03/29/2024 | Press release | Distributed by Public on 03/29/2024 07:10
Mar 29, 2024
Categories:
The Corporate Transparency Act (CTA)[1] is designed to combat the use of shell company structures to obscure the identities of individuals engaging in criminal activities, such as terrorism, drug trafficking, money laundering, and corporate fraud. The CTA empowers the U.S. government to collect the beneficial ownership information of legal entities doing business in the United States. Although the CTA's intended target is corporate fraud and criminal activity, the legislation's sweeping scope has caught companies' information security and data privacy compliance efforts in the crossfire.
The CTA is intended to combat nefarious activity through the creation of a new database to be administered by the Financial Crimes Enforcement Network ("FinCEN"). This database will be assembled from reports submitted to FinCEN from CTA-covered entities, also known as "reporting companies." Reporting companies must disclose their "beneficial owners" to FinCEN. That information includes the name, date of birth, current residential address and unique identifying number from an acceptable document (such as a state driver's license, U.S. or foreign passport) and a photographic image of the same document for each beneficial owner. This beneficial ownership information must be collected and housed by all reporting companies in connection with this data's ultimate disclosure to FinCEN.
For reporting companies, the new data responsibilities pose management and information security risks. Beneficial owners may also have concerns about the security of their data, particularly since the CTA disclosures involve material typically identified as sensitive personal information in a host of state privacy laws, many of which restrict the ways in which recipients or custodians of the data are permitted to use it.
What, exactly, can the government do with the sensitive data it collects on individuals as part of the CTA reporting process? FinCEN has issued a rule prescribing appropriate uses for CTA-generated data.[2] Under the rule, acceptable recipients of this information include "law enforcement, intelligence, and national security professionals," and certain financial institutions. The information itself will be collected and administered in FinCEN's "beneficial ownership information technology system" which will, it asserts, "securely collect, process, and store that [personal data]."[3]
Different rules of access apply to each category of authorized recipients. For example, federal government agencies will have access to the information so long as their representatives certify that the requested data will be used "in furtherance" of national security, intelligence, or law enforcement activity. Foreign requests, by contrast, must come from law enforcement officials in the relevant jurisdiction who apply to FinCEN for access to the information after being sponsored by a related U.S. law enforcement agency pursuant to an international treaty or similar instrument.
U.S. government agencies must "satisfy several security and confidentiality requirements" before accessing the data, including "establishing standards and procedures to protect the security and confidentiality of [the information], entering into an agreement with FinCEN specifying those standards and procedures, establishing and maintaining a secure system for storing [the information], establishing and maintaining auditable request records, restricting access to [information], conducting audits, and providing FinCEN with reports and certifications." Financial institutions requesting information under the CTA must "apply[] to [the information] the same security and information handling procedures they use to protect customers' nonpublic personal information in compliance with section 501 of the Gramm-Leach-Bliley Act and its implementing regulations."[4]
Once an authorized recipient receives information obtained from CTA compliance, it is prohibited from re-disclosing it to third parties. However, there are eight exceptions to the CTA's re-disclosure prohibition that are further set forth in the FinCEN rule. Under these exceptions, information may be re-disclosed as follows:[5]
Not all of the categories of authorized recipients will have immediate access to CTA-related information. FinCEN is phasing access to the data over time, beginning with federal agency requesters in 2024 and finishing with financial institutions at some point in the future. If you have any questions or concerns about the CTA or the personal data you are required to submit in connection with forming an entity under federal regulations, the lawyers at Frost Brown Todd are well-positioned to assist you and your business.
Frost Brown Todd will also continue to monitor all governmental agencies' future work as they issue regulations and guidance related to the CTA. Please contact the authors or any attorney with our Corporate Transparency Act Team if you have any questions or concerns.
[1] 31 U.S.C. § 5336.
[2] Fin. Crimes Enf't. Network, FinCEN Issues Final Rule Regarding Access to Beneficial Ownership Information (Dec. 21, 2023).
[3]Id.
[4]Id.
[5] All citations to the Code of Federal Regulations Title 31.
[6] The "federal functional regulators" are: the Board of Governors of the Federal Reserve System; the Office of the Comptroller of the Currency; the Federal Deposit Insurance Corporation; the National Credit Union Administration; the Securities and Exchange Commission; and the Commodity Futures Trading Commission. 31 C.F.R. §1010.100(r).