FinCEN Issues Final Rule Governing Access to Beneficial Ownership Information Collected Under the Corporate Transparency Act  

, RCCB Alert
, February 6, 2024

On December 22, 2023, the US Department of the Treasury, Financial Crime Enforcement Network (“FinCEN”) issued a final rule (the “Access Rule”)[1] governing access to the beneficial ownership information (“BOI”) FinCEN is required to collect under the Corporate Transparency Act (the “Act”).[2] The Access Rule goes into effect on February 20, 2024, and is the second of three final rules set to be published by FinCEN pursuant to the Act.[3] According to FinCEN, the Access Rule aims “to ensure that: (1) only authorized recipients have access to BOI; (2) authorized recipients use that access only for purposes permitted by the [Act]; and (3) authorized recipients only re-disclose BOI in ways that balance protecting its security and confidentiality with the [Act’s] objective of making BOI available to a range of users for authorized purposes.”[4] The Act provides five categories of recipients with access to BOI: (1) domestic national security, intelligence and law enforcement agencies; (2) foreign requestors; (3) financial institutions with customer due diligence compliance obligations; (4) regulatory agencies; and (5) the US Department of the Treasury.[5] The Access Rule addresses the circumstances under which each of these recipients may access BOI and how such recipients may use BOI.

Domestic Agencies

The first category of recipients authorized to receive BOI under the Act are: (1) federal agencies “engaged in national security, intelligence, or law enforcement activity, for use in furtherance of such activity”, and (2) state, local or tribal law enforcement agencies if authorized by “a court of competent jurisdiction”.[6] The Access Rule provides further clarification regarding the recipients qualified to access BOI under this provision of the Act by defining “national security activity”,[7] “intelligence activity”[8] and “law enforcement activity”,[9] as well as for what qualifies as authorization from a “court of competent jurisdiction”.[10]  

Foreign Requestors

The second category of recipients authorized to receive BOI under the Act are foreign authorities, either through a federal agency acting as an intermediary pursuant to a treaty, agreement or convention, or via an official request from the authorities in a “trusted foreign [country]” when no such treaty, agreement or convention is available.[11] In the Access Rule, FinCEN declined to specify which federal agencies are authorized to act as intermediaries for foreign agencies requesting BOI, but listed “the U.S. Departments of State and Justice, the Federal Bureau of Investigation, U.S. Customs and Border Protection, the [Internal Revenue Service], and member agencies of the Intelligence Community” as likely intermediary agencies.[12] FinCEN noted that it anticipates acting as the federal intermediary agency for requests from foreign financial intelligence units.[13] The Access Rule clarifies that requests for BOI from foreign entities that are not subject to a treaty, agreement or convention must be made through an intermediary federal agency, and must be made in connection with “a law enforcement investigation or prosecution, or for a national security or intelligence activity, authorized under the laws of the foreign country.”[14] Further, the Access Rule specifies that FinCEN will seek the “concurrence of the Department of State” and consult with the Department of Justice, “or other agencies as necessary and appropriate”, when determining whether a foreign country that is not subject to a treaty, agreement or convention, but which has requested access to BOI, should be considered a “trusted foreign country” and therefore afforded access to BOI.[15] Finally, the Access Rule requires intermediary federal agencies requesting BOI on behalf of foreign countries to certify to FinCEN that such BOI is being requested pursuant to “a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country.”[16]   

Financial Institutions with Customer Due Diligence Compliance Obligations       

The third category of recipients authorized to receive BOI under the Act are “financial institution[s] subject to customer due diligence requirements, with the consent of the reporting company, to facilitate the compliance of the financial institution with customer due diligence requirements under applicable law.”[17] The Access Rule specifies that legally prescribed customer due diligence requirements include “any legal requirement or prohibition designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States, to comply with which it is reasonably necessary for a financial institution to obtain or verify beneficial ownership information of a legal entity customer.’’[18] Therefore, although the Access Rule states that FinCEN initially intends to only provide financial institutions with obligations under FinCEN’s 2016 Customer Due Diligence Rule (the “CDD Rule”)[19] with access to BOI, the Access Rule will allow FinCEN to provide BOI to a broader range of financial institutions in the future.[20] The Access Rule further clarifies that, although financial institutions subject to the CDD Rule may access to BOI to satisfy their obligations under the Bank Secrecy Act, such as anti-money laundering compliance, suspicious activity reporting and customer identification requirements, such financial institutions may not use BOI for other purposes, such as credit underwriting or customer development.[21]

Regulatory Agencies

The fourth category of recipients authorized to receive BOI under the Act are “[f]ederal functional regulator[s] (i.e., The Board of Governors of the Federal Reserve System; The Office of the Comptroller of the Currency; The Board of Directors of the Federal Deposit Insurance Corporation; The Office of Thrift Supervision; The National Credit Union Administration; The Securities and Exchange Commission; and The Commodity Futures Trading Commission)[22] or other appropriate regulatory agenc[ies]”.[23] Under the Act[24] and the Access Rule, federal regulators which “assess, supervise, enforce, or otherwise determine’’ the compliance of financial institutions with anti-money laundering, countering the financing of terrorism or other “national security-related legal requirements for which BOI access is reasonably necessary” may access the BOI FinCEN provides to qualified financial institutions.[25] While the Access Rule does not specify which agencies qualify as “other appropriate regulatory agenc[ies]”, it does note that state bank supervisors, credit union regulators and other “state supervisory authorities” may have access to BOI if they satisfy the criteria set-out in the Access Rule.[26] The Access Rule also allows financial institutions and federal functional regulators to disclose BOI to self-regulatory organizations which are “authorized by law to determine compliance with customer due diligence requirements under applicable law”, as long as such self-regulatory organizations meet the other criteria of the Access Rule.[27]

US Department of the Treasury

The fifth and final category of recipients authorized to receive BOI under the Act are officers and employees of the Department of the Treasury (1) “whose official duties require such inspection or disclosure”, or (2) “for tax administration purposes”.[28] FinCEN declined to include a list of official duties that require access to BOI, but noted that FinCEN expected such duties to include “tax administration, enforcement actions, intelligence and analytical purposes, use in sanctions-related investigations, and identifying property blocked pursuant to sanctions, as well as for the administration of the BOI framework, such as for audits, enforcement, and oversight.”[29]

Additional Items in Access Rule and Conclusion

Other items covered by the Access Rule include the specific requirements each category of authorized recipient will need to satisfy in order to access BOI, the use and disclosure of BOI by authorized recipients, and the security and confidentiality requirements FinCEN will require authorized recipients to satisfy. The Access Rule also provides an update regarding the technical development of the BOI database. 

The Access Rule attempts to ensure that only authorized recipients have access to the BOI collected by FinCEN under the Act, that such authorized recipients only use such access for permitted purposes under the Act, and that such authorized recipients only re-disclose BOI in ways that balance the protection and security of BOI with the Act’s goal of making BOI available for a range of authorized purposes.[30]

At RCCB, we are committed to helping our clients understand and satisfy their new obligations under the Act. Our experienced team of professionals can provide you with expert guidance and support throughout the filing process. Please reach out to your RCCB contacts for more information.

RELATED MATERIAL: Final Rule: Beneficial Ownership Information Access Safeguards

RELATED ARTICLE: New Year, New Reporting Requirements: What the Corporate Transparency Act Means for Your Business

[1] The complete rule is available at:

[2] Congress passed the Corporate Transparency Act as part of the 2021 National Defense Authorization Act, with the goal of combatting the use of companies formed, or registered to do business, in the United States for money laundering and other activities that could harm US national security. RCCB’s client alert regarding the Corporate Transparency Act is available at:

[3] The first final rule was published by FinCEN on September 30, 2022, and implemented the Act’s reporting requirements. The complete rule is available at:

[4] 88 FR 88735 (Dec. 22, 2023).

[5] 88 FR 88736 - 88739 (Dec. 22, 2023).

[6] 31 U.S.C. § 5336 (c)(2)(B)(i).

[7] See 88 FR 88743 (Dec. 22, 2023), which provides that “national security activity” means activity pertaining to the national defense or foreign relations of the United States, as well as activity to protect against threats to the safety and security of the United States.

[8] See 88 FR 88744 (Dec. 22, 2023), which provides that “intelligence activity” means all activities conducted by elements of the United States Intelligence Community that are authorized pursuant to Executive Order 12333, as amended, or any succeeding executive order.

[9] See 88 FR 88744 - 88745 (Dec. 22, 2023), which provides that “law enforcement activity” means investigative and enforcement activities relating to civil or criminal violations of law.

[10] See 88 FR 88745 (Dec. 22, 2023), which provides that a “court of competent jurisdiction” means any court with jurisdiction over the criminal or civil investigation for which a State, local, or Tribal agency requests BOI.

[11] 31 U.S.C. § 5336 (c)(2)(B)(ii).

[12] 88 FR 88748 - 88749 (Dec. 22, 2023).

[13] 88 FR 88749 (Dec. 22, 2023).

[14] 88 FR 88750 (Dec. 22, 2023).

[15] 88 FR 88751 (Dec. 22, 2023).

[16] 88 FR 88752 (Dec. 22, 2023).

[17] 31 U.S.C. § 5336 (c)(2)(B)(iii).

[18] 88 FR 88756 (Dec. 22, 2023).

[19] The complete rule is available at:

[20] 88 FR 88756 (Dec. 22, 2023).

[21] 88 FR 88757 (Dec. 22, 2023).

[22] 31 CFR 1010.100(r).

[23] 31 U.S.C. § 5336 (c)(2)(B)(iv).

[24] 31 U.S.C. § 5336 (c)(2)(C).

[25] 88 FR 88758 (Dec. 22, 2023).

[26] 88 FR 88759 (Dec. 22, 2023).

[27] 88 FR 88759 (Dec. 22, 2023).

[28] 31 U.S.C. § 5336 (c)(5).

[29] 88 FR 88760 (Dec. 22, 2023).

[30] 88 FR 88741 (Dec. 22, 2023).

Related Materials


Jump to Page

By using this site, you agree to our updated Privacy Policy (including our statement regarding Cookies) and our Disclaimer.