ILLICIT FINANCE
Treasury’s Initial Safeguards for Allowing Access to Information on Corporate Ownership
Report to Congressional Committees
United States Government Accountability Office
For more information, contact Michael E. Clements at (202) 512-8678 or clementsm@gao.gov.
Highlights of GAO‑25‑107403, a report to congressional committees
Treasury’s Initial Safeguards for Allowing Access to Information on Corporate Ownership
Why GAO Did This Study
The Corporate Transparency Act, enacted in 2021, requires certain legal entities to report their beneficial ownership information to FinCEN. This requirement supports U.S. efforts to prevent bad actors from concealing or benefiting from ill-gotten gains through shell companies or other opaque ownership structures. The act required FinCEN to adopt a rule to safeguard this information from unauthorized use.
The Corporate Transparency Act also includes a provision for GAO to determine whether FinCEN’s safeguards, procedures, and use of beneficial ownership information, as established in its access rule, are consistent with requirements of the act. This report is the first in a series of seven annual reports.
This report examines (1) whether FinCEN’s access rule included Corporate Transparency Act requirements for protecting the security and confidentiality of beneficial ownership information, (2) the extent to which FinCEN granted agencies access to beneficial ownership information in compliance with the act, and (3) FinCEN’s oversight of agencies’ access to and use of the information.
GAO reviewed the Corporate Transparency Act and FinCEN’s beneficial ownership information access rule; analyzed FinCEN’s policies, procedures, and other documents related to the access program; and interviewed FinCEN and other agency officials.
What GAO Found
Beneficial owners are individuals who, directly or indirectly, own or control a certain percentage of, or exercise substantial control over, a company or other legal entity. The Financial Crimes Enforcement Network (FinCEN) collects and shares information about beneficial owners to help safeguard the U.S. financial system from illicit use and to support law enforcement investigations, among other purposes. In December 2023, FinCEN adopted a rule that allows authorized users (such as federal agencies engaged in national security, intelligence, or law enforcement activity) to access this information if they establish data-safeguarding procedures for it. GAO found that the rule incorporated all the Corporate Transparency Act’s requirements for protecting the security and confidentiality of beneficial ownership information.
In spring 2024, FinCEN launched the first phase of its five-phase process to grant access to beneficial ownership information by selecting six federal agencies for a pilot, partly to test its IT system. To be approved for access, FinCEN required each agency to sign a memorandum of understanding specifying safeguards they would implement to protect the data. Agencies also had to submit an initial report describing safeguarding procedures and certify they complied with the rule’s protection requirements. As of October 2024, four of the six agencies had submitted the necessary documents (see table).
|
Agencies granted access |
Federal Bureau of Investigation Internal Revenue Service-Criminal Investigations U.S. Postal Inspection Service U.S. Secret Service |
|
Agency staff with access |
100 |
|
System searches conducted |
Nearly 1,700 |
Source: Financial Crimes Enforcement Network. | GAO-25-107403
In September 2024, FinCEN began the second phase, enabling about 200 additional federal agencies to request access to beneficial ownership information. Based on feedback from the pilot, FinCEN revised its memorandum of understanding to clarify certain compliance requirements. FinCEN also created a procedure for reviewing and granting agency requests for information. Agencies must still sign a memorandum of understanding, report on their safeguarding procedures, and certify compliance with information protection requirements.
FinCEN officials told GAO they have been developing policies and procedures for overseeing users’ access and safeguarding practices. This oversight is to include conducting annual audits, monitoring how users search the data, and reviewing reports submitted by authorized users. FinCEN plans to assess the need for additional oversight mechanisms as the access program is fully implemented. GAO will continue to monitor FinCEN’s implementation of its oversight policies and procedures.
|
Abbreviations |
|
|
|
|
|
BOI |
beneficial ownership information |
|
BSA |
Bank Secrecy Act, as amended |
|
FinCEN |
Financial Crimes Enforcement Network |
|
IT |
information technology |
|
MOU |
memorandum of understanding |
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
February 20, 2025
The Honorable Tim Scott
Chairman
The Honorable Elizabeth Warren
Ranking Member
Committee on Banking, Housing, and Urban Affairs
United States Senate
The Honorable French Hill
Chairman
The Honorable Maxine Waters
Ranking Member
Committee on Financial Services
House of Representatives
The misuse of corporate structures poses significant risks to the U.S. financial system and can threaten national security. Bad actors use shell and front companies to conceal their identities and launder ill-gotten gains. In the United States, corporations, limited liability companies, and other legal entities are formed under state or tribal laws. But most jurisdictions do not require disclosure of beneficial owners—individuals who own or control these entities—at formation or thereafter.
To make it harder for bad actors to conceal their identities and launder money, the Corporate Transparency Act requires certain legal entities to report their beneficial ownership information (BOI) to the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN).[1] This information includes each beneficial owner’s name, birthdate, and address. The act permits FinCEN to share this information with law enforcement and other agencies upon receiving a lawful and proper request. Law enforcement can use BOI, along with related data collected under the Bank Secrecy Act, as amended (BSA), to combat illicit financial activities by pursuing criminal or civil investigations.[2]
In January 2024, FinCEN launched its IT system to collect, store, and manage BOI. However, most companies did not start reporting BOI to FinCEN until late 2024, according to FinCEN.[3] Also in 2024, FinCEN began sharing BOI with several federal agencies following the effective date of its final rule implementing the Corporate Transparency Act’s access and safeguard provisions (access rule).[4] According to FinCEN, as of February 7, 2025, in light of a recent federal court order, reporting companies are not required to file BOI with FinCEN and are not subject to liability if they fail to do so while the order remains in force.[5] However, reporting companies may continue to voluntarily submit beneficial ownership information reports.
The Corporate Transparency Act includes a provision for us to conduct annual audits for 7 years to assess whether FinCEN is protecting access to and use of BOI in accordance with the act’s requirements. This first report focuses on FinCEN’s rollout of its BOI access program and examines the extent to which (1) FinCEN’s access rule restricted BOI access to authorized users and requires such users to protect the security and confidentiality of BOI, as required by the Corporate Transparency Act; (2) FinCEN granted authorized users access to BOI in a manner consistent with requirements of the act and the access rule; and (3) FinCEN implemented mechanisms to oversee authorized users’ access to BOI for compliance with requirements of the act and the access rule.
For our first objective, we reviewed and analyzed the Corporate Transparency Act, FinCEN’s access rule, and FinCEN’s BOI-related guidance. We assessed the extent to which FinCEN included the act’s procedures and safeguards requirements in its access rule.
For our second objective, we reviewed FinCEN’s policies, procedures, and other related documentation for granting users access to its IT system for BOI. These documents included FinCEN’s memorandum of understanding (MOU) for granting access to agencies; documents agencies submitted to receive BOI access, and agency initial reports specifying the standards, procedures; and systems users will maintain to protect the security and confidentiality of BOI. We compared these efforts against requirements of the Corporate Transparency Act and the access rule. We also interviewed FinCEN officials about the agency’s BOI access program and officials from the U.S. Secret Service and U.S. Postal Inspection Service—the first two agencies to be granted access to BOI—about their experiences applying for BOI access.
For our third objective, we reviewed the Corporate Transparency Act, FinCEN’s access rule, and FinCEN’s 2024 public guidance regarding accessing and securing BOI to identify and assess its mechanisms for overseeing agencies’ compliance with access rule requirements. We also interviewed FinCEN officials about their oversight mechanisms and related policies and procedures.
We conducted this performance audit from February 2024 to February 2025 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Background
FinCEN Roles and Responsibilities
FinCEN is a bureau in Treasury that administers the BSA and its related anti-money laundering authorities and requirements, which provide the legal and regulatory framework for preventing, detecting, and deterring money laundering. FinCEN has authority to enforce compliance with BSA requirements and serves as the repository of BSA reporting from financial institutions, including suspicious activity reports and currency transaction reports.[6] FinCEN also analyzes information from these reports and shares such analyses with appropriate federal, state, local, and foreign law enforcement agencies.
In addition, FinCEN allows authorized law enforcement and other agencies to directly access the database containing BSA reports upon request. Federal, state, and local law enforcement agencies use BSA reports to investigate and prosecute crimes such as drug trafficking, terrorism, and fraud. Authorized law enforcement agencies seeking direct access to FinCEN’s BSA database must enter into an MOU with FinCEN that specifies the terms and conditions for using the reports.[7] The MOU also specifies requirements pertaining to protecting the confidentiality of the information.
Corporate Transparency Act Provisions for BOI Reporting and Access
Reporting
The Corporate Transparency Act enacted BOI reporting requirements for specified legal entities.[8] To comply, these entities, known as reporting companies, must submit initial reports to FinCEN. These reports, and updated reports required upon occasion, must contain each beneficial owner’s full legal name, date of birth, current residential or business street address, and a unique identifying number from an acceptable identification document or FinCEN identifier. Beneficial owners are any individuals who directly or indirectly (1) exercise substantial control over a reporting company, or (2) own or control at least 25 percent of the ownership interests of a reporting company.[9]
An entity is subject to these BOI reporting requirements as a reporting company if it is a corporation, a limited liability company, or other similar entity that is
· created in the United States by filing a document with a secretary of state or any similar office under the law of a state or Indian Tribe; or
· formed under the law of a foreign country and registered to do business in the United States by filing a document with a secretary of state or a similar office under the laws of a state or Indian Tribe.
Access
Under the Corporate Transparency Act, FinCEN is authorized to provide certain entities with access to BOI. Specifically, authorized federal, state, local, and tribal officials may be granted access for permissible activities related to national security, intelligence, and law enforcement. Financial institutions also may access BOI, with the reporting company’s consent, to help meet customer due diligence requirements.[10] The institutions’ regulators similarly will have access to BOI as part of their oversight functions.
Selected Federal Law Enforcement Agencies with Access to FinCEN-Maintained Data
Multiple federal law enforcement agencies use FinCEN’s BSA data to detect illicit activity and conduct criminal investigations, including those related to money laundering and other BSA-related offenses. In its pilot program, which began in spring 2024, FinCEN granted initial access to its IT system for BOI to six agencies, chosen because they were significant and experienced users of BSA data.
· The Department of Justice prosecutes violations of federal criminal money laundering statutes and criminal violations of BSA. Within Justice, the Drug Enforcement Administration and the Federal Bureau of Investigation investigate drug trafficking organizations and transnational criminal organizations, including their money laundering activities.
· In the Department of Homeland Security, Homeland Security Investigations and the U.S. Secret Service target transnational criminal organizations. Agents investigate financial crimes, including money laundering and illicit finance, which enables them to track how these organizations receive, move, launder, and store illicit funds.
· In the Department of the Treasury, Internal Revenue Service-Criminal Investigation investigates complex and significant money laundering activity, including that related to terrorism financing and transnational organized crime.
· As part of the U.S. Postal Service, the U.S. Postal Inspection Service investigates crimes involving use of the U.S. mail and the postal service, including mail fraud, financial fraud, identity theft, and cybercrime.
FinCEN’s BOI Access Rule Includes the Corporate Transparency Act’s Access and Use Restrictions
FinCEN’s access rule includes all the Corporate Transparency Act’s provisions pertaining to access and use restrictions.[11] Specifically, FinCEN’s rule restricts (1) BOI access to the categories of users authorized by the act and (2) use of BOI for purposes authorized under the act. The rule also imposes security and confidentiality requirements on authorized users, as set out in the act.
FinCEN’s Access Rule Grants BOI Access to Six Categories of Authorized Users
As shown in table 1, FinCEN’s access rule specifies that the agency may grant BOI access to six categories of authorized users under specified conditions. This is consistent with the Corporate Transparency Act provisions that authorize FinCEN to disclose BOI to certain categories of users under specific circumstances.
Table 1: Categories of Authorized Users and Conditions Under Which FinCEN May Disclose Beneficial Ownership Information (BOI)
|
Category of authorized user |
Condition under which FinCEN may disclose BOI |
|
Federal agencies |
If the agency uses BOI in furtherance of national security, intelligence, or law enforcement activity |
|
State, local, and tribal law enforcement agencies |
If a court of competent jurisdiction has authorized the agency to seek the BOI in a civil or criminal investigation |
|
Foreign law enforcement agencies, judges, prosecutors, central authorities, and competent authorities (“foreign requesters”) |
If the BOI request (1) comes to FinCEN through an intermediary federal agency; (2) is to assist in a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the foreign country; and (3) the request is either made under an international treaty, agreement, or convention, or when no such instrument is available, is made as an official request by a law enforcement, judicial, or prosecutorial authority of a trusted foreign country |
|
Financial institutions |
If a financial institution subject to customer due diligence requirements requests BOI to facilitate compliance with such requirements, it may be disclosed provided that the reporting company has consented to such disclosurea |
|
Federal functional regulators and other appropriate regulatory agenciesb |
If the regulator is authorized by law to assess, supervise, enforce, or otherwise determine compliance of such financial institution with customer due diligence requirements; will use the information solely for these purposes; and has entered into an agreement with FinCEN providing for appropriate protocols governing the safekeeping of information |
|
Department of the Treasury personnel |
If the personnel duties require BOI inspection or disclosure or for tax administration |
Source: Financial Crimes and Enforcement Network (FinCEN). I GAO‑25‑107403
aUnder customer due diligence requirements, financial institutions must have risk-based procedures for verifying the identity of the customer at account opening. For legal entity customers, financial institutions must collect and verify additional information for certain beneficial owners of the legal entity customer. The Corporate Transparency Act directs FinCEN to revise its customer due diligence rule, in part to bring it in conformance with the act’s amendments. FinCEN had not initiated this rulemaking as of October 2024.
bThe federal functional regulators that supervise financial institutions with customer due diligence obligations are the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, National Credit Union Administration, Securities and Exchange Commission, and the Commodity Futures Trading Commission. 31 C.F.R. 1010.100(r).
FinCEN’s Rule Imposes Security and Confidentiality Requirements on Authorized Users
FinCEN’s access rule imposes security and confidentiality requirements on authorized BOI users, as required by the Corporate Transparency Act. Most authorized user categories generally are subject to the same requirements, such as entering into an MOU with FinCEN. However, certain authorized users are subject to different requirements. For example, financial institutions are not required to sign an MOU but instead must protect BOI disclosed consistent with section 501 of the Gramm-Leach-Bliley Act, among other requirements.[12] Foreign requesters must comply with handling, disclosure, and use requirements of any applicable international treaty, agreement, or convention. If no such instrument exists, they must establish and maintain additional requirements pertaining to standards and procedures for information protection, along with restrictions on access to information.
According to the access rule, federal, state, local and tribal agencies must meet several criteria to be granted BOI access, including
· signing an MOU with FinCEN specifying the standards, procedures, and systems they will maintain to protect the security and confidentiality of BOI;
· establishing standards and procedures to protect BOI, including staff training on information handling and safeguarding;
· establishing and maintaining, to FinCEN’s satisfaction, a secure system to store BOI;[13]
· providing FinCEN with an initial report and annual report describing standards and procedures for protecting the security and confidentiality of BOI;
· certifying to FinCEN initially and then semiannually that the agency’s standards and procedures for protecting BOI comply with the access rule’s security and confidentiality requirements;
· establishing and maintaining an auditable system of standardized records for BOI requests; and
· conducting an internal annual audit to verify that BOI has been accessed and used appropriately and in accordance with the agency’s standards and procedures to protect the security and confidentiality of the information.
The access rule generally prohibits authorized users from re-disclosing BOI, including disclosure to other persons within the same requesting agency, except under specified limited circumstances.[14] FinCEN also may authorize the re-disclosure of BOI by an authorized recipient in other situations, consistent with the access rule. In September 2024, FinCEN developed a standard operating procedure for receiving and reviewing such re-disclosure requests.
FinCEN Granted BOI Access to Several Federal Law Enforcement Agencies, Consistent with Requirements, While Developing Access Procedures
FinCEN’s BOI access rule took effect in February 2024. The agency is implementing BOI access in five phases, spanning from spring 2024 to spring 2025. Under the first phase, FinCEN selected six federal law enforcement agencies to grant access to BOI under a pilot program, partly to test its IT system for BOI.
Phase I
In spring 2024, FinCEN selected six federal law enforcement agencies to receive initial access to BOI under a pilot program. The agencies were the Drug Enforcement Administration, Federal Bureau of Investigation, Homeland Security Investigations, Internal Revenue Service-Criminal Investigation, U.S. Postal Inspection Service, and U.S. Secret Service. FinCEN officials told us they selected these agencies because they had substantial experience using BSA data for law enforcement and intelligence purposes. The agencies used the data under separate MOUs, which required them to protect the confidentiality of data accessed through FinCEN’s BSA system.[15]
To be granted access to BOI, FinCEN required the pilot agencies to
· appoint an agency coordinator (the primary contact for managing BOI access and MOU compliance);
· provide FinCEN with a signed MOU establishing the terms and conditions under which the agency may obtain, store, use, and re-disclose BOI;
· submit an initial report describing the standards and procedures established to comply with access rule requirements for protecting BOI; and
· provide a certification signed and dated by the agency’s head attesting that its standards and procedures comply with the access rule’s security and confidentiality requirements.
As of October 29, 2024, four of the pilot agencies had appointed one or more coordinators and submitted the required documents and were granted access to BOI: the Federal Bureau of Investigation, Internal Revenue Service-Criminal Investigation, U.S. Postal Inspection Service, and U.S. Secret Service. According to FinCEN officials, the Drug Enforcement Administration had not yet signed the MOU, while Homeland Security Investigations had signed it but had not yet submitted the other required documents.
FinCEN officials told us they reviewed the submitted documents for completeness and accuracy. In addition, they reviewed the initial reports of standards and procedures to ensure they were consistent with the requirements of the MOUs and the access rule. They relied on each agency’s signed and dated compliance certification and MOU commitment to safeguard and use BOI in accordance with applicable requirements.
FinCEN created an MOU template that specifies the standards and procedures an agency must maintain to protect BOI. We found that the MOU template incorporates the access rule’s requirements for protecting BOI.[16] FinCEN officials said they did not create additional written policies and procedures for granting the pilot agencies access to BOI. Instead, they said they would use their pilot experience to revise the MOU template and develop a standard operating procedure for reviewing BOI requests from other federal agencies in Phase II.
The four pilot agencies collectively provided 100 staff members access to FinCEN’s IT system for BOI, conducting nearly 1,700 searches as of October 29, 2024, according to FinCEN officials. Under the pilot, FinCEN allowed each agency to provide no more than 50 staff with access to enable FinCEN to test its IT system. As discussed above, FinCEN did not expect most companies to start reporting BOI to the agency until near the end of 2024. FinCEN officials had estimated that more than 32 million companies would be required to report BOI by January 1, 2025, and said that over 6 million companies had filed BOI reports as of October 29, 2024.
In addition to the pilot program agencies, FinCEN provided over 140 of its own staff and contractors with access to its IT system for BOI, according to officials. In April 2024, FinCEN issued policies and procedures governing its staff’s access, inspection, use, and disclosure of BOI.[17] Authorized staff may access and use BOI solely in furtherance of their official FinCEN duties or responsibilities that require such access.[18] For example, authorized staff may access BOI to (1) investigate potential BSA violations; (2) conduct strategic analysis, research, intelligence, and other analysis consistent with FinCEN’s mission; and (3) generate reports to monitor and audit the use of the BOI system.
In January 2024, FinCEN’s Technology Division issued a standard operating procedure that sets out the limitations and restrictions on access, inspection, use, and disclosure of BOI in administering, operating, and managing the IT system. Under the procedure, FinCEN staff and contractors may access, inspect, and use BOI and related data submitted to or stored in the system in the course of their ordinary official duties, or within the scope of contracted services by contractors, related to administering, operating, and maintaining the IT system.[19]
|
Security Plan for Beneficial Ownership IT System The Financial Crimes Enforcement Network (FinCEN) developed an IT system to receive, store, and maintain beneficial ownership information. According to the system security plan, this IT system is to be secured at the Federal Information Security Management Act’s highest protection level, indicating a severe or catastrophic effect if confidentiality, integrity, or availability of information is compromised. The plan provides an overview of security requirements and controls in place or planned to meet those requirements. In September 2024, FinCEN’s Technology Division officials signed and approved the plan. |
Source: Financial Crimes Enforcement Network. | GAO‑25‑107403
According to FinCEN, the pilot program helped test its IT system for BOI and address issues before access was expanded to other users. For example, the pilot program enabled FinCEN to test the ability of an agency to provide its staff with user identification to access the system and the ability of an agency’s staff to conduct BOI searches. In addition, as noted above, FinCEN allowed each agency to provide no more than 50 staff with access to the system, enabling FinCEN to test the system’s user access capacity. This phased approach also is intended to help FinCEN manage the resources required to implement its BOI access program, such as by staggering its required annual audits of authorized users.
Phase II
In late September 2024, FinCEN began Phase II, accepting BOI requests from Treasury offices and federal agencies that had existing BSA MOUs with FinCEN. According to FinCEN officials, Phase II will cover about 200 federal agencies, offices, and components (federal entities), nearly half of which are U.S. Attorneys’ Offices. The officials told us they emailed each agency instructions for requesting BOI access. As of October 29, 2024, officials said they were reviewing 10 formal access requests from one Treasury component and federal agencies.
For Phase II, FinCEN developed a standard operating procedure in September 2024 that establishes a process for reviewing and, as appropriate, approving or denying an agency’s request to enter into an MOU to access BOI. For example, as part of the process, FinCEN assesses whether the agency would use BOI to further a national security, intelligence, or law enforcement activity. If approved, the agency would be required, as in the pilot program, to provide FinCEN with a signed and dated MOU, an initial report on standards and procedures, and a signed and dated compliance certification before being granted access to the IT system for BOI.
Based on pilot program feedback, FinCEN officials revised the MOU template to clarify certain terms and conditions and help agencies better understand their compliance responsibilities:[20]
· Auditable system of standardized records. The pilot MOU template incorporated the access rule’s requirement that agencies maintain an auditable system of standardized records for BOI requests. Our review found that two pilot agencies planned to rely on records produced by FinCEN’s IT system for BOI, which records all BOI searches and justifications. FinCEN officials told us they also received questions from the pilot agencies regarding the records requirements. Based on this feedback, FinCEN revised its MOU template to clarify this requirement. The template now specifies that while FinCEN maintains search records, agencies also must keep records necessary to reconstruct each search request (such as investigation records supporting law enforcement justifications).
· BOI training. The pilot MOU template incorporated the access rule’s requirement that agencies develop procedures to train staff on handling and safeguarding BOI. In our interviews with two pilot agencies and review of their initial reports, we found they had not yet developed training and relied on FinCEN to provide the initial training. FinCEN officials told us the pilot agencies also had requested additional clarification on their training responsibilities. Based on this feedback, FinCEN revised the template to clarify that agencies are responsible for training staff on their own procedures for protecting BOI downloaded from the system, while FinCEN will provide training on its IT system for BOI.
· Annual audits. The pilot MOU template incorporated the access rule’s requirement that agencies cooperate with FinCEN’s annual audit. Based on questions from agencies, FinCEN revised the template to clarify that its audits will cover all agency procedures and standards for protecting BOI, such as authorized user training, not just BOI searches. In addition, FinCEN revised the MOU to require agencies to provide FinCEN with copies of their annual internal audits.
In September 2024, FinCEN developed a separate MOU template to grant BOI access to Treasury staff. This MOU establishes the terms and conditions under which FinCEN will provide Treasury staff with access to BOI and under which Treasury staff will access, store, use, safeguard, and re-disclose BOI.
Phases III, IV, and V
FinCEN plans to implement Phases III, IV, and V from fall 2024 through spring 2025:
· Phase III (fall 2024): BOI access for other federal agencies engaged in law enforcement, national security, and intelligence activities, and state, local, and tribal law enforcement agencies.
· Phase IV (winter 2024): BOI access for federal agencies serving as intermediaries for foreign government requests.
· Phase V (spring 2025): BOI access for financial institutions subject to customer due diligence requirements and their supervisors.
According to FinCEN officials, the agency is on schedule to launch each phase in accordance with its time frames, noting the phases will overlap. We will continue to monitor FinCEN’s progress in implementing each phase through our ongoing work.
FinCEN Is Developing Policies and Procedures to Oversee BOI Users
FinCEN generally relies on authorized agencies and their coordinators to comply with MOUs and to access and use BOI appropriately. However, FinCEN also recognized it has oversight responsibilities and is developing policies and procedures to implement mechanisms to oversee users’ compliance with the Corporate Transparency Act and access rule requirements. Some oversight mechanisms are identified in the act and access rule and incorporated into the MOUs, while one is being established separately by FinCEN. These oversight mechanisms include the following:
· Annual audit and other inspections. FinCEN must annually audit each agency that is an authorized user to assess its compliance with the MOU, applicable provisions of the Corporate Transparency Act and access rule, and agency standards and procedures. Audits may be in-person or virtual. In addition, FinCEN may review an agency’s standards, procedures, and BOI training at any time, requiring revisions if needed. FinCEN officials told us they have not yet determined the resources needed to conduct these audits.
· Periodic submissions. Agencies must submit a semi-annual certification on their compliance with the access rule’s security and confidentiality requirements, an annual report on their security and confidentiality standards and procedures, and a report on their annual audit. FinCEN plans to track and review such documents, in part to ensure they are submitted on time and complete.
· Notifications. Agency coordinators must notify FinCEN promptly of any compliance failure found during annual internal audits and of any potential or actual BOI compromise or loss.
· Query audit logs. FinCEN plans to monitor individual users’ access to and use of its IT system for BOI through query audit logs (for instance, to help ensure that BOI is being used only as permitted under the Corporate Transparency Act). The system electronically records and maintains authorized user activity, including request dates, user names, requests made on behalf of others, and justifications for queries.
FinCEN has not yet implemented these oversight mechanisms because it only recently started to provide federal agencies with BOI access. For example, FinCEN officials told us that the agency initially provided the U.S. Postal Inspection Service and U.S. Secret Service with access in June 2024 and July 2024, respectively. Also, FinCEN will not need to audit these agencies until June 2025 and July 2025.
FinCEN officials told us they plan to continue assessing the need for additional oversight mechanisms as the BOI access program is fully implemented. As noted above, they are developing policies and procedures to support existing oversight, which are expected to be completed in early 2025. In addition, FinCEN officials said they leveraged their experience with their BSA system to develop and oversee the IT system for BOI, building on established policies and procedures for conducting audits, monitoring user access, and managing data.
Although not directly related to the BOI access program, Treasury’s Office of Inspector General has been conducting a series of audits to assess whether FinCEN manages access, use, and retention of BSA data in compliance with applicable laws, regulations, and Treasury policies and procedures. In the first two of four planned reports, issued in August 2023 and August 2024, the office identified several compliance deficiencies and made recommendations to address them. For example, the office found FinCEN did not (1) have proper controls to ensure external agencies notified FinCEN when accounts were disabled, (2) maintain proper records of the dates and reasons internal user accounts were disabled, and (3) disable internal user accounts in a timely manner. FinCEN management concurred with the recommendations and noted that corrective actions were completed or underway.[21] These audits may provide important insights on potential risks as FinCEN implements its BOI access program.
Under our recurring mandate, we will continue to monitor FinCEN’s efforts to develop policies and procedures to implement its oversight mechanisms.
Agency Comments
We provided a draft of this report to FinCEN for review and comment. FinCEN provided technical comments, which we incorporated as appropriate.
We are sending copies of this report to the appropriate congressional committees, Secretary of the Treasury, the Attorney General, Secretary of Homeland Security, Postmaster General, and other interested parties. In addition, the report is available at no charge on the GAO website at https://www.gao.gov.
If you or your staff have any questions about this report, please contact me at (202) 512-8678 or clementsm@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix I.
Michael E. Clements
Director, Financial Markets and Community Investment
GAO Contact
Michael E. Clements, (202) 512-8678 or ClementsM@gao.gov
Staff Acknowledgments
In addition to the contact named above, Rich Tsuhara (Assistant Director), Deena Richart (Analyst in Charge), Jordan Anderson, Lauren Capitini, Jill Lacey, Barbara Roesmann, and Jena Sinkfield made key contributions to this report.
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.
Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077,
or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO
Connect with GAO on Facebook, Flickr, X, and YouTube.
Subscribe to our RSS Feeds or Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/about/what-gao-does/fraudnet
Automated answering system: (800) 424-5454 or (202) 512-7700
Congressional Relations
A. Nicole Clowers, Managing Director, ClowersA@gao.gov, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548
Public Affairs
Sarah Kaczmarek, Managing Director, KaczmarekS@gao.gov, (202) 512-4800, U.S.
Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548
Strategic Planning and External Liaison
Stephen J. Sanford, Managing
Director, spel@gao.gov, (202) 512-4707
U.S. Government Accountability Office, 441 G Street NW, Room 7814, Washington,
DC 20548
[1]The Corporate Transparency Act was enacted as part of the Anti-Money Laundering Act of 2020, Division F, Title LXIV of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. No. 116-283, §§ 6401-6403, 134 Stat. 3388, 4604-4625.
[2]The Bank Secrecy Act is the popular name for the framework of anti-money laundering laws codified at 12 U.S.C. § 1829b, 12 U.S.C. §§ 1951-1960, and 31 U.S.C. §§ 310, 5311- 5314, 5316-5336, and includes notes thereto, with implementing regulations at 31 C.F.R. Chapter X.
[3]Initial BOI reports from domestic reporting companies were required at different stages, dependent upon when the company was created. A domestic reporting company created before January 1, 2024, had until January 1, 2025, to file its initial BOI report. A domestic reporting company created in 2024 was required to file its initial BOI report within 90 calendar days of the earlier of the date on which it received actual notice that its creation was effective or the date on which a secretary of state or similar office first provided public notice that the reporting company had been created. A domestic reporting company created on or after January 1, 2025, must file its initial BOI report within 30 calendar days of the earlier of the date on which it receives actual notice that its creation has become effective or the date on which a secretary of state or similar office first provides public notice that the reporting company has been created. 31 C.F.R. § 1010.380(a)(1).
[4]88 Fed. Reg. 88732 (Dec. 22, 2023).
[5]See Smith v. United States Department of the Treasury, 6:24-cv-00336 (E.D. Tex. Jan. 7, 2025) (enjoining the government from enforcing the Corporate Transparency Act against the plaintiffs and their related entities and staying the effective date of FinCEN’s Reporting Rule, 31 C.F.R. § 1010.380, while the lawsuit is pending), Notice of Appeal and Motion for Stay Pending Appeal docketed (E.D. Tex. Feb. 5, 2025). There are other pending court cases that could impact reporting and other requirements under the Corporate Transparency Act and FinCEN’s implementing regulations. See, e.g., Texas Top Cop Shop Inc. v. McHenry, et. al., 604 U.S. (2025) (previously Texas Top Cop Shop v. Garland, No. 4:24-cv-00478 (E.D. Tex., Jan. 23. 2025)); and National Small Business United v. Yellen, No. 5:22-cv-01448 (N.D. Ala. Mar. 1, 2024), Notice of Appeal docketed and argued (N.D. Ala. Sept. 27, 2024).
[6]FinCEN has responsibility for operating a government-wide data access service for suspicious activity reports, currency transaction reports, and other BSA reports. 31 U.S.C. § 310(b)(2)(B). Treasury and FinCEN delegated their examination authority under the BSA to relevant supervisory agencies, including the federal functional regulators and Internal Revenue Service. 31 C.F.R. § 1010.810(b). Under FinCEN regulation, a “federal functional regulator” is defined as the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Board of Directors of the Federal Deposit Insurance Corporation, National Credit Union Administration, Securities and Exchange Commission, and Commodity Futures Trading Commission. 31 C.F.R. § 1010.100(r). Other regulators have BSA examination responsibility, as delegated pursuant to 31 C.F.R. § 1010.810(b) (e.g., the Federal Housing Finance Agency with respect to government-sponsored housing enterprises).
[7]According to FinCEN officials, ensuring appropriate use of the reports includes limiting access to personnel with an appropriate use for them and ensuring that the searches conducted are only for authorized purposes.
[8]Pub. L. No. 116-283, § 6403, 134 Stat. 3388, 4605-4625, codified at 31 U.S.C. § 5336.
[9]There are exceptions to the definition of beneficial owner, such as minor children and creditors of the reporting company. 31 U.S.C. § 5336(a)(3)(B).
[10]The Corporate Transparency Act requires FinCEN to promulgate regulations to revise its Customer Due Diligence Rule to conform to the act’s provisions that require direct beneficial ownership reports to FinCEN. FinCEN had not initiated this rulemaking as of February 2025, notwithstanding the Corporate Transparency Act’s requirement to do so within one year of the effective date of FinCEN’s rules pertaining to the reporting of BOI (January 2025). 87 Fed. Reg. 59498, 31 U.S.C. § 5336(b)(4). In our prior work, we discussed similar delays that FinCEN experienced in implementing the Anti-Money Laundering Act of 2020, which includes the Corporate Transparency Act. We recommended, among other things, that FinCEN develop and implement a communications plan to regularly inform Congress and the public in full about its progress implementing the Anti- Money Laundering Act of 2020. See GAO, Anti-Money Laundering: Better Information Needed on Effectiveness of Federal Efforts, GAO‑24‑106301 (Washington, D.C.: Feb. 8. 2024).
[11]We reviewed section 6403(c) of the Corporate Transparency Act, codified at 31 U.S.C. § 5336(c), and applicable FinCEN implementing regulations, contained at 31 C.F.R. § 1010.955, to evaluate whether FinCEN implemented the requirements in section 6403(c) of the act. We found that FinCEN included all provisions of section 6403(c) of the act into its regulations at 31 C.F.R. § 1010.955.
[12]Section 501(b) of the Gramm-Leach-Bliley Act requires the federal prudential regulators to establish financial institution standards for protecting the security and confidentiality of financial institution customers’ nonpublic personal information. Pub. L. No. 106–102, 113 Stat. 1338, 1436–37, 1441 (1999), codified, as amended, at 15 U.S.C. § 6801.
[13]FinCEN noted that agencies will be able to rely on existing databases and related IT infrastructure to satisfy the requirement to ‘‘establish and maintain’’ secure systems in which to store BOI (where those systems have appropriate security and confidentiality protocols, including Federal Information Security Management Act standards). The Federal Information Security Modernization Act of 2014 requires federal agencies in the executive branch to develop, document, and implement information security programs to protect the information and systems that support the agencies’ operations and assets. The act further assigns the Office of Management and Budget the responsibility of requiring these federal agencies need to identify and provide information security protections that are commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of agencies’ information or information systems. However, GAO reported that certain federal agencies had not been effectively implementing the act. See Cybersecurity: OMB Should Improve Information Security Performance Metrics, GAO‑24‑106291 (Washington, D.C.: Jan. 9, 2023).
[14]Re-disclosure refers to the sharing or further disclosure of BOI by authorized recipients to other parties, beyond the initial disclosure by FinCEN. 31 C.F.R. § 1010.955(c)(2) permits re-disclosure in certain limited circumstances, including to officers, employees, agents, and contractors in the same requesting agency for the particular purpose or activity for which such information was requested, and from specified authorized federal agencies to courts of competent jurisdiction or parties to a civil or criminal proceeding.
[15]FinCEN requires each agency with an MOU to manage the process for providing access to individual users of the BSA system in that agency. This process includes conducting a background check before allowing new users to access the system. See GAO, Anti-Money Laundering: Opportunities Exist to Increase Law Enforcement Use of Bank Secrecy Act Reports, and Banks’ Costs to Comply with the Act Varied, GAO‑20‑574 (Washington D.C.: Sept. 22, 2020).
[16]An MOU is the agreement FinCEN uses to specify the standards, procedures, and systems required to protect the confidentiality of BOI, as specified in 31 C.F.R. § 1010.955(d)(1)(i)(A). We reviewed FinCEN’s template MOU and determined that it incorporates the access rule’s requirements for protecting BOI. We do not make any other legal determinations as it relates to the interaction of the MOU with the regulations, including whether the MOU sufficiently addresses the security and confidentiality provisions included in 31 C.F.R. § 1010.955.
[17]As noted earlier, Treasury officers and employees may access BOI if their official duties require it or for tax administration purposes. 31 C.F.R. § 1010.955(b)(5). See also 31 C.F.R. § 1010.955(c)(2) (permitting re-disclosure in certain circumstances).
[18]Each FinCEN division is responsible for determining and evaluating which staff should be authorized to access and use BOI based on factors such as their position description, background investigations, and purpose for using BOI. All authorized staff must complete a FinCEN form, which must be reviewed by their supervisor and authorized by the associate director or deputy associate director.
[19]In October 2024, FinCEN revised its policies and procedures governing the agency’s internal access and use of BOI, which combined the policies and procedures separately issued in January and April 2024.
[20]FinCEN officials told us that the six agencies that participated in the pilot program will be required to enter into revised MOUs.
[21]For example, see Office of Inspector General, Department of the Treasury, Anti-Money Laundering/Terrorist Financing: Audit of FinCEN’s Management of BSA Data–User Access Report, OIG-24-030 (Washington, D.C.: Aug. 1, 2024).