news & events

The Corporate Transparency Act: What will happen with my personally identifiable information (PII)?

Posted January 23, 2024 at 12:41 PM

Plenty has been written about the Corporate Transparency Act (Act) and its reporting requirements.  In fact, if you want to know what is required and when, I suggest you take a look at the Financial Crimes Enforcement Network (FINCEN) Beneficial Ownership Information (BOI) webpage, which can be found here. This FINCEN webpage is full of information detailing the reporting requirements under the Act, including an extensive list of FAQs.  It also includes a link to FINCEN’s BOI E-Filing System

What is not as often covered, however, is what will happen to your PII once reported?

Before we answer that question, let’s revisit what PII is required to be reported under the Act.  For each beneficial owner of a reporting company, the Act requires the reporting company to provide the owner’s name, date of birth, residential address and an identifying number from an acceptable form of ID, such as a driver’s license or passport (see FINCEN BOI-FAQs F.3).

In this day and age, where massive data breaches and PII pirates are rampant, having some level of anxiety in connection with the BOI reporting requirements is perfectly understandable.  That said, understanding what your PII will be used for and to whom it may be disclosed may alleviate some concerns.

Authorized Recipients
Disclosure of a BOI report is limited to six categories of recipients:

  1. Federal agencies engaged in national security, intelligence, or law enforcement activity if the requested BOI will be used in furtherance of such an activity.
  2. State, local and Tribal law enforcement agencies, but only if a court of competent jurisdiction has authorized the disclosure in connection with a criminal or civil investigation.
  3. Requestors from outside the United States, provided that the request is made through an intermediary federal agency and satisfies the following:
    • The request must be on behalf of a law enforcement agency, or other official, in connection with a law enforcement investigation, matters of national security or intelligence activity; and
    • The request must be made pursuant to an international treaty or other agreement, or, in the absence of such an agreement, be an official request of a trusted foreign country.
  4. Financial institutions in connection with customer due diligence requirements under applicable law, provided that the financial institution obtains prior consent from the customer (i.e., the reporting company).
  5. To regulatory agencies in connection with the assessment of financial institutions for compliance with customer due diligence requirements.
  6. To employees or other agents of the United States Department of the Treasury (i) whose official duties require BOI inspection or disclosure, or (ii) for tax administration.

Security Requirements
Authorized recipients of BOI must also be able to demonstrate that they have established sufficient security policies and procedures with respect to the BOI prior to receiving such information.  For example, domestic agencies (including categories 1 and 2 above) must:

  1. Enter into an agreement with FINCEN specifying the specific security policies and procedures as approved by the head of the requesting agency;
  2. Provide FINCEN with an annual report describing the policies and procedures and certifying that the same meet the requirements of applicable law;
  3. Maintain a secure system for storing BOI which meets prescribed FINCEN requirements;
  4. Maintain auditable records with respect to all BOI requests made by the agency, and conduct an annual compliance audit;
  5. Restrict access to BOI to personnel meeting certain criteria, including training requirements; and
  6. Satisfy other reporting requirements with respect to the sufficiency of the agency’s policies and procedures.

The Corporate Transparency Act is an important tool in combating money laundering and other illegal activities which are frequently carried out anonymously through shell entities.  Unfortunately, the Act casts a wide net that captures not only potential criminals but the ordinary business owner.  With that in mind, Congress and FINCEN have implemented a wide range of disclosure and security requirements which, if followed, should protect the ordinary business owner from having his/her PII disclosed for inappropriate purposes.

How MM&C Business & Tax Attorneys Can Help
Please contact Miller, Miller & Canby should you have any question dealing with the Act’s reporting and/or security requirements. Kevin D’Anna is a Principal at Miller, Miller & Canby and a member of the firm’s Business & Tax and Real Estate (finance) practice groups. Kevin regularly advises financial institutions in connection with asset-based, real estate, and USDA and SBA guaranteed loan transactions.  In addition, he has become trusted outside counsel for local and regional businesses of varying size and industry, providing legal advice on matters ranging from business formation to disposition, and providing practical legal advice in connection with complex business transactions. He may be reached at