How could FinCEN’s BOI rules impact your credit union?

ANALYSIS:   The League has published a few Couriers recently about the new “Beneficial Ownership Information” (BOI) rules from the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN). But we have not stressed BOI compliance much because the rules have not required anything from credit unions so far. 

Now, with new BOI reporting and access programs being implemented this year, we want to take a deeper dive into the rules and explore how FinCEN’s BOI plans may impact credit union compliance in the months and years to come. 

Your existing “Customer Due Diligence” obligations

Before getting to the new BOI rules, we need to start with FinCEN’s existing “Customer Due Diligence” (CDD) rules, which have been in place since 2016.
 
Your credit union must have written, risk-based CDD procedures as part of its Bank Secrecy Act / Anti-Money Laundering (BSA/AML) program.
 
FinCEN’s CDD rules require all credit unions (and other financial institutions) to gather information about those who own or control the “legal entities” that open accounts, such as corporations and LLCs.
 
As we explain in The League’s ii Release No. 0159, the CDD rules have a two-pronged definition of “beneficial owner,” with an ownership prong and a control prong. Under this approach, the credit union must identify:  

• Ownership prong:  Each individual (if any) who, directly or indirectly, owns 25% or more of the equity interests in the “legal entity customer”; and
   
• Control prong:  A single person who has significant responsibility to control the legal entity (including an executive officer or senior manager, such as a CEO, CFO, COO, managing member, general partner, president, vice president or treasurer) or any other person who regularly performs similar functions.  

A credit union may choose, however, to collect CDD information on natural persons who own a lower percentage of the equity interests of a legal entity customer as well as information on more than one individual with managerial control. (See FinCEN’s 2018 CDD FAQs.)

Many credit unions obtain CDD information by having the person opening an organization account complete and sign a “Certification of Beneficial Owner(s)” – a standard form that is included in the CDD rules. The certification form is available on FinCEN’s website. Using the form is not required, and your credit union might use other methods.
 
After gathering the information, credit unions then must verify the identities of those beneficial owners. Additionally, credit unions must maintain records of the identification and verification information collected. The credit union simply keeps the CDD information for its own records. Nothing requires you to report CDD information to a government agency, for example.
 
The new BOI rules do not change those existing CDD obligations. For now, credit unions should keep gathering and verifying CDD information as they have done. 

Congress mandated the new BOI rules

Some organizations have murky ownership structures, making it hard for law enforcement to see who is pulling the strings when companies are involved in crimes. So, in 2021, Congress passed the Corporate Transparency Act (CTA) as part of a large defense spending bill. The CTA seeks to shed light on criminals’ use of anonymous “shell companies” for money laundering, terrorist financing, evading sanctions, sheltering illicit funds, and more.
 
The CTA imposed a new federal requirement on certain legal entities to report BOI directly to FinCEN. Congress instructed FinCEN to write BOI rules and to create a BOI database, which certain parties, such as law enforcement or financial institutions, could access when needed.
 
FinCEN has been working over the past few years to implement the CTA, and it has been doing so in stages. 

Stage 1: The BOI reporting rule (effective 1/1/2024)

The first stage was FinCEN’s “BOI reporting” rule, which we covered in this October 2022 Compliance Courier. The final rule for this stage took effect on Jan. 1, 2024. It requires “reporting companies” to report BOI directly to FinCEN.
 
What are “reporting companies”?
 
The term “reporting companies” means corporations, LLCs and other entities created by filing documents with a secretary of state or similar office. In Wisconsin, many organizations, such as corporations and LLCs, are created by filing documentation with the Department of Financial Institutions (DFI), not the Secretary of State. Still, those organizations are subject to the BOI reporting rule. On the other hand, sole proprietorships and most partnerships are not “reporting companies,” because they are not created by filing paperwork with the DFI.
 
For information about how companies are formed in Wisconsin, see The League’s ii Release No. 0161.
 
Foreign companies registered to do business in the U.S. are also “reporting companies.”
 
Certain categories of companies are exempt, such as banks and credit unions. That means your credit union need not report its BOI to FinCEN. However, your legal entity members must report, along with many Credit Union Service Organizations (CUSOs) and many of your third-party business partners.
 
Who are “beneficial owners”?
 
A beneficial owner is any individual who, directly or indirectly: 

• Exercises substantial control over a reporting company; or
   
• Owns or controls at least 25% percent of the ownership interests of a reporting company. 

An individual might be a beneficial owner through substantial control, ownership interests, or both.
 
Any of the following may be an ownership interest: equity, stock, or voting rights; a capital or profit interest; convertible instruments; options or other non-binding privileges to buy or sell any of the foregoing; and any other instrument, contract, or other mechanism used to establish ownership.
 
What is meant by “substantial control”? An individual exercises substantial control over a reporting company in any of four ways: 1) the individual is a senior officer; 2) the individual has authority to appoint or remove certain officers or a majority of directors of the reporting company; 3) the individual is an important decision-maker; or 4) the individual has any other form of substantial control over the reporting company. 
 
There is a key difference between the existing CDD rules vs. FinCEN’s BOI reporting rule. The existing CDD rules require financial institutions to gather information about just one person with control over a company (though they may choose to gather information about more than one person, if they wish). The new FinCEN rule requires companies to report information about anyone who exercises substantial control over a company. There is no limit to the number of individuals who can be reported to FinCEN for exercising substantial control.
 
What information must be reported?
 
A reporting company must provide: 

1. Its legal name;
2. Any trade names, “doing business as” (d/b/a), or “trading as” (t/a) names;
3. The current street address of its principal place of business if that address is in the United States (for example, a U.S. reporting company’s headquarters), or, for reporting companies whose principal place of business is outside the United States, the current address from which the company conducts business here (for example, a foreign reporting company’s U.S. headquarters);
4. Its jurisdiction of formation or registration; and
5. Its Taxpayer Identification Number (or, if a foreign reporting company has not been issued a TIN, a tax identification number issued by a foreign jurisdiction and the name of the jurisdiction). 

A reporting company must also indicate whether it is filing an initial report, or a correction or an update of a prior report.
 
For each individual who is a beneficial owner, a reporting company also must provide: 

1. The individual’s name;
2. Date of birth;
3. Residential address; and
4. An identifying number from an acceptable ID document such as a passport or U.S. driver’s license, and the name of the state or jurisdiction that issued the ID. 

The reporting company will also have to provide an image of the ID used for #4.
 
Information also must be provided about “reporting company applicants,” who are the individuals who filed a document to create the company or register it to do business.
 
When must BOI be reported?
 
FinCEN has three deadlines for companies to report their BOI: 

• A reporting company created or registered to do business before Jan. 1, 2024, has until Jan. 1, 2025, to file its initial BOI report.
   
• A reporting company created or registered in 2024 will have 90 calendar days to file after receiving actual or public notice that its creation or registration is effective.
   
• A reporting company created or registered on or after Jan. 1, 2025, will have 30 calendar days to file after receiving actual or public notice that its creation or registration is effective. 

How do companies report their BOI to FinCEN?
 
Reporting company must provide their BOI to FinCEN via its BOI E-Filing website, which was launched on Jan. 1, 2024. There is no fee to report.
 
BOI reporting rule resources
 
For details about the BOI reporting rule, check out: 

• FinCEN’s BOI Small Business Resources page, with links to a variety of useful resources for your credit union’s business members.
   
• FinCEN’s Small Entity Compliance Guide to the BOI Reporting Requirements.
   
• The FinCEN BOI web page provides links to BOI resources, including videos and a live chat.
   
• This set of FinCEN FAQs on the BOI reporting rule. 

Stage 2: The BOI access rule (effective 2/20/2024)

On Dec. 22, 2023, FinCEN published its BOI access rule, the second stage of implementing the CTA. The rule took effect on Feb. 20, 2024. It governs who can access BOI that has been reported to FinCEN, as well as the process for doing so.
 
The access rule focuses on how certain government agencies and law enforcement can access BOI, but it also addresses how financial institutions – including credit unions – can do so.
 
Below are some key issues that credit unions should understand when it comes to the BOI access rule.
 
Credit unions cannot access BOI yet & will not be required to
 
The first and (for now) most important points are these: 1) Credit unions cannot access BOI data yet, and 2) even when access opens to them, using it will be optional.
 
Access will be provided in stages, and FinCEN has said that financial institutions will be “the last category of users that will receive access to” BOI. FinCEN has said that access to the BOI database for credit unions will probably coincide with the third stage of rulemaking (discussed below), scheduled to be issued by Jan. 1, 2025.
 
The League will alert credit unions when more information is available and when BOI database access opens for credit unions and other financial institutions.
 
FinCEN says that the access rule “does not create a new regulatory requirement for banks or non-bank financial institutions to access BOI, nor does it create a supervisory expectation that they do so.”
 
Instead, credit unions will be free to choose to use BOI – but only for certain purposes, as described next.
 
Allowable uses for BOI
 
Credit unions will not be able to use the BOI that they get from FinCEN for just any reason. Instead, FinCEN says that they may only use it for CDD related purposes. “This includes any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard U.S. national security, if it is reasonably necessary for the credit union to identify (and verify the identity of) beneficial owners of legal entity customers to comply with the requirement or the prohibition.”
 
Here are examples of permissible uses for BOI that credit unions get from FinCEN: 

• Customer Identification Program (CIP) requirements. (See ii Release No. 0159.)
   
• Enhanced Due Diligence (EDD) required under the BSA. (If the credit union identifies members that pose higher risks for money laundering, terrorist financing, or other illegal activity, then the credit union must apply EDD, increasing scrutiny of those members and their transactions at account opening and more frequently throughout their relationship. See ii Release No. 0159.)
   
• Suspicious Activity Report (SAR) filing. (See ii Release No. 0109.)
   
• Compliance with the U.S. Treasury’s Office of Foreign Assets Control (OFAC) requirements, such as for sanctions screening. (See ii Release No. 0148.)
   
• Anti-money laundering/countering the financing of terrorism related requests, reviews, and investigations. 

FinCEN also says: “Financial institutions should not use BOI obtained from FinCEN for their general business or commercial activities, such as to assess whether to extend credit to a legal entity, or for client development.”
 
Security & confidentiality of BOI
 
Once a credit union gets BOI from FinCEN, it must protect that information. FinCEN’s rules require credit unions (and others) that want access to BOI to develop and implement administrative, technical, and physical safeguards that are designed to protect the security, confidentiality, and integrity of BOI. This includes subjecting the BOI to the same information security procedures the credit union has established to comply with the Gramm-Leach-Bliley Act. (See ii Release No. 0155, which summarizes NCUA guidance on safeguarding member information and ii Release No. 0152 on NCUA privacy rules.)
 
Generally, a credit union may not re-disclose to others the BOI that it gets from FinCEN. However, there are eight exceptions, and two of them apply to credit unions: 1) Credit unions may re-disclose BOI with officers, employees, agents, and contractors within the credit union, and 2) credit unions may share BOI with their regulators.
 
Consent to obtain BOI
 
A credit union must get consent from a reporting company before it can access that company’s BOI from the FinCEN database.
 
Consent only needs to be obtained before a first request for a company’s BOI. Credit unions may rely on this consent to retrieve the same company’s BOI later, including to open additional accounts for the same company.
 
FinCEN’s preamble to the BOI access rule says that credit unions have discretion in how they get consent, noting that credit unions “are able to leverage existing onboarding and account maintenance processes to obtain reporting company consent.” Thus, credit unions may want to work the consent process into part of their account onboarding procedures for organization members. According to the rule, this consent “must be documented but need not specifically be in writing.”
 
The rule does not address several details that credit unions may want to consider, such as: 

• How consent can be provided or revoked;
   
• Which company representatives may provide or revoke consent on the company’s behalf;
   
• When corporate changes would require obtaining new consent; or
   
• How the credit union should handle a company that refuses to give consent. 

The documentation of the company’s consent must be maintained for five years after it was last relied on to make a BOI request to FinCEN.
 
To access FinCEN’s BOI database, credit unions will have to certify that 1) they have obtained the consent of the reporting company and that 2) they need the BOI to satisfy CDD requirements.
 
CDD verification not addressed
 
As explained earlier, existing CDD rules require credit unions to obtain and verify information about a legal entity’s beneficial owners. While obtaining BOI from FinCEN can help with obtaining the BOI, the access rule does not address if a credit union can consider that BOI to be “verified” or if the credit union should take other steps to verify it. FinCEN basically punted on this issue for now, stating: 

Although verification is not addressed in this rule, FinCEN appreciates the comments on this topic and is carefully considering the suggestions provided. FinCEN agrees that verification is an important part of its overall efforts to ensure that the BOI reported to it is “accurate, complete, and highly useful” and continues to assess options to verify BOI taking into consideration practical, legal, and resource challenges. 

BOI access rule resources
 
For details about the BOI access rule, check out: 

• This Small Entity Compliance Guide from FinCEN;
   
• FinCEN’s Fact Sheet, and
   
• This interagency statement for banks and credit unions. 

Watch for stage 3: Updates to CDD rules

As explained at the start of this Courier, existing CDD requirements continue to apply. FinCEN plans to update those CDD rules in a future rulemaking, which will be the third stage of CTA implementation. FinCEN is expected to propose a rule on the topic this year.
 
Of course, The League will update its ii Releases and send out new Compliance Couriers as FinCEN makes actionable developments on its BOI rules and programs.
 
What should credit unions do in the meantime? America’s Credit Unions (formerly CUNA & NAFCU) offers this parting advice: 

The rule notes that credit unions may request to access BOI in furtherance of compliance with CDD rules, but credit unions are not required to do so. Thus, whether a credit union wants to adopt policies and procedures regarding requesting BOI from FinCEN’s database, or whether the credit union should continue to use its pre-2024 process for obtaining and verifying BOI (or some combination of those two options) will be a business decision for each credit union to make.