When we wrote about the Corporate Transparency Act
Fincen's
Why do we say that? Let's start with the biggest issue for banks and the other covered financial institutions — trust companies, credit unions, securities broker-dealers, mutual funds, futures commission merchants and introducing brokers in commodities: access to the BOI registry. (Note that money-services businesses, which include crypto exchanges, will have no access to the BOI registry.)
The CTA limits access to situations where the financial institution is conducting customer due diligence. You remember know your customer, or KYC? Customer due diligence is KYC on growth hormones and is really three different rules for banks: (i) an anti-money-laundering program that includes, among other things, ongoing CDD, which includes monitoring to identify and report suspicious activity; (ii) identification of their customers; and (iii) collection and verification of beneficial ownership information for their legal entity customers.
In other words, CDD is not just an onboarding process but an ongoing process, a continuing effort to identify suspicious activity. Such activity of course must then be reported to Fincen in the form of a suspicious activity report, or SAR.
But the proposed rule provides that banks can access the registry only for their "CDD requirements under applicable law," then limits that "law" to just the collection and verification of BOI for legal entity customers. In other words, the proposal isn't clear whether it is permissible for banks and others to access the BOI registry for their ongoing CDD requirements, notably monitoring to identify and report suspicious activity. Was that deliberate? And what about CDD that's called for when an unusual or suspicious activity is identified by the bank? Also not clear.
In addition, Fincen makes some questionable assumptions about the circumstances under which the registry will be used, for example suggesting that access will only be needed for new legal entity customers. But what about existing customers opening up a new account, also required under the CDD rule?
Another problem is that the financial institution cannot query the database for every company that the putative owner is associated with. This is embedded in the CTA itself and therefore cannot be corrected by regulation. Financial institutions can only query the database for the BOI of a particular reporting company, and only if that reporting company provides its consent.
So financial institutions could get BOI for (say) RegTech Consulting LLC, as long as RegTech Consulting LLC provides its consent, but couldn't determine if RegTech Consulting LLC's beneficial owner is also the beneficial owner of one or more other reporting companies. Given that criminals and criminal enterprises often have multiple legal entities owned by the same person, control group or parent corporation but located in multiple and far-flung jurisdictions, this means that a bank will never be able to fully understand the ownership of a complex corporate client by querying the registry. If you haven't come across this, take a look at the corporate organizational structures of errant organizations like FTX or Enron.
Contrast this approach with that taken by the U.K. Companies House registry, which hyperlinks names associated with one company to other companies housed in the registry. If you see, for example, the name of Charles Windsor as an owner or director, you can quickly find every other English company that Mr. Windsor is associated with. This is an unfair comparison with the U.S. system of course, since the U.K. registry is public and therefore accessible by anyone, English or not, without the need to show cause. This is called transparency, and the British are to be commended for their warm embrace of that hallowed concept. God save the king!
And note that a related flaw in the U.S. registry is that there is nothing in Fincen's notice of proposed rulemaking about financial institutions getting notice when an already queried reporting company corrects or amends its BOI.
Fincen also doesn't waste an opportunity to remind us that unauthorized use of BOI, even within a bank or other financial institution, can lead to severe civil and criminal penalties, including a felony conviction. In other words, if the wrong person in a bank gets access to the BOI requested by the folks who conduct customer due diligence, there are potential liabilities to the individual and to the bank. So, warn your relationship managers not to ask their middle-office onboarding folks for BOI on a client — this could be a career-ender if done incorrectly.
Finally, a possible fatal flaw in the Fincen registry: There is no requirement in the CTA or in the proposed regulation for any verification of the BOI, either by the state registrar or Fincen. So putative beneficial owners can say what they want with little fear that the feds will come after them. Unless, of course, beneficial owners are being pursued for other misdeeds — but by then it's too late.
