Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities

February 14, 2023

Policy Division
Financial Crimes Enforcement Network
P.O. Box 39
Vienna, VA 22183

Re: Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities – RIN 1506-AB49/AB59

Dear Acting Director Das:

The National Association of State Credit Union Supervisors (NASCUS)[1] submits this letter in response to the Financial Crimes Enforcement Network’s (FinCEN) notice of proposed rulemaking and request for comment: Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities (BOI Access Rule)[2].

Section 6403 of the Corporate Transparency Act (CTA)[3], enacted into law as part of the Anti-Money Laundering Act of 2020 (AML Act), requires FinCEN to promulgate regulations regarding access by authorized recipients to beneficial ownership information (BOI) reported to FinCEN. NASCUS would like to take the opportunity to address specific areas of importance to state supervisory authorities and financial institutions.

Access by State Regulatory Authorities

The NPRM addresses access capabilities of federal functional regulators and “other appropriate regulatory agencies” only when assessing a covered entity’s compliance with Customer Due Diligence (CDD) requirements under applicable law, and only if the reporting company first consents. NASCUS will address the “consent” to allow access in more detail in another section of our comments.

FinCEN’s regulations already define the term “federal functional regulator” to include six agencies identified in the AML Act, including the National Credit Union Administration (NCUA). However, FinCEN is not proposing to define “other appropriate regulatory agencies” at this time and believes the existing requirements[4] that such an agency be “authorized by law to assess, supervise, enforce, or otherwise determine the compliance of such FIs with customer due diligence requirements under applicable law” sufficiently define this category.

Additionally, the NPRM indicates the regulatory agencies would only have access to BOI that their supervised institutions received from FinCEN during a particular period, as opposed to data that might reflect subsequent updates. FinCEN indicates that the agency “continues to evaluate options for verifying reported BOI.” “Verification” means confirming the reported BOI submitted to FinCEN is accurately associated with a particular individual, casting doubt for financial institutions (FIs) and regulators about the ability to rely upon the information in the system.

While the referenced definition appears to encompass state credit union regulators, and state supervisory authorities (SSAs), the intent to include SSAs (and other state prudential regulators of covered entities) should be made clear. It is important to note that generally, the majority of federally insured state-chartered credit unions (FISCUs) are examined, on an annual basis, exclusively by their SSA. FinCEN must ensure that SSAs, at a minimum, have equal access to that of federal financial regulators.

Consent from Institutions

Under the proposed rule, as previously noted, FinCEN would require financial institutions to obtain the business entity or “reporting company’s” consent in order to request and obtain the reporting company’s BOI from the database. FinCEN is seeking comment on the requirement of consent and is specifically seeking comment regarding … “what barriers financial institutions may face in fulfilling such a requirement, as well as any other considerations.” NASCUS questions the necessity of such a requirement. If FinCEN is requiring a financial institution to search this database, which remains unknown, it is unclear what purpose requiring a financial institution to obtain consent would achieve.

FinCEN proposes under section 1010.955(d)(2)(iii):

Consent to obtain information. Before making a request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall obtain and document the consent of the reporting company to request such information. The documentation of the reporting company’s consent shall be maintained for 5 years after it is last relied upon in connection with a request for information under paragraph (b)(4)(i) of this section. 

It should be noted, as the industry awaits amendments to the CDD rule, there are currently two existing regulations in which financial institution customers, or members in the case of credit unions, must provide a form of certification or acknowledgment at the time of account opening. These existing requirements are discussed in the current Customer Identification Rule[5] as well as the certification requirement under appendix A to the current Customer Due Diligence Rule.[6] Until the CDD rule expectations are finalized, as required by the CTA, FinCEN should remove the proposed requirement for financial institutions to obtain the consent of an entity from final rulemaking.

Customer Identification Program vs. Customer Due Diligence

The NPRM states that FinCEN considered interpreting the phrase “customer due diligence requirements under applicable law” more broadly to cover a range of activities beyond compliance with legal obligations to identify and verify beneficial owners of legal entity customers.[7] It is also noted that FinCEN’s Customer Identification Program (CIP)[8] regulations could be considered CDD requirements.

FinCEN opted not to propose this broader approach. However, FinCEN is seeking comment on whether a broader reading of the phrase “customer due diligence requirements” is warranted under the CTA and, if so, how CDD should be defined to provide regulatory clarity, protect the security and confidentiality of BOI, and minimize the risk of abuse.

NASCUS would like to point out the significant parallel requirements between that of CIP and CDD and would strongly encourage FinCEN to incorporate a broader reading of CDD to encompass CIP requirements.

  • 1010.220 of the CIP regulation lays the groundwork for CDD, requiring that a financial institution with an anti-money laundering program[9] “must implement a written Customer Identification Program appropriate for the bank’s size and type of business that, at a minimum, includes each of the requirements of paragraphs (a)(1) through (5) of this section. The CIP must be a part of the anti-money laundering compliance program.”

Identifying a customer through CIP is a precursor to conducting CDD on that customer. § 1010.220(2) addresses the specific identifying information that a financial institution must obtain from each customer before opening an account, including name, date of birth, address, and identification number, which includes business entities.

A broader reading of CDD to include CIP and the ongoing CDD requirements of §1010.210(b)(5) would permit financial institutions to confirm beneficial ownership information provided to financial institutions to facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.

Limiting CDD requirements to only that of identifying and verifying beneficial ownership of legal entity customers is contrary to the goal of the CTA and also ignores a key requirement of the 2016 Customer Due Diligence Rule, which is the requirement to “conduct ongoing monitoring to identify and report suspicious transactions, and on a risk basis, to maintain and update customer information.” Additionally, excluding CIP from the broader definition of CDD further negates the requirement under the 2016 CDD rule that a financial institution’s CDD policies, procedures, and processes “be commensurate with the bank’s BSA/AML risk profile, with an increased focus on higher risk customers.”

The customer’s risk profile is determined at account opening as part of CIP.

It is also important to address that the definition of CDD will be dependent upon what the regulatory requirements will be on FIs when the CDD rule is amended.

Clarification is Necessary

The 2016 CDD rule requires that a financial institution’s policies and procedures include standards for conducting and documenting analysis associated with due diligence for resolving issues when insufficient or inaccurate information is obtained. As currently proposed, the initial reporting of BOI would provide a single report of the information at that point in time the account is opened. However, the CTA and the final rule for reporting BOI for legal entities provided for updating the initial report “if there is any change with respect to required information previously submitted to FinCEN concerning a reporting company or its beneficial owners, including any change with respect to who is a beneficial owner or information reported for any particular beneficial owner.”[10]

There is nothing in the NPRM addressing whether financial institutions will receive notice from FinCEN when an already queried reporting company corrects or amends its BOI, nor is there anything in the NPRM that addresses whether a financial institution has an obligation to report if there is a discrepancy between the information provided by the reporting company at account opening versus the information obtained in the database, or what should be done to remedy such discrepancies.

Metaphorically speaking, FinCEN has put the second step before the first with this rulemaking, especially for financial institutions and their regulatory agencies. Absent an amended CDD rule, financial institutions are left with a significant amount of uncertainty. Not only do they not know what the requirements will be in terms of accessing the database, FIs do not know what their obligations will be, if any, to rely on the database. Nor do they know what potential new obligations they may have under an amended CDD rule.

Additionally, how will ongoing due diligence be conducted if this will remain a requirement in the amended CDD rule and if access to the database is strictly limited to the information obtained at the time of account opening? How would such limited access be beneficial to the purpose of the CTA to protect the U.S. financial system from being used for money laundering and other illicit activities?

Newly proposed section 5336(b)(1)(F) states that BOI should be highly useful to institutions to “facilitate the compliance of the financial institutions with anti-money laundering, countering the financing of terrorism, and customer due diligence requirements under applicable law.” If a reporting company files amended or corrected BOI with FinCEN, will FinCEN send a report to the FI? This seems unlikely. Will the reporting company be required to notify their respective FIs of any change?

If broader regulatory requirements are imposed under the amended CDD rule, FIs will need much greater access to the database than what is currently proposed. Regulatory agency access should be the very same. Additionally, FIs will need to update risk assessment processes and procedures as well as policies and systems and train appropriate staff, which begs the question, will the number of staff who can access the information be limited per FI? How will regulatory agencies conduct an appropriate examination for CDD if data is limited or inconsistent?


We thank FinCEN for the opportunity to submit the above comments for consideration during the development of a final rule regarding Beneficial Ownership Information Access. NASCUS encourages the agency to consider the essential role financial institutions and their regulatory agencies play in identifying and combatting financial crimes in a final rulemaking.


Sarah Stevenson
Vice President, Regulatory Affairs

[1] NASCUS is the professional association of the nation’s forty-five state credit union regulatory agencies that charter and supervise over 1900 state credit unions. NASCUS membership includes state regulatory agencies, state-chartered and federally-chartered credit unions, and other important stakeholders in the state system. State-chartered credit unions hold over half of the $2.2 trillion assets in the credit union system and are proud to represent nearly half of the 129 million members.

[2] 87 Fed. Reg. 77404 (December 2022)

[3] 31 U.S.C. 5336(c)

[4] 31 U.S.C. 5336(c)(2)(C)(i)

[5] 31 CFR 1020.220 Customer Identification Requirements for Banks

[6] 12 CFR 1010.230 Beneficial Ownership Requirements for Legal Entity Customers

[7] 87 Fed. Reg. 77415

[8] 31 CFR 1020.220 Customer Identification Requirements for Banks

[9] 12 U.S.C. 1786(q)(1)

[10] 31 CFR 1010.380(b)