training that it expects BOSS users to complete as a condition of creating and maintaining system accounts for access.

Meeting new beneficial ownership information reporting regulations

The CTA will take effect Jan. 1, 2024. In the meantime, financial services organizations can take steps to get up to speed on critical reporting changes and prepare to meet new regulations:

  • Update the AML program or policy for the new rule.
  • Revise new customer onboarding, periodic review policies and procedures, and process flows to align with changing BOI responsibilities.
  • Identify BOSS users and begin online system training as soon as it is available to confirm the organization has access.
  • Establish a policy and plan for obtaining consent from potential and existing clients to validate beneficial ownership information in BOSS and comply with the portion of the CDD rule that will remain intact.
  • Prepare to address reporting companies that are out of compliance, where no BOSS entry can be located.
  • Determine how to use or dispose of legacy CDD rule data and how it will be used to compare against data in the BOSS.
  • Establish administrative, technical, and physical safeguards of BOI, and restrict access to appropriate persons.
  • Maintain an auditable system of standardized records for requests.