Rule Regarding Access to Beneficial Ownership Information Takes Effect

On February 21, 2024, FinCEN published a Small Entity Compliance Guide to aid in compliance with the Corporate Transparency Act’s (“CTA”) Beneficial Ownership Information (“BOI”) Access and Safeguards Rule (“Access Rule”).  The Compliance Guide is called the Small Entity Compliance Guide only because federal law requires that the federal government issue guidance specifically directed at facilitating smaller business’s compliance efforts.  Notwithstanding the title, the Compliance Guide will assist financial institutions (“FIs”) of all sizes with understanding FinCEN’s expectations for access to the BOI database once such access is approved.

BOI Access for Financial Institutions — Not Yet, But it Will Happen

In the Compliance Guide, FinCEN acknowledges that FIs do not yet have access to the BOI database, due to the decision to take a phased-in approach to access.  FIs will be the final group granted access to the database.  FinCEN also reminds FIs that they will be revising the Customer Due Diligence (“CDD”) rule this year to align with the CTA rule.  When the CDD rule is revised, FinCEN will update the Compliance Guide to provide additional information on FI access to the database. 

Restrictions on the Use of BOI

The Access Rule imposes certain restrictions on how FIs may access, use, and disclose BOI obtained from FinCEN.  Under the rule, FIs may use BOI to fulfill CDD and other BSA-related requirements, but they may not use BOI for their general business or commercial activities.  Additionally, prior to obtaining any BOI from FinCEN, FIs must obtain consent from the customer.  FIs with CDD requirements under applicable law will have access to BOI. 

FinCEN provides the following examples of permissible uses of BOI:

  • Customer identification requirements;
  • Enhanced Due Diligence required under the BSA;
  • Uses that facilitate compliance with sanctions imposed by OFAC, such as for sanctions screening; and
  • Anti-money laundering/countering the financing of terrorism (“AML/CFT”) related requests, reviews, and investigations.

Limits on Disclosure of BOI Obtained from FinCEN

Generally, a director, officer, or other employee of a FI may not disclose BOI obtained from FinCEN.  However, there are three limited circumstances in which a FI may disclose BOI:

  1. To another director, officer, or other employee of the same FI for the particular purpose or activity for which the BOI was initially requested;
  2. To the FI’s Federal functional regulator or self-regulatory organization that has entered into a memorandum of understanding with FinCEN; or
  3. As authorized by FinCEN in a prior written authorization, or by protocols or guidance that FinCEN issues.

Data Protection and Supervision Requirements

The Access Rule requires FIs to develop and implement certain safeguards to protect the security and confidentiality of BOI, including:

  • Abiding by geographic restrictions and not storing or disclosing BOI received from FinCEN to persons physically located in the People’s Republic of China, the Russian Federation, or other jurisdictions determined by the Department of State to be a state sponsor of terrorism or subject to financial and economic sanctions;
  • Notifying FinCEN within 3 business days of receiving a subpoena or demand to disclose BOI from any foreign government;
  • Implementing and applying procedures established to protect customers’ nonpublic personal information under section 501 of the Gramm-Leach-Bliley Act; and
  • Obtaining consent from customers prior to initially requesting a customer’s BOI from FinCEN.

FIs will be required to certify to FinCEN when requesting BOI that they are requesting the information to facilitate their compliance with customer due diligence requirements, have obtained and documented consent from the customer, and have complied with all other requirements under the Access Rule.  FinCEN will reject any request for BOI by a FI that fails to meet any of FinCEN’s access requirements or if the information is requested for an unlawful purpose.


Penalties for unauthorized disclosure include civil penalties of $500 for each day a violation continues or has not been remedied, and criminal penalties of up to $250,000, imprisonment for up to five years, or both.  Enhanced criminal penalties may be implemented if a person commits a violation while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period.

For questions about these new rules, the CTA, or AML compliance generally, including customer due diligence and beneficial ownership rules, contact the authors of this article or another member of the McGuireWoods Financial Services & Securities Enforcement team, Government Investigations and White Collar Litigation team, Tax & Employment Benefits team, or the Corporate & Private Equity team.