Oh B.O.I., oh B.O.I.
FinCEN's new Beneficial Ownership Information database for U.S. companies is an unprecedented dragnet of personally identifiable information, ensnaring millions of individuals who own U.S. companies.
On 1 January 2024, new rules will kick in that implement the provisions of the 2020 Corporate Transparency Act (CTA)1 creating a centralized database with details of beneficial owners of companies in the U.S.
In what follows, we first summarize the Final Rule as published on 30 September 2022 and FinCEN’s justification for the new regime.
We then establish what practically needs done by owners and controllers of U.S. entities or their filing agents, followed by a discussion of some comments on the final rule made during the public consultation period.
We close with a thought on how blockchains would have allowed for an alternative solution that would be entirely non-intrusive, self-sovereign and non-hackable, but was alas not to be…
For our analysis, we rely entirely on the original source documents.2
A. Why a new reporting requirement
In summary terms, the new rules requires “reporting entities” to file reports with FinCEN that identify two categories of individuals:
the “beneficial owners” of the entity, and;
individuals who have filed an application with specified governmental authorities to create the entity or register it to do business.3
Before FinCEN specifies in detail who is subject to the new reporting requirement and what information needs to be submitted, it justifies its new disclosure regime on grounds that “illicit actors frequently use corporate structures such as shell and front companies to obfuscate their identities and launder their ill-gotten gains through the U.S. financial system.”
To support its case, FinCEN lists specific cases of such abuse, from a sanctioned Russian oligarch’s yacht to bad actors fraudulently applying for financial assistance under the Paycheck Protection Program (PPP) or using “companies registered to synthetic identities” to obtain COVID–19 pandemic relief funds.
It is indeed true that the United States, at the moment of forming an entity or transferring its ownership, presently does not require disclosure of information about its beneficial owners—the individuals who actually own or control the entity—or individuals who take the steps to create an entity such as filing agents.
Rather, only when a U.S. company wants to access a specific service, e.g. open a bank account, will identifying information from its owners be asked.
This is in contrast with many jurisdictions around the world which channel the formation of companies through licensed agents, who have an obligation to perform due diligence on the owners of entities before they can file for incorporation.
An admission of defeat
It is no doubt also true that, as probably is the case anywhere around the world, the U.S. financial system is being abused by malevolent actors, and the list of actors is long, from prime property in Beverley Hills and New York owned by crooks of all colors to cartel-owned businesses and high-value assets owned by companies controlled by sanctioned Russians.
In our reading however, the list of abuses is as much a self-incrimination by FinCEN as it is anecdotical evidence of illicit acts.
The Bank Secrecy Act already requires banks to establish the beneficial ownership of entities that open accounts with them4. Could it be that FinCEN has been asleep at the wheel in enforcing such rules from banks over the last decades?
The ICIJ’s “FinCEN Files” of late 2020 brought to light how allegedly trillions of dollars flow freely through major banks, with only few checks if any by FinCEN on the suspicious activity reports banks are required to file.
Perhaps in an admission of defeat, FinCEN decided to shift the burden of due diligence from banks to companies themselves, creating a massive database with Beneficial Ownership Information (B.O.I.) which individual owners of U.S. entities will be obliged to populate from 1 January 2024 onwards on penalty of fines or imprisonment.
Such taxpayer-funded database will be accessible by banks and the assembled intelligence communities and other authorities.
For banks, this is an early Christmas present. In a letter to Treasury’s Janet Yellen and FinCEN’s acting director Himamauli Das, co-signed by i.a. Elizabeth Warren, they lobbied to get an entry on the disclosure form that provides an exemption in case the B.O.I. is “unobtainable or unknown” removed to make sure they can fully rely on the database entries to legally discharge their due diligence obligations.
A regulatory capture reading of the CTA would recognize the FinCEN rules for what they are: a “Get Out of Jail Free” card for tradfin’s own failures to prevent the U.S. financial system from being used as a massive sink for dirty money.
Is it not telling that no U.S. banker was ever sent to jail for blatant cases of money laundering, but banks happily support new rules that will send anybody who fails to fill out a B.O.I. form for up to 2 years in prison?
An estimated 32.6 million existing entities
In the regulatory analysis of its final rule, FinCEN estimates that there will be at least 32.6 million entities that meet the core definition of a “reporting company” and are not exempt in existence when the proposed rule becomes effective on 1 January 20245.
With only months away from this date as of the time of writing, FinCEN is yet to release the final form and provide details how it is to be filed online.
All threshold owners and controllers of these estimated 30 million legacy companies, and the estimated 10 million new companies formed in the U.S. every year, will eventually go in the database, whether based in the U.S. or abroad.
The burden is on them not only to report who is a beneficial owner (as defined) but also to identify the individuals who file for incorporation of their U.S. entity if they use a service provider.
New entities were originally expected to provide the B.O.I. within 30 days of filing. but on 27 September 2023 FinCEN issued a proposal to extend this to 90 days.6
Existing companies that were created before January 1, 2024, will need to file their reports by January 1, 2025.
Changes to companies’ beneficial ownership too will need to be filed within 90 days.
As an alternative to filing the B.O.I., individuals can voluntarily apply for a “FinCEN identifier”, which requires them to electronically file certain information about themselves and submit updates of their identifying information as needed.
B. What needs filing
The Personally Identifiable Information that is to be included in the FinCEN report should make any privacy advocate shiver:
The legal name of the reporting company';
Any “doing business as” (DBA) or “trading as” names;
Current street address of its principal place of business if that’s in the U.S.;
The jurisdiction of formation or registration; and
The Taxpayer Identification Number.
When filing, companies will need to indicate whether an initial report is being filed, or whether it is a correction or update of an earlier report.
A company will also have to report the following information for each individual who is a beneficial owner or a company applicant:
The name, date of birth, and address;
A unique identifying number from an acceptable ID;
The name of the state or jurisdiction where the ID was issued;
For beneficial owners, the residential street address must be reported;
For company applicants, the individual’s street address must be reported. If a formation agent is used, the agent’s business address can be used for B.O.I. filing purposes but the individual(s) who file do still need to be disclosed.
The acceptable identification documents include:
A non-expired driver’s license issued by a U.S. state;
A non-expired identification document issued by a US state or local government;
A non-expired passport issued by the U.S. government; or
If the aforementioned documents aren’t available, the identification number from a non-expired passport issued by a foreign government.
To top it all off, an image scan of the ID associated with this unique identifying number must also be provided to FinCEN.
Filing will be online however there are as yet no details of the filing system.
There will be no fee for filing but we estimate the cost of compiling the report and gathering the required supporting documents far higher than the US$85 estimated by FinCEN, even for relatively simple entities such as sole Member LLCs.
The comments FinCEN reports on in its main document reflect a number or areas where commentators seek clarification and express concerns:
Proposed 31 CFR 1010.380(d)(1) sets forth three specific indicators of “substantial control”:
service as a senior officer of a reporting company;
authority over the appointment or removal of any senior officer of a reporting company; and
individuals who “direct, determine, or have substantial influence over important decisions made by the reporting company.”
The proposed rule also included a catch-all provision to ensure consideration of any other forms “substantial control” might take beyond the criteria specifically listed.
This broad definition has raised concerns, i.a. that it was not rooted in state corporate formation law or other federal statutes and regulations that use “control” concepts.
Some commenters also stated that the indicators of substantial control in the proposed definition focused on the potential to exercise substantial control rather than on the actual exercise of it.
Despite these concerns about over-reach, FinCEN adopted the rule largely as proposed, which essentially means it keeps its reporting dragnet intact but also exposes itself to potential legal challenges.
For instance, FinCEN confirms that general counsel to a company is a considered a “senior officer” (but not its corporate secretary or treasurer) on the basis that counsel’s role is ordinarily quite substantial.
Specifically in relation to the catch-all “substantial control” clause, and perhaps most relevant to crypto, the FinCEN document explicitly mentions that “control exercised in novel and less conventional ways can still be substantial. It also could apply to the existence or emergence of varying and flexible governance structures, such as series limited liability companies and decentralized autonomous organizations, for which different indicators of control may be more relevant.”7
Any ambiguity whether a Trustee can be seen as exercising substantial control has however been removed: the final rule makes it clear that a trustee of a trust can, in fact, exercise substantial control over a reporting company through the exercise of his or her powers as a trustee over the corpus of the trust, for example, by exercising control rights associated with shares held in trust.
In addition to the “substantial control” provisions, a second area which attracted comment is what constitutes “ownership interest”.
The CTA defines a beneficial owner to include “an individual who . . . owns or controls not less than 25 percent of the ownership interests of the entity.”8
For the purposes of this rule, this would include both equity in the reporting company and other types of interests, such as capital or profit interests (including partnership interests) or convertible instruments, warrants or rights, or other options or privileges to acquire equity, capital, or other interests in a reporting company.9
“Owning or controlling” means indirect control too is included, for instance through a trust or similar arrangement.
Relevant in particular for startups, the definition also sweeps in holders of Simple Agreements for Future Equity (SAFEs), in which an investor agrees to provide funding that will convert into equity according to a formula based upon the conditions of a subsequent capital raise. It may be difficult to calculate how much equity will be received when the relevant condition occurs, and if the condition does not occur, the investor may receive no equity at all. Nonetheless, holders of SAFEs are ensnared if they are likely to acquire an “ownership interest”.
Finally, another catch-all seeks to include “[a]ny other instrument, contract, arrangement, understanding, relationship, or other mechanism used to establish ownership”, presumably to try to intercept the use of straw-men.
Owning a company in chunks of less than 25% would not alleviate the reporting requirement since the ownership is calculated on a combined basis: if a single individual controls say 5 LLCs that each have 20% of another LLC, then the individual is deemed to have a 100% ownership interest in the latter LLC.
The proposed rules have 5 exceptions to the definition of Beneficial Owner, including for individuals acting as Nominee or solely as employee of a reporting entity.10
Ensnaring individuals from abroad
A third area of concern is that the new regime is sweeping both U.S. and non-U.S. individuals in FinCEN’s dragnet and it is important that non-U.S.- based controllers are aware of this.
The new regime applies to both “domestic” and “foreign entities” but perhaps confusingly this as such says nothing about whether a U.S. resident or a foreigner owns the entity. Rather, in the U.S. a “foreign company” is a company incorporated or registered under the laws of one state or a foreign country and doing business in another. For instance, a Delaware company doing business in California is a “foreign company” in California. Conversely, say a Delaware LLC (even with a foreign owner) can still be a “domestic company” if it only does business in Delaware.
Whether a U.S. company is owned by a U.S. resident or a foreigner is more relevant for its tax treatment than for FinCEN reporting purposes: The main practical difference will be that U.S. entities controlled by foreigners (i.e. non-U.S. tax residents) will typically not be able to provide U.S.-issued ID documents but will instead have to enter a passport number and upload a passport scan. They will still have to share their residential address, which will then be a non-U.S. address.
I.a.w. they’ll be required to completely dox themselves even if they may not have any tax obligations in the U.S. from owning a company there, and would not before have had a need for an Entity Identification Number (EIN) or Tax Identification Number (TIN) for their entity.
Other concerns of course relate to the protections around who can access the database. Even though FinCEN emphasizes that protocols will be in place, in practice we suspect the assembled intelligence community will have free roaming rights and financial institutions (as mentioned above) have already secured access. It can be assumed other state authorities too will have access and will share information with foreign authorities on request. In this light, the database brings us a step closer to mass surveillance of all economic activity, all in the name of national security.
Finally there are of course concerns about the vulnerability of what will be an irresistible honeypot of centrally-held Personally Identifiable Information, and the level of technical security an underfunded and understaffed Government agency can provide to make sure the database isn’t hacked.
C. You’re doing this all wrong
Remember how our kids were asked by TSA to remove their shoes at the airport on national security grounds, because of course kids habitually hide bombs in their plimsolls?
That’s the approach FinCEN and regulators more broadly including FATCA are taking: everybody is guilty until proven otherwise.
From 1 January 2024, anybody who creates a company in the U.S. is assumed to do it for illicit purposes, so let’s create a mass-surveillance system for the intelligence apparatus to crawl over, monitoring your every economic activity because exercising our basic freedom to transact is now a national security risk.
It is a far cry from a solution that would let us sovereignly control our data and voluntarily and limitedly share it if and when required to do so, e.g. when accessing financial services or yes, forming a company.
But until blockchains move away from their hyper-financialization, the Web3 community only has itself to blame for not presenting an alternatives to the massive centralized data silos with credit scores, health data, beneficial ownership information and other types of personally identifiable information that are being built and accessed outside of our control.
Personally Identifiable Information stored in an encrypted personal wallet, retrievable from within a secure compartment of our phones, and shared ad hoc if and when there is need to access specific services is far preferable to hackable honeypots of centralized data maintained by government sys-admins.
However for this to happen, we need to first see modern government give up some of its powers, which probably explains why no entrepreneur in her or his right mind works on a solution that requires such radical change.
Ironically, a blockchain-based sovereign data solution could actually help combat true crime, as it would provide much better attestation as to the truthfulness of the information provided, because despite its forced disclosure requirements, the current FinCEN database does not in any way verify the accuracy of the B.O.I. data disclosed.
Without such verification, the FinCEN database will only be as reliable as the data its users provide, despite the threat of fines and imprisonment.
If the U.K.’s public Beneficial Ownership Register is anything to go by, we may soon see John Doe as the Beneficial Owner on record of hundreds of thousands U.S. entities too!
The CTA was sneaked in as Title LXIV of the 1,480 pages National Defense Authorization Act for Fiscal Year 2021, Public Law 116–283 (Jan. 1, 2021) which passed in the last days of the Trump administration. Division F of the NDAA is the Anti-Money Laundering Act of 2020, which includes the CTA.
Mainly, the Beneficial Ownership Information Reporting Requirements, published by FinCEN on 30 September of last year. Note that the 1-month window for comment on the FinCEN proposed Identifier Application and Beneficial Ownership report closed yesterday, 30 October 2023 and the final form to be used by filers and other specifications are therefore still to be released.
Under the proposed rule, a “beneficial owner” would include any individual who meets at least one of two criteria:
The individual exercises substantial control over the reporting company; or
The individual owns or controls at least 25 percent of the ownership interests of a reporting company. The proposed regulations defined the terms “substantial control” and “ownership interest” and proposed rules for determining whether an individual owns or controls 25 percent of the ownership interests of a reporting company. The proposed regulations also, following the CTA, defined five types of individuals exempt from the definition of beneficial owner.
In addition, proposed 31 CFR 1010.380(e) defines the term “company applicant”. The final rule specifies that the term company applicant means the individual who directly files the document to create or register the reporting company and the individual who is primarily responsible for directing or controlling such filing if more than one individual is involved in the filing. In many cases, company applicants may be employed by a business formation service or law firm, who prepare and file the incorporation documents with a state office to create the reporting company. In such case, the final rule allows for the business address to be used instead of the residential address of the filers but still requires them to be identified as individuals.
Note that where business formation services provide software, online tools, or generally applicable written guidance, the employees of such services are not company applicants. However, employees of such services may be company applicants if they are personally involved in the filing of a document to form a particular company.
In summary, the Bank Secrecy Act provides that a bank, at a minimum, must obtain the following identifying information for each beneficial owner of a legal entity customer: (i) Name (ii) Date of birth, (iii) Address, (iv) Identification number.
https://www.federalregister.gov/d/2022-21020/p-37. FinCEN divides “reporting companies” into two types – domestic and international.
A domestic reporting company includes:
A limited liability company, or
Any other entity created by the filing of a document with a secretary of state or any similar office under the law of a state or Indian tribe.
A foreign reporting company includes:
A corporation, limited liability company, or other entity formed under the law of a foreign country.
Any other entity created by the filing of a document with a secretary of state or any similar office under the law of a state or Indian tribe.
Unless an exemption has been provided, it seems the filing of a document (either with a state or Indian Tribal-level office) is the key test to determine whether a company is a “reporting company”.
In case of an LLC, if no one else owns or controls ownership interests in your LLC or exercises substantial control over it, and if there are no other facts to consider for deciding ownership, you’ll be considered the only beneficial owner of this reporting company, and your information must be reported to FinCEN.
In our analysis, on the basis that non-registered Series LLCs are not formed by way of a filing event, they are not subject to the reporting requirement. We base this i.a. on FinCEN’s operative definition of a reporting company created by way of some filing event with a secretary of state, whilst Series LLCs are formed contractually without any filing. This is further supported by i.a. https://www.federalregister.gov/d/2022-21020/p-481. However the reference to Series LLCs and DAOs above creates ambiguity on this point, which FinCEN concedes and says it will address in future guidance.
Debt instruments would be included if they enable the holder to exercise the same rights as one of the specified types of equity or other interests, including if they enable the holder to convert the instrument into one of the specified types of equity or other interests.