FinCEN Final Rule: Beneficial Ownership Information Access and Safeguards

Final Rule Summary FinCEN: Beneficial Ownership Information Access and Safeguards

NASCUS Legislative and Regulatory Affairs Department
January 26, 2024

The Financial Crimes Enforcement Network (FinCEN) issued a long-awaited final rule implementing the Corporate Transparency Act (CTA) access and safeguard provisions. Per the CTA, the Access Rule provides access to Beneficial Ownership Information (BOI) under six categories of recipients. The final rule also aims to ensure that:

  1. Only authorized recipients have access to BOI;
  2. Authorized recipients use that BOI only for purposes permitted by the CTA; and
  3. Authorized recipients re-disclose BOI only in ways that balance the protection of the security and confidentiality of the BOI with furtherance of the CTA’s objective of making BOI available to a range of users for purposes specified in the CTA.

The final rule also provides a framework to ensure that BOI reported to FinCEN, and accessed by authorized recipients, is subject to strict cybersecurity controls, confidentiality protections, and restrictions, and includes robust audit and oversight measures.

The final rule is effective February 20, 2024.


Who will have access to BOI?

The final rule allows disclosure of BOI to authorized recipients under six categories:

  • Federal government agencies if used in furtherance of national security, intelligence, or law enforcement activity;
  • State, local, and Tribal law enforcement for use in criminal or civil investigations;
  • Foreign requests used for the furtherance of foreign national security, intelligence, or law enforcement activity;
  • Financial institutions subject to customer due diligence (CDD) requirements if the financial institution is utilizing BOI to meet their CDD requirements;
  • Federal functional regulators and other appropriate regulatory agencies, including state supervisory authorities acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence requirements;
  • Treasury personnel whose duties require BOI inspection or disclosure or for tax administration purposes.

For this summary, we will focus on financial institution (FI) and regulatory agency access.

Financial Institutions

Accessing BOI

The final rule indicates FIs are not required to access the BOI database. The rule also does not identify what an FI’s obligations may be once the 2016 CDD Rule is revised.  However, the final rule states that FI’s may “obtain BOI in order to facilitate compliance with the customer due diligence requirements.” FinCEN explains, “[t]he revised regulation now specifies that the clause ‘customer due diligence requirements under applicable’ includes ‘any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.’”

Ultimately, the final rule expands the use of BOI by FIs to any BSA or AML requirement for which obtaining and verifying BOI is “reasonably necessary” as noted above, and permits FIs to obtain BOI to “help discharge its AML/CFT obligations under the BSA, including its AML program, customer identification program (CIP), SAR filing, and enhanced due diligence requirements. The final also permits FIs to access BOI to facilitate compliance with sanctions imposed by OFAC.

It is important to note, the final rule states use of BOI should be “directly related to a financial institution’s compliance with a legal obligation that is designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States.” FIs are not permitted to use BOI from FinCEN when making a credit decision to a legal entity. Nor are FIs permitted to utilize BOI for general business or commercial uses, such as client development, as it is not considered to be consistent with AML/CFT or national security purposes.


Before an FI can request BOI information from FinCEN, the FI must obtain and document the prior consent of the reporting company. Regarding this consent, FinCEN explains “reporting company consent must be documented, but need not specifically be in writing.” Financial institutions may satisfy this requirement through any lawful method of obtaining consent from the reporting company, however, because FinCEN is allowing this flexibility for documentation of consent, there is not a safe harbor provision for any particular method used to obtain the consent.

It is also important to note that FinCEN still must promulgate the proposed form for FIs to request BOI from the agency.


The final rule also requires that FIs obtaining BOI from FinCEN must implement “administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of such information.” The final rule allows financial institutions to satisfy these requirements by applying the security and information handling procedures used to comply with the Gramm-Leach-Bliley Act (GLBA). Which credit unions and banks are already subject to.


In our comments to FinCEN, NASCUS stressed the need for clarification surrounding a financial institution’s obligation to verify and subsequently report a discrepancy with BOI information should they access the BOI system. Unfortunately, the final rule does not address this and states:

“Although verification is not addressed in this rule, FinCEN appreciates the comments on this topic and is carefully considering the suggestions provided. FinCEN agrees that verification is an important part of its overall efforts to ensure that the BOI reported to it is “accurate, complete, and highly useful” and continues to assess options to verify BOI taking into consideration practical, legal, and resource challenges.”

Existing CDD requirements under 1010.230 require financial institutions to obtain and verify a legal entity’s BOI. Forthcoming proposed amendments to the existing CDD rule will hopefully address this issue as well as others.

Regulatory Agencies

BOI obtained from FinCEN will be accessible to regulatory agencies, including state supervisory agencies (SSAs) that “assess, supervise, enforce, or otherwise determine” compliance of financial institutions with AML/CFT. These agencies may also use BOI that their supervised institutions have already obtained from FinCEN to conduct “the assessment, supervision, or authorized investigation” in connection with a financial institution’s use of BOI obtained from FinCEN to comply with BSA requirements of countering money laundering and terrorist financing.

Before accessing the system, SSAs will be required to enter into an agreement with FinCEN for this access. The agreement or Memorandum of Understanding (MOU) with FinCEN must specify the standards, procedures, and systems that the agency will be required to maintain to protect BOI. The final rule also imposes specific requirements for each request, requiring agencies to limit (as much as able) the amount of BOI they seek.

Rollout of Access to BOI Database

The final rule indicates access to the BOI database will be rolled out in stages. Beginning in 2024, the first stage will be a pilot program for a handful of key Federal agency users as required MOUs, policies, and procedures are completed. The second stage will be extended to Treasury Department offices and certain Federal agencies engaged in law enforcement and national security activities with existing Bank Secrecy Act (BSA) MOUs (e.g., FBI, IRS-CI, HSI, and DEA). Subsequent stages will extend access to additional Federal agencies engaged in law enforcement, national security, and intelligence activities, as well as key State, local, and Tribal law enforcement partners; and then to additional State, local, and Tribal law enforcement partners; in connection with foreign government requests. Financial institutions and their supervisors will be included in the final access stage.

The final rule includes financial institutions in the last stage as FinCEN expects the timing of their access will coincide with the upcoming revisions to FinCEN’s 2016 Customer Due Diligence (CDD) Rule. FinCEN is required to update the CDD Rule in the third stage of CTA implementation.

FinCEN anticipates providing additional information on the timing and details regarding the phased-in implementation early in 2024. NASCUS will keep members updated as additional guidance and information is issued.