By Tom Aldrich, Chief Strategy Officer, 360 Privacy
The Corporate Transparency Act (CTA) became law in the United States as part of the National Defense Authorization Act for FY2021. This landmark legislation aims to combat illicit activities such as money laundering, tax evasion, and fraud by requiring certain entities to disclose their Beneficial Owners (BOs) to the Financial Crimes Enforcement Network (FinCEN). While the intention of the act was noble in its creation, the broader implications of the law for the general public are likely to include a swath of critical impacts – for example on investors, who would typically rather have transactions shielded from the public eye. Let’s take a closer look at these new disclosure requirements and how they relate to the access and privacy considerations for families, family offices, legal teams, and operational risk management personnel.
Understanding what the CTA entails
According to the legislation, which goes into effect Jan. 1, 2024, virtually every legal entity (incorporated, organized, or registered to do business in a state) must disclose information relating to its owners, officers, and controlling persons to FinCEN, or face criminal and civil penalties for failing to comply with the new reporting requirements. A reporting company (defined as domestic and foreign privately held entities) must divulge these individuals’ names, dates of birth, home addresses, and unique identifying numbers (i.e. passport or driver’s license number), along with accompanying images of those unique identifying numbers. The combination of such information moves an individual from being “identifiable” to “identified,” which sparks the debate between proactive security measures taken by the government versus the rights of individuals to remain private.
Privacy concerns for the public
The first concern that comes to mind is one of access. According to a report issued by DLA Piper, reports filed with FinCEN “will not be accessible to the public and are not subject to requests under the Freedom of Information Act.” However, some federal agencies will have access by the nature of their work: national security, civil/criminal law enforcement, intelligence, the Department of Treasury, state/local law enforcement agencies, and financial institutions as part of KYC/AML compliance requirements. In states like New York, where the New York State LLC Transparency Act is currently sitting on Gov. Kathy Hochul’s desk for signature, BOs of Trusts, LLCs, LLPs, corporations, and other entities may very well be accessible through databases maintained by New York’s Secretary of State.
Considerations from the past and for the future
For BOs and reporting companies who will be required to adhere to the updated CTA disclosure requirements – or for those who are unsure about their newfound compliance requirements – it is important to note a few items:
Know the strategic and tactical compliance requirements of your financial institution(s) and advisory teams. If the “FinCEN Files” have taught us anything, it is that suspicious activity reports can be leaked to the public, even when transactions and structural changes to legal entities were compliant and/or legitimate.
As of July 2023, FinCEN was building a new IT system (dubbed the Beneficial Ownership Secure System) to collect and store CTA reports. Ensure that staff members navigate to the official FinCEN website to gain access; when and where possible, employ end-to-end encryption for secure file transfer and storage of data, and be wary of inbound requests soliciting data on behalf of FinCEN.
Given the federal agencies that may have access to BO data, expect an increase in phishing attempts targeted at family, staff, family office, and/or financial institution coverage teams. Spear phishing attacks from within an organization may also become a common tactic.
Review the 23 entity types (including SEC-reporting companies, insurance companies, tax-exempt companies or subsidiaries of exempt entities) which are exempt from the definition of reporting companies under the CTA. Consider the ease of access to certain entity data within your state’s database (if applicable), and prevalence of personally identifiable information (PII) available on BOs/senior officers within the organization.
Understand the penalties of noncompliance. According to the legislation, failure to comply or the provision of false or fraudulent reports may result in civil fines of $500 a day for as long as the reports remain inaccurate. Failure to comply may also subject the violators to the criminal penalties of a $10,000 fine or 2 years in jail.
Review the intricacies of access and compliance regulations in each state, especially for organizations with multiple areas of operation. As mentioned above, in New York’s case, BO information may be accessible through means that are not applicable in other regions of the United States.
Don’t wait; seriously consider getting ahead of the process and compiling reporting information now. Update internal policies to streamline report information gathering and create a system to continuously track and update upcoming changes to reporting information.
Consult with legal counsel on the upcoming changes, and with privacy consultants and PII removal services to further mitigate risks posed by the availability of personal data on the open web.
Takeaways from the CTA
While the Corporate Transparency Act takes a significant step toward greater financial transparency and accountability, it doesn’t come without trade-offs. As we continue to grapple with the complexities of privacy in an increasingly interconnected world, the act serves as a timely reminder of the delicate equilibrium that must be maintained between transparency and privacy.
About the Author
Tom Aldrich, VP Private Clients, 360 Privacy: Tom joined 360 Privacy as a Partner after having worked at Goldman Sachs as a private wealth advisor. He came to Goldman from the US Army, where he served as a Green Beret and functioned as both a communications and intelligence subject matter expert. He deployed overseas four times, where he was responsible for tactical and strategic targeting, intelligence, and digital exploitation. Tom is a Certified Ethical Hacker and obtained his CIPP/US Certification from the International Association of Privacy Professionals.