FinCEN Eliminates Beneficial Ownership Reporting Requirements for U.S. Companies and U.S. Persons,...
Calling on FinCEN to Delete Sensitive CTA Information Gathered from Exempt US Companies
The dust seems to be settling on the Corporate Transparency Act (CTA). But there’s still some swirling.
U.S. companies are no longer required to comply with the reporting requirements aimed at stopping shell companies. The question now is what happens to all sensitive data that has already been submitted?
After many court cases resulting in back-and-forth directions to business owners, the Financial Crimes Enforcement Network (FinCEN) issued an interim final rule in March that states only foreign reporting companies are required to file Beneficial Ownership Information (BOI) reports under the CTA. Domestic entities – US companies- are not required to file. The development came as a relief to the millions of small businesses across the United States that had been preparing, or had already filed, BOI reports in compliance with the CTA.
While the clarification brings much-needed regulatory relief, it also creates a serious and unresolved issue: what happens to the BOI reports and the sensitive data they contain that domestic companies filed before this rule change?
The Problem: Filed Reports for Now-Exempt Companies
Many domestic businesses acted in good faith and began—or completed—the BOI filing process shortly after the CTA went into effect on January 1, 2024. This included newly formed entities and existing small businesses falling under the CTA’s initial requirements as well as existing companies that filed toward the end of 2024 to meet the January 1, 2025, compliance date. These entities disclosed sensitive information about their ownership structures, including names, birth dates, residential addresses, and identification documents of beneficial owners.
With the interim final rule in place, entities not classified as “foreign reporting companies” (which have been formed in non-United States jurisdictions and are registered to do business in the United States by filing with a secretary of state or equivalent authority) are no longer required to report. Further, United States persons (even “beneficial owners” exercising substantial control over or owning in excess of 25% of the foreign reporting company), are not required to be included in a foreign reporting company’s BOI report. Thus, the CTA reporting obligation is now effectively limited to foreign reporting companies having one or more non-U.S. persons as beneficial owners – a population that dwindles from approximately 33 million entities to about 12 thousand entities. Yet, FinCEN still holds the previously submitted BOI data from a significant subset of those 33 million entities—a trove of highly confidential personal and business information that no longer serves a regulatory purpose.
Protect Privacy: Purge the Records
Given that these companies are now exempt, there is no compelling reason for FinCEN to retain their BOI reports. Further, FINCEN’s needlessly retaining such sensitive data unnecessarily exposes small businesses and their stakeholders to increased risks, including cyberattacks, internal misuse, or accidental disclosure.
In the best case, FinCEN will establish a formal, transparent procedure for identifying and permanently deleting all BOI reports filed by now-exempt domestic reporting companies along with their corresponding print and electronic data.
Such a policy would:
- Honor the principle of data minimization, which is a core best practice in privacy and cybersecurity.
- Reduce the risk of breaches or unauthorized access to information that should not have been collected under current rules.
- Reinforce trust between FinCEN and the small business community, which has already expressed frustration over the rapid and extensive implementation of the CTA.
- Prevent potential legal exposure for retaining and storing data that is no longer relevant or justified by regulation.
Looking Ahead
This issue highlights the growing pains that often accompany sweeping federal regulatory changes. While the CTA was designed to combat illicit finance and improve transparency, its shortfalls in evolving implementation and unprecedented scope underscore the importance of adaptability and limited taxpayer impact on the part of regulators. Should FINCEN fail to act responsibly by purging unnecessary BOI records and definitively safeguarding the wide net of data that it collected, American entrepreneurs will call for it to be held accountable for the damage caused. Resulting damage, expense, and political fallout would be another harsh CTA lesson impacting past, present, and future regulators.
