The Corporate Transparency Act’s (CTA) beneficial ownership information (BOI) rule is only five years old. Despite its relative newness, it’s about to undergo a dramatic makeover, requiring bankers and compliance experts to scramble.
Beginning January 2024, financial institutions will need to furnish the names of owners at reporting companies at the 25-percent-or-higher level and supply a longer list of individuals with substantial control. These individuals can include the CEO, the CFO, board members, and others.
Additionally, the new BOI rule means financial institutions will be responsible for supplying ownership and control information directly to FinCEN as part of the onboarding process for new customers and supporting existing ones.
At a recent webinar titled “Navigating the Corporate Transparency Act: The Final BOI Rule,” RiskScout partnered with Constantine Lizas*, a former FDIC regulator, now Partner at Harris Beach PLLC, to untangle some of the complicated details.

Attendee Final BOI Rule Questions and Lizas’ Insightful Answers
Question 1: Is there any precedent for civil or criminal penalties surrounding the Corporate Transparency Act that our audience should know about?
Answer: No, at this moment, there’s no precedent. It’s just the statutory law at this point, and we have to see where that goes.
With respect to beneficial ownership information, one of the things that’s going to be really important is understanding what the company is doing. So, if you have a legitimate company, and they just forget and have bad controls and are not as responsible as they should be, I don’t see any major liability for that individual or company.
But if you have a company that is helping to layer funds in a money laundering scheme, and let’s say the prosecutors can’t prove that that company knew that the funds were the funds of a specified unlawful activity—then I think in that type of situation, you are going to see prosecutors and regulators trying to go for a criminal penalty.
In other words, if they can’t prosecute for money laundering but they could prosecute for a violation of beneficial ownership information reporting, that’s when criminal penalties will be seen.
Question 2: How will reporting companies actually get reports to the FIs or financial institutions? Will they be going through the FI’s beneficial ownership forms?
Answer: The reporting companies will send the information to FinCEN. Ultimately, there’s going to be an online VPN or PDF that will go to FinCEN but not to the financial institutions. That’s where we’re going to have some confusion.
The reporting companies will have to report to FinCEN, but when they open a new account at a bank, they’ll then have to submit beneficial ownership information—which could be slightly different and have slightly different exemptions—to the bank, too. It will then be up to the bank to contact FinCEN to confirm whether the bank or the financial institution has the correct information.
Question 3: Are financial institutions really not able to search the FinCEN database themselves but only by inquiry? And if so, how will that work?
Answer: Most likely, there will be a portal where the financial institution will submit a query. And then somebody from FinCEN will go ahead and search the database. You already have a system that is very difficult to maneuver, and it will be made more difficult by the fact that the financial institution will not be able to search the database.
Now regulators and law enforcement will have more access to the database, but FIs are only going to be able to request that FinCEN run individual queries.
Question 4: For a bank or credit union that works with a fintech, will it be the financial institution’s responsibility to contact the fintech to verify all beneficial ownership information for its customers?
Answer: At the end of the day, if the customer has what’s defined as “an account” at the financial institution, then that burden will be on the bank.
Third-party risk is a huge issue. Regulators just put out new third-party risk guidance recently. Banks need to understand what third parties do, and they need to all be on the same page and make sure that everybody is meeting all their BSA responsibilities.
Question 5: You mentioned that financial institutions will have to request consent from their customers around BOI. How would you recommend they go about getting that consent from their customers?
Answer: For new customers, it’s going to be part of the onboarding procedures. For existing customers, it’s going to need to be inserted into the account relationship paperwork, which means that it’s going to have to be re-executed at some point going forward.
Question 6: The rule states that individuals who own 25 percent or more of an entity—OR any individuals who have substantial control of a company—will need to be reported. So, for example, with four individuals who each have 25 percent ownership of a company, as well as three individuals who control the company, such as board members or a CEO, does that mean that all seven of those individuals would need to be reported? Is that correct?
Answer: That is correct, and it’s a difference between the current rule and the new rule. Under the current rule, you would [report] the four beneficial owners and a control person—and the control person would be just one person. Now you’re in a situation where all of those individuals with substantial control would be listed, and you’re going to have seven individuals [to report].
Although there’s no limit on how many people could be reported, you’d think that after five, ten, or 15 people, there’s not as much substantial control. That’s something to be determined at a later date.
Question 7: The current BOI rule states that information must be obtained prior to account opening. Therefore, if an inquiry is made to FinCEN, what can we expect the turnaround time to be?
Answer: That’s something we’re still waiting to find out. Hopefully, it’s the same day, or just a couple of business days.
The FinCEN database, from what I understand from talking to people from FinCEN, is going to be built from the ground up with fairly new technology, if not the latest technology. I think there’s a hope or expectation that the Beneficial Ownership Secure System (BOSS) is going to be far ahead of what anyone has seen with respect to the SAR database. It should be far more responsive.
Question 8: Do you need to get permission for every individual inquiry for BOSS, or do you get permission for all existing inquiries once the permission is given? Does a new consent need to be given every time?
Answer: That’s not been determined yet by FinCEN. [You do get permission] in the beginning to develop a risk profile, but you may want to do it again later, too, if you get negative news or an alert. There is an expectation and a requirement that the financial institution goes ahead and does enhanced due diligence, and that may entail going back and looking again at the beneficial owners.
Question 9: When is a financial institution NOT able to access the database?
Answer: The financial institution will need the consent of the reporting company [to access the database]. Once it gets consent and sends the appropriate certifications to FinCEN, it will have access to query the database through FinCEN but won’t have access to search the database.
Question 10: Speaking of timelines, I know all this is supposed to take effect on January 1st. If we assume there’s no change on that front, is the database also expected to be available on January 1st?
Answer: The answer is “yes” to January 1st, but there could be up to a week or two or even a month lag. If a reporting company gets registered with the secretary of state on January 1st, it would still have 30 days to file with FinCEN.
Question 11: Will we have to wait until the final rule is released before we know if FIs have access to the database? It sounds like this has already been determined. Could you elaborate?
Answer: It could change, but the way that the proposed access rule was written, financial institutions would not have searchable access to the database. I doubt that that will change because it’s a non-public database.
I think there are pretty strong signals from FinCEN that it’s not going to let institutions have searchable access to the database.
Question 12: If legislation is happening [that would increase reporting requirements around BOI] in New York and possibly in California, as well, what are the odds that similar legislation will be proposed in my state?
Answer: Pretty high, but it depends on the state. There are some states that are a little more protective of privacy, but there are also some states that believe some transparency—or sunshine—is a good thing.
Question 13: Where can we find the guidance around the requirements of financial institutions to use BOSS themselves?
Question 14: Will financial institutions be forced to only get their beneficial ownership information from the database? Or will they be able to continue to get it from the customer if that’s something the customer is willing to provide?
Answer: Look, financial institutions can get a query from the customer. The idea is that when getting information from the customer, they’d have to check on that information and be able to confirm that information by sending it to FinCEN.
Question 15: Will examiners and regulators have access to BOSS themselves?
Answer: They will, but only for the purposes of examination as it pertains to customer due diligence.
Question 16: I know we’ve talked about criminal and civil penalties that we haven’t seen yet. Is that the risk of not using the database?
Answer: That is the risk. I think it would be fair to say that at this point, unintentional reporting or misreporting—meaning something benign—may not get a penalty or may just get a civil penalty. But when you get into illegal activity and if you’re using the company to aid or abet illegal activity, that’s when you’re looking at criminal sanctions.
I’d also point out that everyone knows FinCEN is short-staffed. So, if you’re talking about 25-to-40 million entities, and let’s just say one percent have some problems with reporting, you’re talking 2.5 to four million entities that might need some sort of civil penalty. It’s not clear that anyone in the country has the capacity to handle that, whether it’s FinCEN or the U.S. Attorney’s offices. That’s a high number of cases. And even if you’re only saying there are problems with 0.1 percent of cases, that’s still 250,000 to 400,000 cases.
Question 17: Is there an expectation on the part of FinCEN that institutions will need to cure or fix any discrepancies that might be found between the financial institutions’ beneficial owner information and FinCEN’s BOSS registry information once those discrepancies are identified?
Answer: If financial institutions are going to continue to onboard a customer or keep that customer, if it’s an existing one, then there’s going to need to be a policy and procedure to move forward and resolve discrepancies.
As community banks and credit unions await a final BOI rule and clarifications, RiskScout will continue holding webinars to answer pressing questions. We hope you’ll join us. To view other informative sessions held this year, subscribe to our YouTube channel.

*Meet the Presenter:
Constantine Lizas joined Harris Beach’s Washington, D.C. office after leaving the FDIC’s Enforcement Section as an acting Supervisory Counsel and the FDIC’s lead BSA/AML Counsel. At the FDIC, he advised the interagency team that began drafting new rules pursuant to the Anti-Money Laundering Act of 2020. He also served as a federal prosecutor in the Department of Justice’s Money Laundering and Asset Recovery Section. In May, Constantine spoke at the Practicing Law Institute on
Anti-Money Laundering Priorities 2023.
He assists financial institutions with examination matters, enforcement actions, government investigations, and compliance issues. For more, visit this web page, which includes information about his background, services, and recent insights.
For more detailed information and to watch the webinar, click here.