18 • 2024

Is It Safe to Submit Residential Addresses to FinCEN as Part of Beneficial Ownership Information?

Since January 1, 2024, small businesses (“reporting companies”) have been submitting information about their beneficial owners to the Financial Crimes Enforcement Network (“FinCEN”). The submission of such beneficial ownership information (“BOI”) is required under the federal Corporate Transparency Act (“CTA”)[1] and FinCEN’s regulations implementing the CTA.[2] The BOI that must be filed with FinCEN by a reporting company includes, among other things, each beneficial owner’s[3] full legal name and residential street address.[4]

The whole point of the CTA is to ferret out “[i]llicit actors [who] frequently use corporate structures such as shell and front companies to obfuscate their identities and launder their ill-gotten gains through the U.S. financial system.”[5] But many millions of business entities are now required to report their BOI to FinCEN, and obviously only a very tiny fraction of those entities are illegitimate. And many companies are owned and operated by individuals, like high-profile celebrities, who have a legitimate reason to keep their residential street addresses from becoming a matter of public record.[6] Do such individuals have anything to fear when their companies report their residential street addresses to FinCEN as part of the companies’ BOI filings? They shouldn’t.

Like the Internal Revenue Service, FinCEN is a bureau of the U.S. Department of the Treasury. In the CTA, Congress strictly regulated the retention and disclosure of BOI by FinCEN. The CTA provides that BOI “shall be confidential” and may not be disclosed except as authorized by the CTA and the protocols promulgated by FinCEN under the CTA.[7] In general, the CTA permits disclosure of BOI by FinCEN only to specified law enforcement personnel for law enforcement purposes; to a financial institution, upon request and with the consent of the reporting company, to facilitate compliance with customer due diligence (“CDD”) requirements; or to a federal functional regulator to determine compliance with such CDD requirements.[8]

As required by the CTA, FinCEN has adopted a final rule (the “Access Rule”) providing for access to, and safeguards to protect, BOI filed with FinCEN.[9] The Access Rule prescribes the circumstances under which BOI reported to FinCEN may be disclosed to authorized BOI recipients and how it must be protected. Like the CTA itself, the Access Rule provides that BOI “is confidential” and may not be disclosed except as authorized under the CTA and the Access Rule.[10]

FinCEN is authorized to disclose BOI under specific circumstances to six categories of recipients: (1) U.S. Federal agencies for use in furtherance of national security, intelligence, or law enforcement activity; (2) U.S. State, local, and Tribal law enforcement agencies for use in criminal or civil investigations; (3) foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (“foreign requesters”) for use in furtherance of foreign national security, intelligence, or law enforcement activity; (4) financial institutions using BOI to facilitate compliance with CDD requirements under applicable law; (5) Federal functional regulators acting in a supervisory capacity assessing financial institutions for compliance with CDD requirements; and (6) Treasury officers and employees.[11] Authorized recipients of BOI from FinCEN are prohibited from further disclosing such BOI to any other person, and are required to use such BOI “only for the particular purpose or activity for which such information was disclosed,” except as otherwise permitted by the Access Rule.[12]

To access BOI, U.S. domestic agencies must establish, among other things, standards and procedures to protect the security and confidentiality of BOI, enter into an agreement with FinCEN specifying those standards and procedures, establish and maintain both auditable BOI request records and a secure system for storing BOI, restrict access to BOI, and provide FinCEN with certain reports and certifications.[13] Requests for BOI by domestic agencies must be limited in scope and made by a written certification to FinCEN, in the form and manner prescribed by FinCEN.[14] For example, a request for BOI by a U.S. State, local or Tribal agency must include a written certification that a court of competent jurisdiction has authorized the agency to seek the BOI in a criminal or civil investigation, and that the BOI is relevant to the investigation.[15]

Financial institutions that obtain BOI from FinCEN must also develop and implement administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of the BOI.[16] Financial institutions will be able to satisfy this requirement by applying to BOI the same information procedures that they already use to protect customers’ nonpublic personal information in compliance with section 501 of the Gramm-Leach-Bliley Act.[17] For each BOI request, the financial institution will have to certify that the request satisfies applicable criteria, including that the institution is requesting the BOI to facilitate its compliance with CDD requirements under applicable law.[18] Certain geographic restrictions will apply; for example, financial institutions shall not store BOI in, or make BOI available to persons physically located in, China or Russia.[19]

Finally, foreign requesters will have to request BOI under an international treaty, agreement, or convention and comply with all applicable handling, disclosure, and use requirements of the treaty, agreement, or convention under which the request was made.[20] Like domestic agencies, foreign requesters will have to establish standards and procedures to protect the security and confidentiality of BOI, maintain the BOI in a secure system, and restrict access to the BOI, among other requirements.[21]

These requirements are not without teeth. It is unlawful for any person to knowingly disclose or use BOI except as authorized by the CTA and the protocols established by the Access Rule.[22] The CTA provides for substantial civil and criminal penalties for unauthorized disclosure or use of BOI. The civil penalty is a fine of not more than $500 for each day that the violation continues or is not remedied.[23] The criminal penalties include a fine of not more than $250,000, or imprisonment for not more than 5 years, or both.[24] These hefty penalties should deter anyone from accessing BOI for the unauthorized purpose of finding out a celebrity’s residential street address.

[1] 31 U.S.C. § 5336.

[2] 31 C.F.R. § 1010.380.

[3] For a discussion of who qualifies as a “beneficial owner” of a reporting company, see eMinutes, “Updating Beneficial Ownership Information Previously Filed with FinCEN Will Require Vigilance” (Jan. 28, 2024).

[4] 31 U.S.C. § 5336(b)(2)(A)(iii); 31 C.F.R. § 1010.380(b)(1)(ii)(C)(2).

[5] FinCEN, Beneficial Ownership Information Reporting Requirements, 87 FR 59,498 (Sept. 30, 2022).

[6] See, e.g., eMinutes, How to Use a Delaware LLC to Safeguard Identity (July 20, 2016).

[7] 31 U.S.C. § 5336(c)(2)(A), (3).

[8] Id. § 5336(c)(2)(B), (C).

[9] The text of the Access Rule is codified at 31 C.F.R. § 1010.955. For more information from FinCEN about the Access Rule, see FinCEN, Beneficial Ownership Information Access and Safeguards, 88 FR 88,732 (Dec. 22, 2023); FinCEN, Fact Sheet: Beneficial Ownership Information Access and Safeguards Final Rule (Dec. 21, 2023); FinCEN, Small Entity Compliance Guide for Beneficial Ownership Information Access and Safeguards Requirements v. 1.0 (Feb. 2024).

[10] 31 C.F.R. § 1010.955(a).

[11] Id. § 1010.955(b)(1)-(5).

[12] Id. § 1010.955(c)(1), (2).

[13] Id. § 1010.955(d)(1)(i).

[14] Id. § 1010.955(d)(1)(ii).

[15] Id. § 1010.955(d)(1)(ii)(B)(2).

[16] Id. § 1010.955(d)(2)(ii).

[17] Id. § 1010.955(d)(2)(ii)(A)(1). Section 501 of the Gramm-Leach-Bliley Act requires financial institutions to protect customer records and information from unauthorized access, use, or disclosure. 15 U.S.C. § 6801.

[18] 31 C.F.R. § 1010.955(d)(2)(iv).

[19] Id. § 1010.955(d)(2)(i).

[20] Id. § 1010.955(d)(3)(i).

[21] Id. § 1010.955(d)(3)(ii).

[22] Id. § 1010.955(f); 31 U.S.C. § 5336(c)(4).

[23] 31 U.S.C. § 5336(h)(3)(B)(i).

[24] Id. § 5336(h)(3)(B)(ii)(I). There are also enhanced criminal penalties of a fine of up to $500,000, imprisonment for not more than 10 years, or both, if the CTA is violated while violating another U.S. law or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period. Id. § 5336(h)(3)(B)(ii)(II).