Earlier this year the Corporate Transparency Act officially went into effect and it has massive implication on privacy assurances for business in the United States.
The federal Corporate Transparency Act (“CTA”) went into effect on January 1, 2024 and will require tens of millions of businesses—including the smallest mom-and-pop-shops—to turn over their private information to the federal government for “national security” reasons, as well as purportedly to prevent money laundering and tax evasion. Worse yet, FinCEN—the enforcement division of the U.S. Treasury Department that will be collecting this information—is expressly permitted to share this information with both domestic and foreign governments, law enforcement, and intelligence agencies. Let’s dig into this latest effort of the administrative state to collect data on ordinary citizens.
The CTA requires any company formed in the U.S. and any foreign company operating in the U.S. to file a Beneficial Ownership Information Report (“BOIR”) with FinCEN. The BOIR requires each company to disclose the name, date of birth, and residential address of each “beneficial owner,” as well as upload a form of ID such as a driver’s license or U.S. passport to FinCEN’s “secure” system. A beneficial owner broadly includes both 25% owners of companies and any officers, managers, directors, or other individuals that may exercise control of the company. Companies must then update those reports within 30 days for any changes in the reported information (e.g., an officer who moves his or her residential address). Failure to comply with CTA can result in federal imprisonment of up to 2 years and fines of up to $10,000.
The CTA does provide exemptions for certain companies, including namely regulated banks, investment companies, insurance companies, publicly-traded companies, and large operating companies ($5M+ in gross sales, 20+ employees, and a physical U.S. office). Notably absent from the available exemptions are small- and medium-sized companies that make up the vast majority of businesses in the U.S.
By FinCEN’s own admission, the CTA will apply to 32.6 million businesses in the U.S. and an additional 5 million new business formed each year. The government, amusingly, points to the geopolitical events in the Russian-Ukraine war as part of the justification for requiring tens of millions of lawful citizens to disclose private information to FinCEN:
Recent geopolitical events have reinforced the point that abuse of corporate entities, including shell or front companies, by illicit actors and corrupt officials presents a direct threat to the U.S. national security and the U.S. and international financial systems. For example, Russia’s illegal invasion of Ukraine in February 2022 further underscored that Russian elites, state-owned enterprises, and organized crime, as well as Russian government proxies have attempted to use U.S. and non-U.S. shell companies to evade sanctions imposed on Russia. This rule will enhance U.S national security by making it more difficult for criminals to exploit opaque legal structures to launder money, traffic humans and drugs, and commit serious tax fraud and other crimes that harm the American taxpayer.[1]
Our government appears to believe that it’s worth imposing federal reporting obligations on tens of millions of U.S. businesses and individuals in the off chance that a Russian-tied shell company will willingly reveal details about their ownership and control.
The CTA requires FinCEN to store these BOIRs in “a secure, nonpublic database, using information security methods and techniques that are appropriate to protect nonclassified information systems at the highest security level.” These vague standards provide little comfort considering that federal agencies have consistently been unable to protect against data breaches. One report indicated that, since 2014, the U.S. government has suffered 1,283 data breaches affecting more than 200 million records. In just the past 12 months, the Department of Defense, the Department of Energy, and the Office for Personnel Management suffered breaches compromising the data of millions of Americans. Now imagine the rich target that the FinCEN database will provide as it stores the personal data on tens of millions of Americans and their businesses.
Worst still, the CTA authorizes FinCEN to widely share BOIRs with other federal and state agencies and law enforcement, as well as foreign law enforcement and government actors. Specifically, FinCEN may share BOIRs with:
Foreign requesters must establish “standards and procedures” to protect the security and confidentiality of BOIRs and must maintain the information in a “secure system.” With BOIRs being widely shared across the U.S. and the globe, it’s only a matter of time before confidential information becomes broadly disseminated.
Last month a federal district court in Northern District of Alabama ruled that the CTA was unconstitutional because it “cannot be justified as an exercise of Congress’ enumerated power.”[2] The Court explained that the CTA exceeded the Constitution’s limits on the legislative branch, and the law lacked a sufficient nexus to any enumerated power to be a necessary and proper means of achieving Congress’ policy goals. While many businesses were elated at the ruling, the Court only enjoined the government from enforcing the CTA against the specific plaintiffs in that case, without imposing any nationwide injunction against FinCEN enforcing this law. FinCEN was quick to release a notice communicating that the government would not enforce the CTA with respect to the specific plaintiffs in the case, while also appealing the ruling to the 11th Circuit Court of Appeals.
This case offers a glimmer of hope that the courts may provide a means to protect citizens against ever-encroaching government intrusion. The appeals process could take months or years. In the interim, absent political change or widespread outrage over the law, the CTA will remain in place as a new tentacle of the ever-growing administrative state.
[1] Beneficial Ownership Information Reporting Requirements (87 FR 59498)
[2] National Small Business Association v. Yellen (N.D. Ala).