Corporate Transparency Act Update – FinCEN Issues Notice of Proposed Rulemaking

On December 15, 2022, the Financial Crimes Enforcement Network (“FinCEN”) issued a Notice of Proposed Rulemaking (the “NPRM”) that would implement provisions of the Corporate Transparency Act (the “CTA”) regarding access to and protection of beneficial ownership information (“BOI”). As previously reported, the CTA drastically expands current BOI reporting obligations in order to combat the illicit use of shell companies and to shift the burden of reporting beneficial owners of such companies from financial institutions and title insurance agents to the involved companies and the government itself.

The NPRM proposes regulations that (1) limit disclosure of BOI to certain authorized recipients, (2) limit use of such information to purposes permitted by the CTA, and (3) protect the security and confidentiality of BOI. Of particular note, financial institutions are among the list of authorized recipients when accessing BOI to fulfill customer due diligence requirements.

FinCEN is accepting comments on the NPRM until February 14, 2023.

Authorized Recipients

The proposed regulations would allow FinCEN to disclose BOI to five categories of authorized recipients:

  1. Federal, State, Local and Tribal Government Agencies;
  2. Law Enforcement Agencies, Judges and Prosecutors;
  3. Financial institutions using BOI to facilitate compliance with customer due diligence requirements under applicable law;
  4. Federal regulators and other appropriate regulatory agencies that supervise financial institutions; and
  5. S. Department of Treasury.

The degree of access to BOI would vary depending on the circumstances and recipient. The first category of authorized recipients, for example, could directly access BOI when engaging in national security, intelligence, or law enforcement activities. Financial institutions, on the other hand, could access such information only to the extent necessary to ensure their compliance with customer due diligence requirements under applicable law.

Security and Confidentiality Requirements

Under the NPRM, FinCEN would further subject each category of authorized recipients to certain security and confidentiality protocols when accessing and handling BOI. These safeguards, according to FinCEN, are meant to protect sensitive personal information while also achieving CTA’s objective of making BOI available to a range of users.  

Financial institutions in particular must comply with certain requirements before FinCEN would disclose a reporting company’s BOI. Under the NPRM, a financial institution must obtain and document the reporting company’s consent before submitting a request to FinCEN for BOI and maintain a record of such consent for five years after it was last relied on. Further, financial institutions are required to develop and implement administrative, technical and physical safeguards that protect the confidentiality of BOI. Finally, the proposed rule would require that financial institutions certify in writing for each BOI request that it: (1) is requesting the information to facilitate its compliance with its customer due diligence requirements, (2) obtained written consent from the reporting company to request the BOI, and (3) has fulfilled all other requirements for requesting BOI.

After obtaining the BOI, the proposed rule requires that financial institutions limit access to such information to the financial institution’s directors, officers, employees, contractors, and agents located in the United States.


The NPRM provides for civil and criminal penalties for knowingly disclosing or using BOI without authorization from FinCEN. Civil penalties include up to $500 for each day a violation continues or has not been remedied and a criminal penalty of up to $250,000 and/or up to 5 years imprisonment. A person who knowingly discloses or uses BOI while violating another law could be subject to an enhanced criminal penalty of up to $500,000 and/or up to 10 years imprisonment.


The NPRM proposes regulations that would require entities accessing and handling BOI to develop security and confidentiality protocols to protect such information. Financial institutions in particular would have to comply with a number of requirements before they make a request for BOI and after they receive it. As such, banks and other financial institutions should make appropriate internal preparations to ensure compliance with this rule. Furthermore, reporting companies should be aware of the authorized entities that will have access to their BOI.


Jump to Page