Corporate Compliance Insights

Data Protection Demands Complicate CTA Compliance

Customer due diligence rule still expected from FinCEN

by Lowenstein Sandler
February 28, 2024
in Compliance, Data Privacy, Featured

As the calendar rolled over into 2024, a new reporting obligation went into effect for millions of American companies, the Corporate Transparency Act. A trio of experts from Lowenstein Sandler explore the privacy implications of a database of sensitive corporate ownership information.

Lowenstein Sandler partners Robert A. Johnston Jr. and Mary J. Hildebrand and counsel Judith G. Rubin co-authored this article.

On Jan. 1, the Corporate Transparency Act (CTA) went into effect, premised on the belief that illicit actors use corporate structures like shell companies and fronts to hide their identities and launder criminal proceeds through the U.S. financial system.

To that end, the CTA created the Beneficial Ownership Secured System (BOSS), requiring that U.S. and foreign companies that are authorized to do business in the U.S. report beneficial ownership information in BOSS unless one of the CTA’s 23 exemptions to reporting applies.

Rules set by FinCEN, which will maintain the database, stagger into effectiveness this year, including its beneficial ownership reporting rule (Jan. 1), access rule (Feb. 20) and customer due diligence rule (still to be announced). FinCEN’s rules raise the stakes for reporting companies that are regulated by state, federal, or foreign data privacy and cybersecurity laws, necessitating several key actions to identify and mitigate attendant risks.

What’s changed?

Now that the CTA has gone into effect, there is for the first time a federal requirement in the U.S. that millions of small companies must report information to FinCEN because they are now reporting companies.

Importantly, companies will be required to identify the individuals who incorporated or formed a company, who own 25% or more of a company and who exert substantial control over it. Furthermore, reporting companies also will be obligated to provide personally identifiable information (PII) for those individuals, including their full legal name, date of birth and current address, as well as a government-issued photo identification document with a unique ID number. Accordingly, in order to comply with the CTA, reporting companies will need to collect, process and report a company’s beneficial ownership information (BOI), including PII, shortly after the company’s formation and thereafter whenever any information on a BOSS filing changes, including but not limited to an expired photo identification document or a change of home address of someone reported in a BOSS filing as one of the company’s beneficial owners. (In 2024, newly formed companies have 90 days to make an initial BOSS filing unless an exemption applies. For 2025 and beyond, this timeline is reduced to 30 days.)

BOI includes not only data regarding a potentially large group of individuals for each company but also sensitive PII that requires enhanced privacy and security measures under data protection laws. Specifically, BOI includes identification numbers from drivers’ licenses, passports or similar identification documents and photos of the documents. Current laws in California, Virginia, Colorado, Connecticut and Utah — and the upcoming Texas Data Privacy and Security Act (effective July 1) — for example, are highly likely to view such information as sensitive PII. Depending on a reporting company’s business, industry and geographic location, BOI (including sensitive elements) may be regulated by sector-specific laws (applicable, for example, to healthcare or financial services), regional regulations (such as the GDPR in the European Union) and/or other data protection laws.

Upon request by a beneficial owner, company applicant or reporting company, the CTA permits FinCEN to assign a numeric identifier to each person or entity. FinCEN cannot issue more than one FinCEN identifier to the same individual or entity (including any successor entities). In order to reduce the administrative burden associated with uploading materials potentially multiple times for a person across multiple entities, reporting companies may report FinCEN identifiers in lieu of providing the required information with respect to each beneficial owner, and company applicants may also use their own FinCEN identifiers to streamline reporting processes. In November, FinCEN issued a final rule clarifying the criteria that must be met for a reporting company to report an intermediate entity’s FinCEN Identifier in lieu of information about its beneficial owner(s), and additional regulations are anticipated in 2024.


Who is authorized to access the BOI database?

FinCEN is authorized to disclose BOI to only six categories of recipients, subject to specific conditions set forth in the access rule:

  • Federal agencies engaged in national security, intelligence or law enforcement activity (civil, criminal and/or administrative)
  • State, local and tribal law enforcement agencies
  • Foreign requesters, provided that the request is submitted on behalf of a law enforcement agency, prosecutor or judge of another country, or on behalf of a foreign central authority or foreign competent authority
  • Financial institutions using BOI to facilitate compliance with customer due diligence requirements under applicable law
  • Federal regulators and agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence requirements
  • Any U.S. Treasury Department officer or employee assigned official duties that require BOI inspection or disclosure or who are responsible for tax administration

Authorized recipients of BOI are required to comply with appropriate security and confidentiality standards to protect BOI. Depending on the recipient, laws such as the Gramm-Leach-Bliley Act, or international treaties, agreements or conventions, may impose additional or different data privacy and security requirements. Individuals or entities that violate the CTA may incur substantial penalties in the form of fines and imprisonment.

PII raises the stakes of CTA compliance

If a company meets the specifications to be categorized as a reporter, it should:

  • Revisit current data protection programs to ensure that BOI and FinCEN identifiers are appropriately evaluated, processed and protected in accordance with data protection laws. For example, California and Utah require clear notice to individuals prior to collecting sensitive PII, and Virginia, Colorado, Connecticut and Texas require that individuals affirmatively consent. Data protection assessments may be required in certain circumstances, and reporting companies may have to respond to consumer rights requests (e.g., the right to limit the use and disclosure of sensitive PII).
  • Ensure that appropriate cyber insurance coverage is in place and that the policy terms cover BOI and FinCEN identifiers. A security incident or data breach that affects BOI and/or FinCEN Identifiers is highly likely to trigger notification and other obligations under U.S. state data breach laws and similar laws in foreign jurisdictions. The CTA is a new law, and insurance carriers may not yet have updated their policies or related materials.
  • Ensure that vendors engaged to assist with the CTA and FinCEN rules comply with data protection laws. This includes, for example, processing and disclosing PII only as directed; ensuring that data transfers comply with applicable laws; fulfilling their obligations as a data processor, service provider or contractor under data protection laws; implementing appropriate security measures to protect PII from cyberattacks; and purchasing cyber insurance that provides coverage for any security incident or data breach experienced by a vendor that affects BOI and FinCEN identifiers.



Lowenstein Sandler

Lowenstein Sandler is a national law firm with more than 350 lawyers working from five offices in New York, Palo Alto, Calif., New Jersey, Utah and Washington, D.C. They represent clients in many sectors of the global economy, with particular strength in the areas of technology, life sciences and investment funds.
