The Statute, the Rule, and the Players

Let's get the architecture straight, because confusing the law with the rule is a common source of error. When Congress passes a law, that's the statute. The CTA's statute is 31 U.

S.C. section 5336.

It sets the broad mandate: that certain companies must report beneficial ownership, and it tells a federal agency to write the details. The agency here is FinCEN, and the details it wrote are the regulation, found at 31 CFR section 1010.380.

Think of the statute as the instruction from Congress and the regulation as the operating manual FinCEN built to carry it out. When you actually need to know what a reporting company is, or who counts as a beneficial owner, you'll usually be reading the regulation, 1010.380, because that's where the working definitions live.

But the regulation can never go further than the statute allows, which is exactly the tension that drove the litigation we'll cover later.

The agency at the center is FinCEN, the Financial Crimes Enforcement Network, a bureau of the Treasury Department. FinCEN is the same agency that runs the broader U.S.

anti-money-laundering machinery, things like suspicious activity reports and currency transaction reports. For the CTA, FinCEN does three jobs. It writes the rules.

It runs the secure electronic system where companies file their beneficial ownership information. And it publishes the practical guidance most people actually rely on, the Small Entity Compliance Guide and the BOI frequently asked questions on fincen.gov.

Here's a practical tip that holds even when the rule is in flux: FinCEN's own FAQ page is the fastest place to confirm the current state of play, because FinCEN updates it when the rules shift. We'll lean on that guidance throughout, and we'll always tell you it's FinCEN's interpretation, not a court's final word.

There are actually two FinCEN rules you should keep separate in your head. The first is the Reporting Rule, 31 CFR 1010.380, which we just met.

It answers the questions on the front end: which companies must report, who their beneficial owners are, what information goes in, and by when. The second is the Access Rule, 31 CFR 1010.955, sometimes called the Access and Safeguards Rule.

It answers a completely different question on the back end: once all this sensitive ownership data is collected, who is allowed to see it, and how is it protected. People routinely blur these two together, and that's a mistake. The reporting obligations and the access restrictions are governed by different regulations with different logic.

We'll spend most of this workshop on the Reporting Rule, and we'll give the Access Rule its own dedicated lecture later, because the privacy and access side is genuinely important.

When you finally sit down to file, the report is organized into three buckets of information, and these mirror the three core phrases from lecture one. Bucket one is about the company itself, its legal name, any trade names, its address, where it was formed, and its tax identification number. Bucket two is about each beneficial owner, the real human beings who own or control the company.

And bucket three is about the company applicant, the person who filed the document that created the company, which only applies to companies created on or after January the first, 2024. Hold onto this structure, because it tells you what you're hunting for. To complete a report you need to know the entity, you need to know the humans behind it, and, for newer companies, you need to know who pressed the button to form it.

We'll devote separate lectures to each.

It helps to understand the design intent, because it explains a lot of the rule's quirks. Congress wanted to pierce the anonymity of shell companies, but it did not want a public registry where anyone could look up your home address. So the data flows to FinCEN's secure, non-public system, and access is tightly limited, which is the whole point of that separate Access Rule.

The design also aims squarely at smaller, more lightly regulated entities, the kind of company that could be a shell, while largely exempting big, already-transparent, heavily-regulated entities like banks and public companies. That sounds backwards to people the first time they hear it, and it's a classic trap: the instinct is small business equals exempt, but under the CTA it's closer to the opposite. Large, regulated entities are exempt precisely because regulators can already see who's behind them.

We'll prove that out when we hit the exemptions.

Let's lock in what you'll carry forward. The statute is 31 U.S.

C. 5336. The reporting rule that does the real work is 31 CFR 1010.

380. The access rule, governing who can see the data, is 31 CFR 1010.955.

FinCEN, inside Treasury, runs the whole thing, and its published FAQ is your friend for the current status. And every report is built from three buckets: the company, its beneficial owners, and its company applicant. With that frame in place, the very first question for any entity is the gateway question for the entire regime: is this thing even a reporting company in the first place?

If it isn't, you can stop. If it is, the rest of the analysis kicks in. That gateway question is exactly where we go next.