FinCEN Adopts Final Rule Governing Access to Beneficial Ownership Information
Overview: On December 21, 2023, FinCEN issued its final rule implementing requirements and restrictions for accessing beneficial ownership information (“BOI”) under the Corporate Transparency Act (“CTA”) (the “Access Rule”). The Access Rule sets out how authorized recipients may access and use BOI. It also creates a framework for how those authorized recipients, and FinCEN itself, must maintain the security and confidentiality of the sensitive personal information contained in BOI. Although the final Access Rule is largely unchanged from the proposed rule issued in 2022, there are some important changes. The Access Rule takes effect on February 20, 2024, but its provisions will be phased in over time.
Background
The CTA was enacted in 2021 to curb the use of corporate entities (i.e., shell companies) to hide illicit financial activity. It requires most companies that conduct any business activity in the United States to report to FinCEN information about their ultimate beneficial owners. The CTA also required FinCEN to adopt three key rules to implement certain provisions of the Act. The first of the three was finalized in 2022, addressing the requirements for companies to report their BOI (the “Reporting Rule”). The Reporting Rule, which became effective on January 1, 2024, specifies who must file BOI, subject to a number of exemptions, what must be included in the BOI reports, and the deadline for filing such reports. Under the Reporting Rule, companies that are already required to provide BOI to a federal agency under existing regulatory frameworks are generally exempt from filing BOI reports. Nearly all other companies are required to report their BOI to FinCEN, where the data is collected into a central registry (the “CTA Registry”).
The Access Rule, issued in final form in late December, is the second of the three rulemakings the CTA requires. Under the CTA, FinCEN is authorized to share the BOI that it collects with certain recipients. The Access Rule establishes which parties may request and receive BOI from the CTA Registry (“Authorized Recipients”) and the circumstances in which they may receive the information. It also outlines data protection requirements and oversight measures applicable to BOI received from the CTA Registry.
The Access Rule
The Access Rule authorizes FinCEN to share BOI information with the following categories of Authorized Recipients:
- Federal agencies engaged in national security, intelligence, or law enforcement activities, to the extent that the BOI is requested in furtherance of these activities. “Law enforcement” activities expressly include both criminal and civil investigations and enforcement actions.
- Federal functional regulators, and other appropriate regulatory agencies (including FINRA), requesting BOI that the financial institutions under their supervision have already obtained, to the extent that the request is for the purposes of ensuring cthat supervised institutions’ are complying with customer due diligence (“CDD”) obligations.
- A state, local, and tribal law enforcement agency in connection with a criminal or civil law enforcement investigation, if a court of jurisdiction has authorized the agency to obtain the BOI in connection with such investigation. One of the important differences between the proposed rule and the final rule is that while the proposed rule required such agencies to provide documentation of court authorization to obtain the BOI, the final Access Rule only requires that these agencies certify that they have received court authorization and provide a description of the information covered by the authorization.
- U.S. Treasury Department officers or employees whose official duties require inspection of BOI or who need the information for tax administration purposes.
- Foreign requestors who submit a request through an intermediary federal agency, provided the request is permitted under an international treaty, agreement, or convention, or is made by a law enforcement or judicial authority in a trusted foreign country. FinCEN must consult with the State Department or other relevant government agencies to determine when foreign requestors should be permitted to receive BOI.
- Financial institutions subject to CDD requirements, to the extent that the request is only for the purposes of complying with the institution’s CDD requirements, and provided that the institution has documented the consent of the company that reported the BOI. But another important change from the proposed version of the Access Rule is that the final version expands the definition of CDD requirements to “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.” This broader definition goes well beyond the 2016 FinCEN CDD Rule under the Bank Secrecy Act and may include any AML compliance obligation, OFAC screening, or similar obligations under any applicable law.
As required by the CTA, the Access Rule limits an Authorized Recipient’s use of BOI gathered from the CTA Registry to the particular purpose or activity for which it was obtained. Further, any person who receives BOI under the rule may not disclose the information to any other person unless expressly authorized by FinCEN. However, in another change from the proposed version of the rule, the Access Rule allows financial institutions to disclose BOI to directors, officers, employees, contractors, and other representatives outside the U.S. so long as it is not sent to certain prohibited jurisdictions. The general prohibition on further disclosure of BOI continues to apply to an individual even after they leave the position in which they were authorized to receive BOI.
Before one of the domestic agencies listed above as Authorized Recipients may obtain BOI from the CTA Registry, it must first enter into a memorandum of understanding (“MOU”) with FinCEN. The MOU must set forth the security protocols that the agency will implement to protect the integrity and confidentiality of BOI. The Access Rule provides extensive detail about the required provisions of the MOU, such as reporting and employee training requirements, access restrictions and re-disclosure limitations.
For financial institutions, compliance with the data protection requirements of Section 501 of the Gramm-Leach Bliley Act will satisfy the data protection requirements of the Access Rule. This is true even if the institution is not subject to the Gramm-Leach Bliley Act. For each request, a financial institution is required to certify that it is requesting the BOI only to comply with its CDD obligations under applicable law, it obtained the reporting company’s written consent, and it has satisfied the data protection requirements.
What Comes Next
The Access Rule becomes effective February 20, 2024, but initially FinCEN will implement only a pilot program that includes a small number of federal agencies, once they have signed the required MOUs and implemented the attendant policies and procedures. Based on the success of phase one, FinCEN intends to later expand access to the Treasury Department and federal law enforcement and national security agencies. Subsequent phases will incrementally add access for other federal agencies, state, local, and tribal law enforcement agencies, foreign requestors, and financial institutions. FinCEN also has yet to develop the form and procedures that Authorized Recipients will use to request access to BOI, as it is still developing the computer systems that will house the CTA Registry.
FinCEN must also conduct its third required rulemaking under the CTA. This last rule will have great significance for financial institutions: FinCEN must amend the CDD Rule to align it with the BOI Reporting Rule. It must adopt the rule no later than one year after the effective date of the Reporting Rule. Financial institutions can therefore expect a notice of proposed rulemaking on this subject within the calendar year.
Criticisms
Representative Patrick McHenry, chair of the House Financial Services Committee, criticized FinCEN for removing the obligation for law enforcement agencies to provide actual court orders before receiving BOI. Previously, he also complained that the proposed Access Rule did not go far enough to protect the BOI and prevent unauthorized access. The provisions targeted by this complaint are largely unchanged in the final rule. Other critics have pointed out that the Access Rule does not address whether FinCEN will verify the BOI it receives from reporting companies.
Some financial institutions have noted areas that remain unclear. For instance, how can financial institutions properly comply with their CDD obligations if there are discrepancies between the information collected directly from their customers and the information obtained from the CTA Registry? As another example, the final Access Rule extends the types of financial institutions that may access BOI from the CTA Registry to ostensibly include non-depository financial institutions that are subject to AML requirements, such as money services businesses and mortgage companies. However, FinCEN initially will only provide access to such institutions that are subject to the CDD Rule, while it continues to evaluate the access rights of non-depository institutions. Critics have complained that this will create confusion and will limit the practical usefulness of the CTA Registry.
To help alleviate some of the uncertainty, FinCEN joined two interagency statements issued at the same time the Access Rule was finalized addressed to banks and non-bank financial institutions. The statements provide these financial institutions with guidance for navigating the intersection of the Access Rule and the CDD Rule. In particular, the guidance notes that financial institutions are not required to access BOI through the CTA Registry in order to comply with their CDD obligations.
Outlook: Because the Reporting Rule covers an incredibly broad range of legal entities, the CTA Registry will contain substantial amounts of personal information. The Access Rule therefore is an important regulatory measure governing both the protection and use of this sensitive information. The CTA Registry has potential to be a powerful tool for those parties with a need for BOI, but critics remain skeptical of how private sector participants will benefit in practice. Financial institutions and other industry stakeholders should look for the upcoming CDD Rule amendment and further regulatory guidance.
CFPB Proposes Rules to Limit Overdraft and NSF Fees
Overview: On January 17, 2024, the Consumer Financial Protection Bureau (CFPB) issued a proposed rule (the Overdraft Proposal) that would make overdrafts subject to the complex requirements of the Truth in Lending Act (TILA), and likely have the practical effect of setting maximum overdraft fee limits. One week later, the CFPB proposed a rule that would outright prohibit certain non-sufficient funds (NSF) fees (the NSF Proposal). These proposed rules are the latest steps in the Biden Administration’s and CFPB’s efforts to address what they refer to as “junk” fees.
Background
In January 2022, the CFPB launched an initiative to review so-called junk fees associated with bank accounts and other financial products. The CFPB has particularly focused on overdraft and NSF fees in carrying out this initiative. For example, in October 2022, the CFPB issued guidance stating that certain overdraft practices could constitute illegal unfair, deceptive, or abusive conduct. The CFPB also entered into multiple consent orders with banks in 2022 and 2023 that alleged banks’ overdraft and NSF practices violated the law and that required banks to make hundreds of millions of dollars in restitution payment to customers.
To date, the CFPB’s junk fee initiative has focused primarily on characterizing individual banks’ overdraft and NSF practices as unfair, deceptive, or abusive practices. One of the primary reasons for this approach is that under current federal rules, many of the overdraft services that banks provide are not “credit” subject TILA and the rule that implements it, Regulation Z, and the CFPB therefore cannot assert that overdraft services violate the highly technical requirements of TILA and Regulation Z. This treatment of overdraft services dates to 1969, when the Federal Reserve originally promulgated Regulation Z. The Overdraft Proposal would reverse this longstanding regulatory treatment of overdraft services.
The Overdraft Proposal
The Overdraft Proposal would only apply to banks with more than $10 billion in assets (Covered Banks); it would not change the regulatory framework for banks with assets of $10 billion or less. The CFPB estimates that this asset size threshold means that the Proposed Rule would apply to approximately 175 banks.
The Overdraft Proposal would have two primary effects: it would (1) substantially narrow the longstanding Regulation Z exemptions for overdraft services, and (2) establish benchmark limits on the amount of overdraft fees Covered Banks may charge without becoming subject to Regulation Z’s requirements.
Under the Overdraft Proposal, Regulation Z would apply to overdraft services provided by Covered Banks, unless a bank provides overdraft at or below cost. The Overdraft Proposal would accomplish this by removing Regulation Z’s current exemption if a Covered Bank provides an overdraft credit and charges a fee that is “above breakeven.”
Covered Banks would determine whether an overdraft charge is “above breakeven” by either individually calculating their own costs and losses for overdraft services, or by relying on benchmark limits set by the CFPB. The Overdraft Proposal includes four potential alternatives for this benchmark fee limit: $3, $6, $7, and $14. Due to the complexity of individually calculating a bank’s breakeven amount to provide overdraft services, it is likely that if the CFPB includes a benchmark limit in a final version of the Overdraft Proposal, that benchmark will become the de facto cap on overdraft fees. The CFPB is seeking comments on the appropriate amount for this benchmark, and on the appropriate formula for banks to individually determine what constitutes “above breakeven.”
A Covered Bank would still be permitted to charge overdraft fees that exceed the breakeven amount, but only if the bank complied with all of the applicable Regulation Z requirements when providing those overdraft services. This would include providing interest rate disclosures, analyzing customers’ ability to repay, providing periodic statements, and other complex requirements that would likely be challenging to implement in the context of overdraft services.
Comments on the Overdraft Proposal are due by April 1, 2024.
The NSF Proposal
The NSF Proposal would apply more broadly than the Overdraft Proposal, to financial institutions of any size, and to banks as well as non-banks.
The NSF Proposal would impose a complete prohibition on charging NSF fees on transactions that are declined instantaneously. It would cover all instantaneously declined transactions, regardless of transaction method, including debit card, ATM, and person-to-person transactions. The NSF Proposal would deem charging NSF fees in those circumstances an abusive practice, and therefore illegal under the federal Consumer Financial Protection Act. The NSF Proposal would not prohibit NSF fees in other circumstances that are not declined instantaneously, such as returned checks or ACH transactions.
Comments on the NSF Proposal are due by March 25, 2024.
Outlook: The CFPB continues to make overdraft and NSF fees a key regulatory and enforcement priority. Impacted institutions may wish to submit comments on the CFPB’s most recent rule proposals, and should continue to consider whether their fee practices may conflict with the CFPB’s increasingly skeptical view of the legality of overdraft and NSF fees.
______________________________________________________________________________________________________________________
AUTHOR INFORMATION:
Craig Saperstein, a member of Nacha’s Government Relations Advisory Group, is a partner in the Public Policy practice of Pillsbury Winthrop Shaw Pittman LLP in Washington, D.C. In this capacity, he provides legal analysis for clients on legislative and regulatory developments and lobbies congressional and Executive Branch officials on behalf of companies in the payments industry. Deborah Thoren-Peden is a partner and member of the Financial Institutions Team at Pillsbury Winthrop Shaw Pittman LLP. She provides advice to financial institutions, bank and non-bank, and financial services companies. Daniel Wood is a Counsel and member of the Financial Services Regulatory Team. He provides analysis for financial institutions, technology companies, and clients that offer consumer financial products. Brian Montgomery is a Senior Counsel and member of the Financial Services Regulatory Team. He provides analysis for financial institutions, technology companies, and clients that offer consumer financial products. The information contained in this update does not constitute legal advice and no attorney-client relationship is formed based upon the provision thereof.