United States: Reporting Companies Under The Corporate Transparency Act Beware: Using Service Providers To Comply Creates New Data Privacy Risk

The Corporate Transparency Act (CTA), which became effective on January 1, requires that U.S. and foreign companies authorized to do business in the U.S. (each, a Reporting Company) report specific personal information regarding their beneficial owners¹ (beneficial ownership information, or BOI) to the U.S. Department of the Treasury Financial Crimes Enforcement Network (FinCEN) via the Beneficial Ownership Secured System (BOSS) unless an exemption applies. FinCEN has issued a series of rules² that specify Reporting Company obligations under the CTA, govern access to BOI, and revise customer due diligence rules (the latter is slated for issuance in 2024) (collectively, the FinCEN Rules).

BOI, FinCEN Identifiers, and Data Protection Laws

• Beneficial Ownership Information: BOI includes not only personal information such as legal name, date of birth, and complete current address of a potentially large group of individuals for each Reporting Company but also sensitive personal information that requires enhanced privacy and security measures under state, federal, or foreign data privacy and cybersecurity laws (Data Protection Laws). Specifically, the unique identification numbers from drivers' licenses, passports, or similar government-issued photo identification documents, as well as photos (images) of the documents, are highly likely to be viewed as sensitive personal information (Sensitive PII) under current Data Protection Laws in California, Virginia, Colorado, Connecticut, and Utah, and the Texas Data Privacy and Security Act (effective July 1). Depending on a Reporting Company's business, industry, and geographic locations, BOI (including sensitive elements) may also be regulated by sector-specific federal laws (applicable, for example, to health care or financial services), regional regulations (such as the General Data Protection Regulation in the European Union), and/or other Data Protection Laws. To comply with the CTA, Reporting Companies will need to collect, process, and report BOI shortly after the company's formation³ and thereafter whenever any information on a BOSS filing changes (e.g., a photo identification document expires or a home address changes).
• FinCEN Identifiers: Pursuant to the CTA, upon request by a beneficial owner, a company applicant (i.e., the individual who directly files the document creating the domestic Reporting Company), or a Reporting Company, FinCEN may assign a numeric identifier (FinCEN Identifier) to each natural person or entity. Company applicants and beneficial owners must provide FinCEN with the same BOI to be eligible for a FinCEN Identifier. FinCEN cannot issue more than one FinCEN Identifier to the same individual or entity (including any successor entities). Reporting Companies may report FinCEN Identifiers instead of BOI for each beneficial owner, and company applicants may also use their own FinCEN Identifiers to avoid repeatedly providing BOI. On November 7, 2023, FinCEN issued a final rule clarifying the criteria that must be met for a Reporting Company to use a FinCEN Identifier for an intermediate entity in lieu of BOI, and additional regulations are anticipated in 2024.
• Data Protection Laws: BOI and FinCEN Identifiers are highly likely to constitute PII when collected or processed by Reporting Companies and the service providers, vendors, and consultants (Service Providers) engaged by Reporting Companies to assist with CTA compliance (CTA Services). The CTA and the FinCEN Rules create an opportunity for existing Service Providers to expand their offerings and incentivize early-stage companies and startups to pivot and enter the new market. Service Providers that market or provide CTA Services frequently lack the robust privacy and cybersecurity infrastructure and technology platform necessary to protect and secure BOI (including Sensitive PII) as required by Data Protection Laws, leaving the Reporting Companies exposed to enhanced regulatory, legal, and commercial risks.
  

What Should Reporting Companies Do Now?

Reporting Companies are responsible for compliance with Data Protection Laws and for ensuring that Service Providers comply as well. It's essential that Reporting Companies (1) establish internal and external processes to identify BOI and FinCEN Identifiers as PII, regardless of the source; (2) evaluate the PII and determine applicable Data Protection Laws; and (3) integrate the PII into legally compliant data protection programs.

Reporting Companies should revisit their current selection and vetting process for Service Providers to include the capability to identify, evaluate, and integrate BOI and FinCEN Identifiers as PII. This includes, as applicable, providing enhanced data privacy and security measures to protect Sensitive PII. Service Providers should demonstrate their CTA resources, including relevant technology, processes, and procedures. Extra caution is advisable when Reporting Companies are urged to become "early adopters" or Service Providers emphasize the competitive nature of pricing options.

In addition to the foregoing, Reporting Companies should ensure that CTA Services are not provided (and Service Providers are not compensated) unless an agreement is in place that contractually requires Service Providers to (i) comply with Data Protection Laws applicable to the PII (specifically including BOI and FinCEN Identifiers); (ii) allow annual audits by the Reporting Company or its designee; and (iii) purchase cyber insurance that provides coverage for any security incident or data breach that affects BOI and/or FinCEN Identifiers.

Footnotes

1 "Beneficial owners" means persons who incorporated or formed a company, who own 25 percent or more of a company, and who exert substantial control over a company.

2 The Final Beneficial Ownership Information Reporting Rule, which became effective on January 1; the Final Rule on Access to Beneficial Ownership Information, which becomes effective on February 20; and a third major rule slated to be issued by FinCEN in 2024 to revise its Customer Due Diligence Rule.

3 In 2024, any company incorporated, formed, or authorized to do business in any U.S. state, territory, or tribal land by filing a document with a U.S. state secretary of state or similar authority will have 90 days to make its initial BOSS filing unless an exemption applies. For 2025 and beyond, this timeline is reduced to 30 days.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.