Lesson 10 of 12
The BOI Database and the Access Rule
BOI is not public. See who actually can access it under 31 CFR 1010.955 — law enforcement, Treasury, certain foreign authorities, and financial institutions in a narrow consent-based lane — and the safeguards and penalties that protect the data.
Not a public registry
- BOI goes into a secure, non-public FinCEN database
- The public CANNOT look up a company's beneficial owners
- Different from public registries in some other countries
- Privacy was a core design choice
Here's a point worth stating loudly, because people assume the opposite: the beneficial ownership information collected under the CTA is not public. It goes into a secure, non-public database maintained by FinCEN. A random member of the public cannot log in and look up who owns a given company, the way you might in some other countries that run open beneficial-ownership registries.
The United States deliberately chose a closed model. Congress wanted law enforcement and certain authorized parties to be able to pierce anonymous structures, but it did not want to publish citizens' home addresses and identification details to the world. So when someone worries that filing puts their personal information out in public, that's a misunderstanding worth correcting: the data is collected for a tightly limited set of authorized users, not for public consumption.
The Access Rule governs who can see it
- 31 CFR 1010.955 — the Access and Safeguards Rule
- Separate from the Reporting Rule (1010.380)
- Lists specific authorized recipient categories
- Access is strictly conditioned and logged
Access is governed by its own regulation, the Access and Safeguards Rule at 31 CFR 1010.955, separate from the Reporting Rule we've been working with. This is the rule we flagged back at the start, and now it earns its own lecture.
The Access Rule does two things. First, it spells out exactly which categories of recipients are allowed to obtain beneficial ownership information from FinCEN's database. Second, it imposes safeguards, security requirements, and limits on how those recipients may use and re-share the data.
The design philosophy is need-to-know: access is granted to specific users for specific purposes, under specific conditions, and it's tracked. This is not a database anyone can browse, even among the authorized; each category of user gets access only on defined terms.
Who can get access
- Federal agencies in national security, intelligence, law enforcement
- State/local/tribal law enforcement (with court authorization)
- Treasury itself, for tax administration and oversight
- Certain foreign authorities, via U.S. intermediary agencies
So who is on the authorized list? At the top, federal agencies engaged in national security, intelligence, and law enforcement activity can request BOI for use in those activities. State, local, and tribal law enforcement can get access too, but with an added condition: generally, a court of competent jurisdiction must authorize the request in a criminal or civil investigation.
The Treasury Department itself can access the data, including for tax administration and for oversight of the system. And certain foreign government authorities can obtain information, but only by routing their requests through an intermediary U.S. agency, not by reaching into the database directly. Notice the pattern: the core users are government investigators, and even they operate under conditions tailored to their category. This is access built around law-enforcement need, not general curiosity.
Financial institutions: a narrow, consent-based lane
- FIs may access BOI to meet customer due diligence duties
- Only with the reporting company's consent
- Tied to the institution's own CDD obligations
- Not an open window — conditioned and limited
There's one more category that often surprises people: financial institutions. Under the Access Rule, a financial institution may obtain a reporting company's beneficial ownership information to help satisfy its own customer due diligence obligations, the know-your-customer work banks already have to do. But this lane is narrow and conditioned.
Crucially, the financial institution can only get that information with the consent of the reporting company, and its access is tied to fulfilling those due-diligence requirements, not to anything it pleases. The regulators that supervise those financial institutions can, in turn, see the information when they're assessing the institution's compliance. So even the financial-institution lane isn't an open window: it requires the company's consent and it's bounded by the purpose.
The recurring theme is conditions, conditions, conditions.
Safeguards and the penalty for misuse
- Authorized users must protect the data (security standards)
- Unauthorized disclosure or use is itself prohibited
- Civil and criminal penalties for misuse (31 U.S.C. 5336(h))
- The data is sensitive — the law treats leaks seriously
Because this data is so sensitive, the Access Rule pairs every grant of access with safeguards. Authorized recipients have to meet security and confidentiality standards, store the information appropriately, and limit who within their organization can touch it. And the law backs this with teeth: knowingly disclosing or using beneficial ownership information without authorization is itself a violation, separate from the reporting violations, and it carries its own civil and criminal penalties under 31 U.S.C. 5336(h).
In other words, the CTA doesn't just punish companies that fail to report; it also punishes officials and others who leak or misuse the data once it's collected. That two-sided structure (report it accurately, and protect it strictly) is what lets the government justify collecting such personal information in the first place. We'll detail the penalties next.
Recap and what's next
- BOI is non-public; held in a secure FinCEN database
- Access Rule (1010.955) lists narrow authorized users
- FIs only with company consent, tied to CDD
- Next: penalties and the current legal status
Let's recap the access side. Beneficial ownership information is not public; it sits in a secure FinCEN database, and the separate Access and Safeguards Rule at 31 CFR 1010.955 decides who may see it.
The authorized users are mainly government: federal national-security and law-enforcement agencies, state and local law enforcement with court authorization, Treasury for tax and oversight, and certain foreign authorities through U.S. intermediaries. Financial institutions are added in a narrow, consent-based lane tied to their own due-diligence duties.
Every grant comes with safeguards, and misusing the data is its own punishable offense. That brings us to the consequences of getting it wrong (the penalties) and to the part you've been waiting for: where the CTA actually stands right now. That's the next lecture, and it's the one to watch most carefully.
Sources
- 31 U.S.C. 5336(c) (disclosure of information) and 5336(h)(3) (unauthorized disclosure penalties)
- FinCEN BOI Access and Safeguards Rule, 31 CFR 1010.955
- FinCEN Small Entity Compliance Guide and BOI FAQs (access and confidentiality of BOI)
Test your knowledge
A few CTA questions on this material.
Q1. In Texas Top Cop Shop v. Garland, what relief did the Eastern District of Texas grant?
Q2. In contrast to the Texas cases, what did the Sixth Circuit hold regarding the CTA's constitutionality in Smith v. Treasury?
Q3. Why did FinCEN issue an Interim Final Rule rather than a full Notice-and-Comment Proposed Rule to implement the domestic-entity exemption?
Q4. A tribal-law LLC formed under the law of a federally recognized Indian tribe and registered nowhere else — is it a potential reporting company under the original rule?