2023-19814. Privacy Act of 1974; System of Records  


    AGENCY:

    Financial Crimes Enforcement Network (FinCEN), Treasury.

    ACTION:

    Notice of a new system of records.

    SUMMARY:

    In accordance with the Privacy Act of 1974, as amended, FinCEN is proposing to establish a new system of records titled Treasury/FinCEN .004 for information collected by FinCEN in connection with the implementation of the Corporate Transparency Act (CTA). The CTA requires certain entities to report to FinCEN identifying information associated with the entities themselves, their beneficial owners, and their company applicants (together, beneficial ownership information or BOI). The CTA also authorizes FinCEN to disclose BOI to authorized recipients, subject to strict protocols on security and confidentiality.

    DATES:

    This action will be effective without further notice on October 13, 2023 unless it is modified in response to comments. Comments must be submitted by [the aforementioned date].


    ADDRESSES:

    Comments may be submitted by any of the following methods:

    Federal E-rulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments.

    Mail: Policy Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183.

    All comments received, including attachments and other supporting documents, are part of the public records and subject to public disclosure. All comments received will be posted without change to www.regulations.gov, including any personal information provided. You should submit only information that you wish to make publicly available.


    FOR FURTHER INFORMATION CONTACT:

    The FinCEN Regulatory Support Section at 1–800–767–2825 or electronically at https://www.fincen.gov/contact.


    SUPPLEMENTARY INFORMATION:

    The CTA [1] establishes beneficial ownership information (BOI) reporting requirements for certain corporations, limited liability companies, and other entities created in or registered to do business in the United States. Collection and disclosure of BOI will facilitate important national security, intelligence, and law enforcement activities, and help prevent criminals, terrorists, proliferators, and other actors from abusing corporate structures to hide illicit proceeds in the United States. Specifically, the CTA authorizes FinCEN to collect and maintain BOI,[2] and requires the Secretary of the Treasury [3] (Secretary) to establish by regulation protocols to protect the security and confidentiality of BOI.[4] The CTA also authorizes FinCEN to disclose BOI to authorized governmental authorities and financial institutions, subject to effective safeguards and controls, and requires the Secretary to issue regulations regarding access to BOI by those authorized users.[5] Finally, the CTA requires FinCEN to maintain BOI for a specified period of time.[6]

    On September 30, 2022, FinCEN issued the final rule establishing BOI reporting requirements (the Reporting Rule),[7] which will be effective on January 1, 2024. The Reporting Rule requires certain entities (reporting companies) to report to FinCEN information about themselves, as well as information about two categories of individuals: (1) the beneficial owners of the reporting company; and (2) the company applicants, who are the individuals who filed a document to create the reporting company or register it to do business in the United States. When submitting the required information to FinCEN, reporting companies must file a Beneficial Ownership Information Report (BOIR). They must also file an updated BOIR to reflect any changes to required information previously submitted to FinCEN. Additionally, for purposes of BOI reporting, an individual or a reporting company may obtain a FinCEN identifier (FinCEN ID). Generally, a FinCEN ID associated with an individual can be used in lieu of the information required to be reported about that individual, and the FinCEN ID associated with a reporting company can be used in lieu of certain information that would otherwise have to be reported about that company.

    To collect and maintain BOI, FinCEN will utilize a secure, non-public database that employs methods and controls typically used by the Federal government to protect non-classified but sensitive information systems at the highest Federal Information Security Management Act (FISMA) [8] level—FISMA High.[9] The rating carries with it a requirement to implement certain baseline controls to protect the relevant information.[10] In addition to information technology protection, FinCEN has operational, management, and physical controls for the handling and protection of records. Furthermore, access to BOI reported to FinCEN pursuant to the Reporting Rule will be governed by regulations specifically pertaining to BOI access and safeguards, including security and confidentiality.[11] These regulations aim to ensure that only authorized recipients have access to BOI and that access is used only for purposes permitted by the CTA.


    Dated: August 25, 2023.

    Ryan Law,

    Deputy Assistant Secretary for Privacy, Transparency, and Records.


    SYSTEM NAME AND NUMBER:

    Treasury/FinCEN .004 Beneficial Ownership Information System.

    SECURITY CLASSIFICATION:

    Unclassified.

    SYSTEM LOCATION:

    Financial Crimes Enforcement Network (FinCEN), 1801 L Street NW, Washington, DC and Amazon Web Services, Headquarters Address: 410 Terry Ave. N, Seattle, WA 98109 (third-party vendor).

    SYSTEM MANAGER:

    Deputy Director, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183–0039.

    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

    The system is established and maintained in accordance with 31 U.S.C. 5336; 31 CFR Chapter X; and Treasury Order 180–01.

    PURPOSE OF THE SYSTEM:

    The purpose of this system is to collect, maintain, safeguard, and disclose BOI as permitted or required by the CTA and its implementing regulations.

    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

    There are three categories of individuals covered by this system: (1) individuals whose information is reported to FinCEN through BOIRs; (2) individuals who request FinCEN IDs; and (3) individuals who submit BOIRs to FinCEN.

    The first category of individuals whose information will be included in the system are individuals reported either as “beneficial owners” or “company applicants” of reporting companies.[12] Subject to certain exemptions, a beneficial owner is any individual who, directly or indirectly, exercises substantial control over a reporting company or owns or controls at least 25 percent of the ownership interests of a reporting company. In the case of a domestic reporting company, a company applicant is the individual who directly files the document that forms the entity, or in the case of a foreign reporting company, who directly files the document that first registers the entity to do business in the United States. If more than one person is involved in the filing of the document, whether for a domestic or a foreign reporting company, the individual who is primarily responsible for directing or controlling the filing is also a company applicant.

    The second category of individuals whose information will be included in the system are individuals who apply for a FinCEN ID. In order to obtain and retain a FinCEN ID, individuals will have to report certain information about themselves.

    Finally, the third category of individuals whose information will be included in the system are individuals who submit the BOIR on behalf of the reporting company. Some identifiable information about those individuals will be included in the system by virtue of their interactions with the IT system.

    CATEGORIES OF RECORDS IN THE SYSTEM:

    Records consist of (1) information submitted to FinCEN in BOIRs and FinCEN ID requests; (2) information submitted to FinCEN by and about individuals that submit BOIRs on behalf of a reporting company; and (3) information that FinCEN obtains from federal government agencies and commercial vendors for purposes of data quality assurance and enhancement, such as standardizing addresses and other information submitted in BOIRs and FinCEN ID requests.

    Records include, but may not be limited to, the following information, which is being collected either pursuant to the CTA or as needed to administer the BOI System.

    • full legal names,
    • dates of birth,
    • residential and business addresses,
    • unique identifying numbers from one of the following:
        ○ State-issued driver's license,
        ○ U.S. or foreign passport,
        ○ State/local/Tribal-issued identification,
    • images of identification documents containing these numbers,
    • FinCEN ID numbers, and
    • email addresses, as needed to administer the BOI System.

    RECORD SOURCE CATEGORIES:

    Records in the BOI system may be provided by individuals and entities. In addition to information provided in a BOIR about a reporting company's beneficial owners or company applicants, individuals submitting BOIRs on behalf of reporting companies will provide limited information about themselves. Individuals applying for FinCEN IDs will provide information about themselves. Commercial vendors and federal government agencies will provide data quality assurance and enhancement information that covers the same categories of information as that provided by individuals and reporting companies.

    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

    Records in this system may be used to:

    (1) Disclose information to the United States Department of Justice (DOJ) for the purpose of providing representation or legal advice in anticipation of, or in connection with, a proceeding before a court, adjudicative body, or other administrative body, when such proceeding involves: (a) Treasury or any bureau or office thereof; (b) any employee of Treasury in their official capacity; (c) any employee of Treasury in their individual capacity where DOJ or Treasury has agreed to represent the employee; or (d) the United States, if the use of such information by DOJ is deemed by DOJ or Treasury to be relevant and necessary and provided that the disclosure is compatible with the purpose for which information was collected;

    (2) Disclose information in furtherance of national security, intelligence, or law enforcement activity by Federal agencies engaged in such activities, consistent with 31 U.S.C. 5336(c)(2)(B)(i)(I);

    (3) Disclose information for use in criminal or civil investigations by State, local, and Tribal law enforcement agencies, consistent with 31 U.S.C. 5336(c)(2)(B)(i)(II);

    (4) Disclose information to Federal agencies that have submitted requests on behalf of foreign law enforcement agencies, prosecutors, and judges, including foreign central authorities or competent authorities, consistent with 31 U.S.C. 5336(c)(2)(B)(ii);

    (5) Disclose information to financial institutions, consistent with 31 U.S.C. 5336(c)(2)(B)(iii) and (C);

    (6) Disclose information to Federal functional regulators and other appropriate regulatory agencies, consistent with 31 U.S.C. 5336(c)(2)(B)(iv) and (C);

    (7) Disclose information to Treasury officers, employees, contractors, or agents for their official duties, including tax administration purposes, consistent with 31 U.S.C. 5336(c)(5);

    (8) Disclose to appropriate agencies, entities, and persons when (1) FinCEN suspects or has confirmed that there has been a breach of the system of records, (2) FinCEN has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, FinCEN (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with FinCEN efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm;

    (9) Disclose information to another Federal agency or Federal entity, when FinCEN determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach;

    (10) Disclose information to student volunteers and other individuals not having the status of agency employees, if they need access to the information to perform services as authorized under law relating to the official programs and operations of FinCEN. Individuals provided records under this routine use are subject to the same requirements and limitations on disclosure as are applicable to FinCEN officers and employees; and

    (11) To the extent permitted and required by law, disclose information to the National Archives and Records Administration Archivist (or the Archivist's designee) pursuant to records management inspections being conducted under the authority of 44 U.S.C. 2904 and 2906.

    POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

    FinCEN maintains records in this system in security controlled physical locations, using information technology that follows federal information security standards and directives.

    POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

    Records collected in the system are accessible, for authorized purposes, to various categories of recipients described above in the “Routine Uses of Records” section. Users will be able to retrieve these records by name or other unique identifier.

    POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

    FinCEN maintains records in this system in a secure IT system following federal information security standards and directives and in security controlled physical locations. FinCEN ID application records will be retained for at least five (5) years after every reporting company to which the FinCEN ID is applied terminates. Pursuant to the CTA, BOIR records will be retained for at least five (5) years after the reporting company terminates.[13] Records will be disposed of in accordance with the requirements of the CTA, the Federal Records Act,[14] and applicable record retention schedules.

    ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

    FinCEN safeguards BOI records in this system in accordance with applicable rules and policies, including all applicable Treasury information systems security and access policies. FinCEN imposes strict controls to minimize the risk of compromising the information that is being stored. Access to the records in this system is limited to those individuals who have appropriate permissions. User activity is recorded by the system for audit purposes. Electronic records are encrypted at rest and in transit. Records are maintained in buildings subject to 24-hour security.

    RECORD ACCESS PROCEDURES:

    This system is exempt from notification requirements, record access requirements, and requirements that an individual be permitted to contest its contents, pursuant to the provisions of 5 U.S.C. 552a(j)(2) and (k)(2).

    CONTESTING RECORD PROCEDURES:

    This system is exempt from notification requirements, record access requirements, and requirements that an individual be permitted to contest its contents, pursuant to the provisions of 5 U.S.C. 552a(j)(2) and (k)(2).

    NOTIFICATION PROCEDURES:

    This system is exempt from notification requirements, record access requirements, and requirements that an individual be permitted to contest its contents, pursuant to the provisions of 5 U.S.C. 552a(j)(2), and (k)(2).

    EXEMPTIONS PROMULGATED FOR THE SYSTEM:

    This system is exempt from 5 U.S.C. 552a(c)(3), (c)(4), (d)(1), (d)(2), (d)(3), (d)(4), (e)(1), (e)(2), (e)(4)(G), (e)(4)(H), (e)(5), (e)(8), (f), and (g) of the Privacy Act pursuant to 5 U.S.C. 552a(j)(2), and (k)(2). See 31 CFR 1.36.

    HISTORY:

    None.


    Footnotes

    1.  The CTA is Title LXIV of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Public Law 116–283 (Jan. 1, 2021). Division F of the NDAA is the AML Act, which includes the CTA.


    2.  Section 6403 of the CTA, among other things, amends the Bank Secrecy Act (BSA) by adding a new section 5336, Beneficial Ownership Information Reporting Requirements, to subchapter II of chapter 53 of title 31, United States Code.


    3.  The authority of the Secretary to administer the BSA was delegated to the Director of FinCEN. Treasury Order 180–01 (Jan. 14, 2020).


    9.  U.S. Department of Commerce, Federal Information Processing Standards Publication: Standards for Security Categorization of Federal Information and Information Systems (FIPS Pub 199) (Feb. 2004), available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf.


    10.   Id.


    11.  FinCEN issued a notice of proposed rulemaking for the Access Rule. FinCEN, Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities, 87 FR 77404 (Dec. 16, 2022), available at https://www.federalregister.gov/documents/2022/12/16/2022-27031/beneficial-ownership-information-access-and-safeguards-and-use-of-fincen-identifiers-for-entities.


    14.   See 44 U.S.C. Ch. 31.


    [FR Doc. 2023–19814 Filed 9–12–23; 8:45 am]

    BILLING CODE 4810–02–P

Document Information

Effective Date:
10/13/2023
Published:
09/13/2023
Department:
Financial Crimes Enforcement Network
Entry Type:
Notice
Action:
Notice of a new system of records.
Document Number:
2023-19814
Dates:
This action will be effective without further notice on October 13, 2023 unless it is modified in response to comments. Comments must be submitted by [the aforementioned date].
Pages:
62889-62892 (4 pages)
PDF File:
2023-19814.pdf