3. Data access
In the NPRM, FinCEN sets out proposed regulations regarding access to BOI which aim to ensure that:
(1) only authorized recipients have access to BOI; (2) authorized recipients use that access only for purposes permitted by the CTA; and (3) authorized recipients only re-disclose BOI in ways that balance protection of the security and confidentiality of the BOI with furtherance of the CTA's objective of making BOI available to a range of users for purposes specified in the CTA.
The proposed rule also notes the importance of efficiency in access, quoting Senator Brown, who encouraged FinCEN to “ensure that [F]ederal, [S]tate, local and tribal law enforcement can access the beneficial ownership database without excessive delays or red tape [...].”
As such, the business processes for accessing data should enable BOI to be, “obtained or accessed rapidly and efficiently by competent authorities,” as required by the FATF. This requirement applies to “all public authorities with designated responsibilities for combating money laundering and/or terrorist financing,” as well as to authorities at national level and others as appropriate in the course of public procurement. OO’s research on the use of BOI by FIUs and law enforcement agencies in investigations shows BOI is most useful when access is direct and unfiltered. For authorised domestic users, rapid and efficient access to BOI could be impeded by certain requirements currently being contemplated in the proposed rule. The official comment submitted by the FACT Coalition includes a detailed analysis and recommendations for how access can be improved. In addition, FinCEN should consider how to give access to public authorities at both the federal and state level in the course of public procurement as required by the FATF.
Furthermore, the access for financial institutions (FIs) as described in the NPRM risks falling short of the type of access they need to effectively meet their KYC and CDD obligations, according to OO’s research. To meaningfully assess risk, FIs will need to access BOI not just from the client company, but also companies and individuals within the broader ownership structure (for example, to comply with sanctions, as discussed below). In addition, CDD is not a one-off event but an ongoing process for FIs. FinCEN should bear this in mind when thinking about the business process for FI access to BOI. The consent from reporting entities as required by the CTA should be obtained in such a way that it minimises tip-off risks when FIs are investigating potential suspicious activity and transactions, for example by exploring the use of ZKPs. Access by regulated parties should also be considered jointly with their KYC and CDD requirements. As noted under the section on verification, requirements for any user of BOI to report errors and discrepancies can contribute to data accuracy. Discrepancy reporting allows private sector data users and the range of technologically advanced verification methods they use to play an active role in data verification.
Given the well-documented transnational nature of the illicit activities the CTA intends to curb and of the protection of national security, foreign authorities require rapid and efficient access to BOI. BOI has an important role to play in the enforcement of economic and financial sanctions. Under the type of provisions employed by the United States Office of Foreign Assets Control (OFAC) and many other authorities, sanctions apply not just to the entity itself, but also to all companies owned or controlled by that entity. This effectively makes visibility of full company structures and beneficial ownership an essential part of sanctions compliance and enforcement. Anonymously owned companies can be, and are, used to evade sanctions.
The proposed rule sets out access requirements for foreign entities seeking BOI for their investigations, who will be able to do so by requesting this information via an authorised US federal entity. However, they fall short of putting in place a legal framework for the access that foreign authorities may require to effectively use the data, such as specific timeframes for processing and responding to requests from foreign jurisdictions to authorised federal agencies. Furthermore, the provision for FinCEN to “directly receive, evaluate, and respond to requests for BOI from foreign financial intelligence units [FIUs],” contrasts with the requirements around access and controls for international requests made via other methods. In practice, the substantial differential in access requirements via these two mechanisms could mean that foreign BOI requests would largely be channelled via FIUs to FinCEN for its evaluation and response, increasing FinCEN’s workload. In addition, this is not a viable alternative to the efficient exchange of information between other authorities, as evidence exchanged through FIUs is not always admissible as evidence in court. This could lead to unnecessary delays that undermine international investigations.
To ensure BOI is most useful and usable, authorised users should be able to perform searches by a wide range of fields including name of the beneficial owner, name of the person making a statement, identification numbers (for example, a driver’s licence number), home address, company name, business address of the company, etc. To make BOI useful, authorised users should also be able to access historical data. A record of beneficial ownership can be seen as a ledger of information that builds up over time. New information about the ownership and control of a company supersedes older information as shares are sold, company rules are updated, and new companies are incorporated. This forms part of a well-designed BO declaration and storage system that allows for the sharing of both current and historical BOI. As with an accounting ledger, BOI needs to be recorded and organised in a way that makes accessing and understanding it as easy as possible. It should also enable queries to be made of historical information, such as: who the beneficial owners of a particular company were at a specific time, and what the company’s name was at that time if this has changed; whether one of those beneficial owners also owned other companies at that point in time; how that beneficial owner’s disclosed interests in the company changed over time; and whether those changes were reported within the legally-required timeframe.
The functionalities above require the collection of and access to structured data by authorised users, and in many cases users would also benefit from being able to access BOI in bulk. Bulk formats allow users such as FIUs, procurement agencies, and banks to apply new data analysis techniques to identify suspicious patterns of ownership or beneficial owners that appear on other datasets of interest. Bulk analysis of single or combined data sets will allow authorised users to find patterns or red flags relating to beneficial ownership, or to assess and improve data quality. This type of analysis is critical to employ the proactive verification mechanisms described above, and to use the BOI as a primary source of evidence in investigations.
In summary, rapid and efficient access for authorised domestic and foreign users, and prioritising usability of the data for domestic users, to the extent feasible within the prescribed privacy protections, will help maximise the impact that law enforcement and national security agencies can have in preventing and combating money laundering, terrorist financing, tax fraud, and other illicit activity, and in protecting national security.