The Corporate Transparency Act went into effect on January 1, 2024. I’ve put together a comprehensive guide to the CTA here. The CTA requires companies (other than those specifically exempt) to file beneficial ownership information (BOI) about all owners who own or substantially control at least 25% of a company. Upon request by a beneficial owner, company applicant or reporting company, the CTA permits FinCEN (the governing body responsible for the enforcement of the CTA) to assign a numeric identifier to each person or entity. FinCEN cannot issue more than one FinCEN identifier to the same individual or entity (including any successor entities).
For most companies, the BOI filing is just another reporting requirement to maintain. The CTA requires the collection and submission of personally identifiable information (PII). Companies should consider their data collection procedures and how they interact with their privacy policies. By collecting information required by the CTA, companies must ensure that they are complying with data privacy laws.
If you’re a reporting company, you should take a moment to review and update the following as needed:
Review Your Existing Data Protection Programs
Understand and update your current data protection programs to ensure that BOI and FinCEN identifiers are appropriately evaluated, processed and protected in accordance with data protection laws. Colorado requires that individuals affirmatively consent to the collection of their PII. Data protection assessments may be required in certain circumstances, and reporting companies may have to respond to consumer rights requests (e.g., the right to limit the use and disclosure of sensitive PII).
Check Your Cyber Insurance Coverage
Ensure you have appropriate cyber insurance coverage in place and that the policy terms cover BOI and FinCEN identifiers. A security incident or data breach that affects BOI and/or FinCEN identifiers is highly likely to trigger notification and other obligations under U.S. state data breach laws and similar laws in foreign jurisdictions. The CTA is a new law, and insurance carriers may not yet have updated their policies or related materials.
Confirm Your Vendors are in Compliance
Ensure that vendors engaged to assist with the CTA and FinCEN rules comply with data protection laws. This includes your lawyer! Your vendors should be processing and disclosing PII only as directed; ensuring that data transfers comply with applicable laws; fulfilling their obligations as a data processor, service provider or contractor under data protection laws; implementing appropriate security measures to protect PII from cyberattacks; and purchasing cyber insurance that provides coverage for any security incident or data breach experienced by a vendor that affects BOI and FinCEN identifiers.
The CTA is here to stay, and companies will need to put proper data processing procedures in place to stay in compliance with privacy laws. We know that failure to comply with the CTA will result in fines as outlined in the CTA itself. Companies should also consider the fines and penalties associated with failure to comply with state and federal privacy laws. The above practices can help you avoid running afoul of multiple laws.
Need help with your CTA filing? Reach out today!