[Federal Register Volume 88, Number 176 (Wednesday, September 13, 2023)]
[Notices]
[Pages 62889-62892]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-19814]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network


Privacy Act of 1974; System of Records

AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, FinCEN 
is proposing to establish a new system of records titled Treasury/
FinCEN .004 for information collected by FinCEN in connection with the 
implementation of the Corporate Transparency Act (CTA). The CTA 
requires certain entities to report to FinCEN identifying information 
associated with the entities themselves, their beneficial owners, and 
their company applicants (together, beneficial ownership information or 
BOI). The CTA also authorizes FinCEN to disclose BOI to authorized 
recipients, subject to strict protocols on security and 
confidentiality.

DATES: This action will be effective without further notice on October 
13, 2023 unless it is modified in response to comments. Comments must 
be submitted by [the aforementioned date].


ADDRESSES: Comments may be submitted by any of the following methods:
     - Federal E-rulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     - Mail: Policy Division, Financial Crimes Enforcement 
Network, P.O. Box 39, Vienna, VA 22183.
    All comments received, including attachments and other supporting 
documents, are part of the public records and subject to public 
disclosure. All comments received will be posted without change to 
www.regulations.gov, including any personal information provided. You 
should submit only information that you wish to make publicly 
available.

FOR FURTHER INFORMATION CONTACT: The FinCEN Regulatory Support Section 
at 1-800-767-2825 or electronically at https://www.fincen.gov/contact.

SUPPLEMENTARY INFORMATION: The CTA \1\ establishes beneficial ownership 
information (BOI) reporting requirements for certain corporations, 
limited liability companies, and other entities created in or 
registered to do business in the United States. Collection and 
disclosure of BOI will facilitate important national security, 
intelligence, and law enforcement activities, and help prevent 
criminals, terrorists, proliferators, and other actors from abusing 
corporate structures to hide illicit proceeds in the United States. 
Specifically, the CTA authorizes FinCEN to collect and maintain BOI,\2\ 
and requires the Secretary of the Treasury \3\ (Secretary) to establish 
by regulation protocols to protect the security and confidentiality of 
BOI.\4\ The CTA also authorizes FinCEN to disclose BOI to authorized 
governmental authorities and financial institutions, subject to 
effective safeguards and controls, and requires the Secretary to issue 
regulations regarding access to BOI by those authorized users.\5\ 
Finally, the CTA requires FinCEN to maintain BOI for a specified period 
of time.\6\
---------------------------------------------------------------------------

    \1\ The CTA is Title LXIV of the William M. (Mac) Thornberry 
National Defense Authorization Act for Fiscal Year 2021, Public Law 
116-283 (Jan. 1, 2021). Division F of the NDAA is the AML Act, which 
includes the CTA.
    \2\ Section 6403 of the CTA, among other things, amends the Bank 
Secrecy Act (BSA) by adding a new section 5336, Beneficial Ownership 
Information Reporting Requirements, to subchapter II of chapter 53 
of title 31, United States Code.
    \3\ The authority of the Secretary to administer the BSA was 
delegated to the Director of FinCEN. Treasury Order 180-01 (Jan. 14, 
2020).
    \4\ 31 U.S.C. 5336(c)(8).
    \5\ 31 U.S.C. 5336(c).
    \6\ 31 U.S.C. 5336(c)(1).
---------------------------------------------------------------------------

    On September 30, 2022, FinCEN issued the final rule establishing 
BOI reporting requirements (the Reporting Rule),\7\ which will be 
effective on January 1, 2024. The Reporting Rule requires certain 
entities (reporting companies) to report to FinCEN information about 
themselves, as well as information about two categories of individuals: 
(1) the beneficial owners of the reporting company; and (2) the company 
applicants, who are the individuals who filed a document to create the 
reporting company or register it to do business in the United States. 
When submitting the required information to FinCEN, reporting companies 
must file a Beneficial Ownership Information Report (BOIR). They must 
also file an updated BOIR to reflect any changes to required 
information previously submitted to FinCEN. Additionally, for purposes 
of BOI reporting, an individual or a reporting company may obtain a 
FinCEN identifier (FinCEN ID). Generally, a FinCEN ID associated with 
an individual can be used in lieu of the information required to be 
reported about that individual, and the FinCEN ID associated with a 
reporting company can be used in lieu of certain information that would 
otherwise have to be reported about that company.
---------------------------------------------------------------------------

    \7\ FinCEN, Beneficial Ownership Information Reporting 
Requirements, 87 FR 59498 (Sept. 30, 2022), available at https://www.federalregister.gov/documents/2022/09/30/2022-21020/beneficial-ownership-information-reporting-requirements.
---------------------------------------------------------------------------

    To collect and maintain BOI, FinCEN will utilize a secure, non-
public database that employs methods and controls typically used by the 
Federal government to protect non-classified but sensitive information 
systems at the highest Federal Information Security Management Act 
(FISMA) \8\ level--FISMA High.\9\ The rating carries with it a 
requirement to implement certain baseline controls to protect the 
relevant information.\10\ In addition to information technology 
protection, FinCEN has operational, management, and physical controls 
for the handling and protection of records. Furthermore, access to BOI 
reported to FinCEN pursuant to the Reporting Rule will be governed by 
regulations specifically pertaining to BOI access and safeguards, 
including security and confidentiality.\11\ These regulations aim to 
ensure that only authorized recipients have access to BOI and that 
access is used only for purposes permitted by the CTA.
---------------------------------------------------------------------------

    \8\ 44 U.S.C. 3541 et seq.
    \9\ U.S. Department of Commerce, Federal Information Processing 
Standards Publication: Standards for Security Categorization of 
Federal Information and Information Systems (FIPS Pub 199) (Feb. 
2004), available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf.
    \10\ Id.
    \11\ FinCEN issued a notice of proposed rulemaking for the 
Access Rule. FinCEN, Beneficial Ownership Information Access and 
Safeguards, and Use of FinCEN Identifiers for Entities, 87 FR 77404 
(Dec. 16, 2022), available at https://www.federalregister.gov/documents/2022/12/16/2022-27031/beneficial-ownership-information-access-and-safeguards-and-use-of-fincen-identifiers-for-entities.

    Dated: August 25, 2023.
Ryan Law,
Deputy Assistant Secretary for Privacy, Transparency, and Records.

SYSTEM NAME AND NUMBER:
    Treasury/FinCEN .004 Beneficial Ownership Information System.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Financial Crimes Enforcement Network (FinCEN), 1801 L Street NW, 
Washington, DC and Amazon Web Services, Headquarters Address: 410 Terry 
Ave. N, Seattle, WA 98109 (third-party vendor).

SYSTEM MANAGER:
    Deputy Director, Financial Crimes Enforcement Network, P.O. Box 39, 
Vienna, VA 22183-0039.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The system is established and maintained in accordance with 31 
U.S.C. 5336; 31 CFR Chapter X; and Treasury Order 180-01.

PURPOSE OF THE SYSTEM:
    The purpose of this system is to collect, maintain, safeguard, and 
disclose BOI as permitted or required by the CTA and its implementing 
regulations.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    There are three categories of individuals covered by this system: 
(1) individuals whose information is reported to FinCEN through BOIRs; 
(2) individuals who request FinCEN IDs; and (3) individuals who submit 
BOIRs to FinCEN.
    The first category of individuals whose information will be 
included in the system are individuals reported either as "beneficial 
owners" or "company applicants" of reporting companies.\12\ Subject 
to certain exemptions, a beneficial owner is any individual who, 
directly or indirectly, exercises substantial control 
over a reporting company or owns or controls at least 25 percent of the 
ownership interests of a reporting company. In the case of a domestic 
reporting company, a company applicant is the individual who directly 
files the document that forms the entity, or in the case of a foreign 
reporting company, who directly files the document that first registers 
the entity to do business in the United States. If more than one person 
is involved in the filing of the document, whether for a domestic or a 
foreign reporting company, the individual who is primarily responsible 
for directing or controlling the filing is also a company applicant.
---------------------------------------------------------------------------

    \12\ FinCEN, Beneficial Ownership Information Reporting 
Requirements, 87 FR 59498, 59593 (Sept. 30, 2022), available at 
https://www.federalregister.gov/documents/2022/09/30/2022-21020/beneficial-ownership-information-reporting-requirements.
---------------------------------------------------------------------------

    The second category of individuals whose information will be 
included in the system are individuals who apply for a FinCEN ID. In 
order to obtain and retain a FinCEN ID, individuals will have to report 
certain information about themselves.
    Finally, the third category of individuals whose information will 
be included in the system are individuals who submit the BOIR on behalf 
of the reporting company. Some identifiable information about those 
individuals will be included in the system by virtue of their 
interactions with the IT system.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records consist of (1) information submitted to FinCEN in BOIRs and 
FinCEN ID requests; (2) information submitted to FinCEN by and about 
individuals that submit BOIRs on behalf of a reporting company; and (3) 
information that FinCEN obtains from federal government agencies and 
commercial vendors for purposes of data quality assurance and 
enhancement, such as standardizing addresses and other information 
submitted in BOIRs and FinCEN ID requests.
    Records include, but may not be limited to, the following 
information, which is being collected either pursuant to the CTA or as 
needed to administer the BOI System.
     - full legal names,
     - dates of birth,
     - residential and business addresses,
     - unique identifying numbers from one of the following:
         - State-issued driver's license,
         - U.S. or foreign passport,
         - State/local/Tribal-issued identification,
     - images of identification documents containing these 
numbers,
     - FinCEN ID numbers, and
     - email addresses, as needed to administer the BOI System.

RECORD SOURCE CATEGORIES:
    Records in the BOI system may be provided by individuals and 
entities. In addition to information provided in a BOIR about a 
reporting company's beneficial owners or company applicants, 
individuals submitting BOIRs on behalf of reporting companies will 
provide limited information about themselves. Individuals applying for 
FinCEN IDs will provide information about themselves. Commercial 
vendors and federal government agencies will provide data quality 
assurance and enhancement information that covers the same categories 
of information as that provided by individuals and reporting companies.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    Records in this system may be used to:
    (1) Disclose information to the United States Department of Justice 
(DOJ) for the purpose of providing representation or legal advice in 
anticipation of, or in connection with, a proceeding before a court, 
adjudicative body, or other administrative body, when such proceeding 
involves: (a) Treasury or any bureau or office thereof; (b) any 
employee of Treasury in their official capacity; (c) any employee of 
Treasury in their individual capacity where DOJ or Treasury has agreed 
to represent the employee; or (d) the United States, if the use of such 
information by DOJ is deemed by DOJ or Treasury to be relevant and 
necessary and provided that the disclosure is compatible with the 
purpose for which information was collected;
    (2) Disclose information in furtherance of national security, 
intelligence, or law enforcement activity by Federal agencies engaged 
in such activities, consistent with 31 U.S.C. 5336(c)(2)(B)(i)(I);
    (3) Disclose information for use in criminal or civil 
investigations by State, local, and Tribal law enforcement agencies, 
consistent with 31 U.S.C. 5336(c)(2)(B)(i)(II);
    (4) Disclose information to Federal agencies that have submitted 
requests on behalf of foreign law enforcement agencies, prosecutors, 
and judges, including foreign central authorities or competent 
authorities, consistent with 31 U.S.C. 5336(c)(2)(B)(ii);
    (5) Disclose information to financial institutions, consistent with 
31 U.S.C. 5336(c)(2)(B)(iii) and (C);
    (6) Disclose information to Federal functional regulators and other 
appropriate regulatory agencies, consistent with 31 U.S.C. 
5336(c)(2)(B)(iv) and (C);
    (7) Disclose information to Treasury officers, employees, 
contractors, or agents for their official duties, including tax 
administration purposes, consistent with 31 U.S.C. 5336(c)(5);
    (8) Disclose to appropriate agencies, entities, and persons when 
(1) FinCEN suspects or has confirmed that there has been a breach of 
the system of records, (2) FinCEN has determined that as a result of 
the suspected or confirmed breach there is a risk of harm to 
individuals, FinCEN (including its information systems, programs, and 
operations), the Federal Government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with FinCEN efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm;
    (9) Disclose information to another Federal agency or Federal 
entity, when FinCEN determines that information from this system of 
records is reasonably necessary to assist the recipient agency or 
entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach;
    (10) Disclose information to student volunteers and other 
individuals not having the status of agency employees, if they need 
access to the information to perform services as authorized under law 
relating to the official programs and operations of FinCEN. Individuals 
provided records under this routine use are subject to the same 
requirements and limitations on disclosure as are applicable to FinCEN 
officers and employees; and
    (11) To the extent permitted and required by law, disclose 
information to the National Archives and Records Administration 
Archivist (or the Archivist's designee) pursuant to records management 
inspections being conducted under the authority of 44 U.S.C. 2904 and 
2906.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    FinCEN maintains records in this system in security controlled 
physical locations, using information technology that follows federal 
information security standards and directives.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records collected in the system are accessible, for authorized 
purposes, to various categories of recipients described above in the 
"Routine Uses of Records" section. Users will be able to retrieve 
these records by name or other unique identifier.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    FinCEN maintains records in this system in a secure IT system 
following federal information security standards and directives and in 
security controlled physical locations. FinCEN ID application records 
will be retained for at least five (5) years after every reporting 
company to which the FinCEN ID is applied terminates. Pursuant to the 
CTA, BOIR records will be retained for at least five (5) years after 
the reporting company terminates.\13\ Records will be disposed of in 
accordance with the requirements of the CTA, the Federal Records 
Act,\14\ and applicable record retention schedules.
---------------------------------------------------------------------------

    \13\ 31 U.S.C. 5336(c)(1).
    \14\ See 44 U.S.C. Ch. 31.
---------------------------------------------------------------------------

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    FinCEN safeguards BOI records in this system in accordance with 
applicable rules and policies, including all applicable Treasury 
information systems security and access policies. FinCEN imposes strict 
controls to minimize the risk of compromising the information that is 
being stored. Access to the records in this system is limited to those 
individuals who have appropriate permissions. User activity is recorded 
by the system for audit purposes. Electronic records are encrypted at 
rest and in transit. Records are maintained in buildings subject to 24-
hour security.

RECORD ACCESS PROCEDURES:
    This system is exempt from notification requirements, record access 
requirements, and requirements that an individual be permitted to 
contest its contents, pursuant to the provisions of 5 U.S.C. 552a(j)(2) 
and (k)(2).

CONTESTING RECORD PROCEDURES:
    This system is exempt from notification requirements, record access 
requirements, and requirements that an individual be permitted to 
contest its contents, pursuant to the provisions of 5 U.S.C. 552a(j)(2) 
and (k)(2).

NOTIFICATION PROCEDURES:
    This system is exempt from notification requirements, record access 
requirements, and requirements that an individual be permitted to 
contest its contents, pursuant to the provisions of 5 U.S.C. 
552a(j)(2) and (k)(2).

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    This system is exempt from 5 U.S.C. 552a(c)(3), (c)(4), (d)(1), 
(d)(2), (d)(3), (d)(4), (e)(1), (e)(2), (e)(4)(G), (e)(4)(H), (e)(5), 
(e)(8), (f), and (g) of the Privacy Act pursuant to 5 U.S.C. 
552a(j)(2) and (k)(2). See 31 CFR 1.36.

HISTORY:
    None.

[FR Doc. 2023-19814 Filed 9-12-23; 8:45 am]