Pub. 13 2023-2024 Issue 4

Beneficial Ownership: Final Rule and Its Impacts on AML Programs

The latest final rule on beneficial ownership information (BOI) reporting gives financial institutions and their business clients more details about what’s required. Here’s a rundown of what’s behind the new rules, the latest BOI registry details and how anti-money laundering (AML) programs can prepare.

Why Is Beneficial Ownership Reporting Required?

Effective Jan. 1, 2024, many companies are required to begin reporting to the U.S. government information about beneficial ownership or who ultimately owns or controls them. U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued a new regulation on the requirements, including how AML staff will access the information through a new federal beneficial ownership information (BOI) registry.

However, much of the process has not been finalized or is broad in terms. This uncertainty is confusing financial institutions and their business clients.

What’s clear so far is that the Corporate Transparency Act (CTA) mandated the creation of a database for obtaining and holding BOI for certain U.S. entities. As described below, approximately 35 million reporting entities will have a year to provide information on their beneficial owners to FinCEN’s new registry.

The CTA was aimed at satisfying global criticism, particularly from the Financial Action Task Force (FATF), that the U.S. is a haven for money launderers due to a lack of transparency and loopholes allowing shell companies to hide the true nature and ownership of a business. The more critical potential outcome of BOI reporting is assisting law enforcement in solving financial crime.

BOI Reporting Responsibilities: Who and When

What changes will reporting entities see now that FinCEN has launched the federal BOI registry?

FinCEN has published two rulemakings regarding the registry and related requirements. Below is a short recap of each. The descriptions aren’t all-inclusive and don’t constitute legal advice.

The Final Rule for Beneficial Ownership Reporting, issued in Sept. 2022, establishes definitions for reporting provisions of the FinCEN BOI database. Some key provisions of this rule for the beneficial ownership changes in 2024 include the following:

  • The rule is effective as of Jan. 1, 2024.
  • Reporting companies created or registered before Jan. 1, 2024, have one year (i.e., Jan. 1, 2025) to file their initial BOI reports.
  • Reporting companies created or registered after Jan. 1, 2024, have 90 days after receiving notice of their creation or registration to file their initial BOI reports.
  • Updates to a company’s BOI must be filed within 30 days of the change.
  • Reporting entities that fail to register the BOI information as mandated could face federal penalties, as not registering is a criminal offense.
  • Reporting companies are defined as a corporation, limited liability corporation (LLC) or any entity created by filing a document with a secretary of state or similar office, whether domestic or foreign.
  • Entities with more than 20 employees and more than $5 million in reported gross receipts or sales are exempt from reporting, subject to other criteria.
  • Other legal entities, including certain trusts, are excluded from the definitions as filing a document with a secretary of state or similar office does not create them. (Excluding trusts in the final rule could leave a significant loophole for money launderers to use to hide true beneficial owners.)
  • The definition of a beneficial owner is anyone who owns or controls at least 25% ownership of a reporting company as well as those with “substantial control.” Substantial control is defined as anyone who can make important decisions on behalf of the entity. This definition is different from existing customer due diligence (CDD) rules that took effect in 2018. As explained further below, financial institutions should comply with the 2016 regulatory definition of beneficial owners.

Who Can Access BOI Registry Information?

The second FinCEN rule describing changes to reporting on ownership is the Beneficial Ownership Information Access and Safeguards Final Rule, which was issued in Dec. 2023. This rule implements the CTA provision establishing guidelines for who may access BOI through the registry, for what purposes and for safeguards to ensure that the information is protected. FinCEN said the rule for the beneficial ownership registry balances the statutory requirement to create a database with the need to safeguard BOI from unauthorized use. The final rule includes requirements for disclosing information about beneficial ownership to financial institutions and other specific groups.

Three key provisions of the BOI registry access rule that are especially relevant to AML programs cover the following topics:

  1. Authorized recipients of beneficial ownership information: Financial institutions are one of five groups of authorized BOI recipients that will have access to the FinCEN registry. Compared to the original proposed rule, the final access rule broadens the purposes for which financial institutions may use BOI. Institutions are allowed to use BOI for all of their AML/CFT programs, including customer due diligence, sanctions screening, enhanced due diligence efforts and investigations and reporting of suspicious activity. This gets to the heart of the CTA’s purpose: deterring illicit financial activity. Other categories of authorized recipients are:
    • Certain domestic agencies, including law enforcement.
    • Certain foreign agencies and other authorities.
    • Certain regulatory agencies.
    • Certain officers and employees of the U.S. Department of Treasury.

  2. When financial institutions will gain access to BOI: FinCEN’s scaled approach for providing access to the BOI registry begins Feb. 20, 2024. Financial institutions will be the last group to gain access, and the timeline is undetermined.

    Once they are given the go-ahead by FinCEN, banks and credit unions are required to obtain consent from the reporting customer, the FI’s client, before accessing the information. The final access rule does not dictate how to receive consent and allows for flexibility based on differences in FIs across the nation.

    Financial institutions will have to certify to FinCEN that they obtained consent, although the certification format has not yet been disclosed. FIs must also certify that they are protecting the data by adhering to all aspects of the Gramm-Leach-Bliley Act.

  3. Verification of BOI: Verification of information that a reporting entity provides to FinCEN is briefly mentioned in the final reporting rule.

    The rule states that the beneficial owners will be verified as living persons. However, they will not be verified as being the true beneficial owner for that particular company. This is in line with the current CDD regulations. However, FinCEN confirmed that verification of BOI is an integral part of its overall efforts and continues to assess options to verify BOI. More is expected on this later.

What’s Next for BOI Reporting Regs

The next expected rulemaking will revise FinCEN’s CDD rule to align current regulations with the first two rules. One important aspect to reconcile between the 2016 CDD rule and the new final rule is the definition of the “control” prong. The new beneficial ownership information rule requires companies to file information for each beneficial owner. Under the existing CDD rule, companies must only name one person with significant control.

The Anti-Money Laundering Act of 2020 (AMLA) requires this final piece of the beneficial ownership regulation to be issued no later than one year after the effective date (Jan. 1, 2024) of the BOI Reporting Rule. However, FinCEN has missed more than one regulatory deadline, so this realignment may come later than expected. Additionally, the CDD rule was effective in 2018 — two years after the regulation was finalized. As a result, it’s unclear whether FIs will face any near-term deadlines related to this issue.

Immediate Changes for Banks and Credit Unions?

For financial institutions in the U.S. and their AML programs, the bottom line is that very little has changed at this point:

  • The existing CDD and beneficial ownership requirements that took effect with the 2016 CDD rule still apply. FinCEN’s draft of a rule realigning the CDD rule with the new BOI definitions and requirements is expected sometime in 2024.
  • Banks and credit unions are not responsible for their business clients complying with the new BOI reporting requirements.
  • Beginning Feb. 20, 2024, staged access to the registry will begin, but FIs will be the last group added and the date hasn’t been determined.
  • FIs must certify that the BOI will be held securely and that the FI has received approval from the reporting entity to access their ownership details. FinCEN has not given guidance on obtaining BOI access consent and so far is leaving that up to individual FIs. Now is the time to begin considering how to request consent, whether via a change in disclosures or a more targeted method.
  • Be prepared to write procedures around access to the BOI database once more details are rolled out.

Educate Clients on BOI Changes and Fraudsters

As noted above, financial institutions are not responsible for client compliance with beneficial ownership information reporting. BOI registration is the responsibility of the 35 million reporting companies. However, most of these firms are likely unaware of the new requirements and may not even be familiar with FinCEN.

Even if familiar with the requirements, many company owners won’t know how to register because detailed guidance isn’t written. There is no finalized reporting form or instructions on how to register. FinCEN Director Andrea Gacki said during a briefing on the final access rule that the form will most likely not be confirmed until at least February 2024.

Mandated reporting can be confusing for businesses that have never been under this type of government requirement. It’s important for them to understand the role of BOI registration in safeguarding the U.S. financial system and our global reputation.

FinCEN is conducting outreach to educate businesses by holding national briefings and issuing fact sheets, a Q&A and videos. It also has a Small Entity Compliance Guide for BOI reporting. Banks and credit unions are encouraged to direct clients to the FinCEN website for comprehensive information.

Additionally, Director Gacki said at the recent ABA FinCrime Conference that FinCEN welcomes assistance from financial institutions in educating their clients. Collaboration on education is crucial. Proactively engaging with business clients on BOI requirements establishes trust while also demonstrating proficiency in navigating new regulations. Remember, failure to register BOI could lead to federal penalties for reporting entities. Safeguarding your business clients from such risks not only ensures compliance but also enhances overall goodwill.

Financial institutions and their business customers or members should also be aware that illicit actors are already trying to take advantage of uncertainty around the BOI changes. FinCEN warned recently of fraudulent attempts to obtain personal information from reporting entities. The fraudulent emails or letters may be titled “Important Compliance Notice,” and may ask recipients to click on a URL or scan a QR code. FinCEN does not send unsolicited requests and advised against responding to the messages, clicking on any links or scanning any QR codes within them. Remember, there is currently no final reporting form.

Transparency is the Goal

The CTA became effective on Jan. 1, 2024, and the BOI registry is a reality. Although not much changes immediately for financial institutions, it is critical to understand the legislation and how it affects business clients. The final rule for BOI reporting outlines crucial provisions that reporting companies must adhere to, emphasizing the need for transparency in corporate structures.

As financial institutions and their clients navigate these new requirements, the true intent of the registry — to curb illicit activities and enhance financial transparency — remains paramount. Industry leaders eagerly await clarity on access protocols, verification processes and alignment of customer due diligence rules. But the related changes will shape domestic financial practices and resonate globally, reflecting the United States’ commitment to combat money laundering and enhance transparency.

Stakeholders are on standby, ready to adapt to the evolving regulatory landscape and its far-reaching implications.

Abrigo’s mission is to help financial institutions make BIG things happen. Offerings include compliance, credit risk and lending software solutions at