Skip to Main Content.
  • "Montage of an eye, binary code and people walking on a city pavement."

    What Happens to Your Sensitive Data After It Is Submitted to the Government Under the Corporate Transparency Act?

*This article was also published in the Real Estate Finance Journal’s Summer 2024 edition.

The Corporate Transparency Act (CTA)[1] is designed to combat the use of shell company structures to obscure the identities of individuals engaging in criminal activities, such as terrorism, drug trafficking, money laundering, and corporate fraud. The CTA empowers the U.S. government to collect the beneficial ownership information of legal entities doing business in the United States. Although the CTA’s intended target is corporate fraud and criminal activity, the legislation’s sweeping scope has caught companies’ information security and data privacy compliance efforts in the crossfire.

The CTA is intended to combat nefarious activity through the creation of a new database to be administered by the Financial Crimes Enforcement Network (“FinCEN”). This database will be assembled from reports submitted to FinCEN from CTA-covered entities, also known as “reporting companies.” Reporting companies must disclose their “beneficial owners” to FinCEN. That information includes the name, date of birth, current residential address and unique identifying number from an acceptable document (such as a state driver’s license, U.S. or foreign passport) and a photographic image of the same document for each beneficial owner. This beneficial ownership information must be collected and housed by all reporting companies in connection with this data’s ultimate disclosure to FinCEN.

Who Is Authorized to Access/Use Beneficial Ownership Data?   

For reporting companies, the new data responsibilities pose management and information security risks. Beneficial owners may also have concerns about the security of their data, particularly since the CTA disclosures involve material typically identified as sensitive personal information in a host of state privacy laws, many of which restrict the ways in which recipients or custodians of the data are permitted to use it.

What, exactly, can the government do with the sensitive data it collects on individuals as part of the CTA reporting process? FinCEN has issued a rule prescribing appropriate uses for CTA-generated data.[2] Under the rule, acceptable recipients of this information include “law enforcement, intelligence, and national security professionals,” and certain financial institutions. The information itself will be collected and administered in FinCEN’s “beneficial ownership information technology system” which will, it asserts, “securely collect, process, and store that [personal data].”[3]

Different rules of access apply to each category of authorized recipients. For example, federal government agencies will have access to the information so long as their representatives certify that the requested data will be used “in furtherance” of national security, intelligence, or law enforcement activity. Foreign requests, by contrast, must come from law enforcement officials in the relevant jurisdiction who apply to FinCEN for access to the information after being sponsored by a related U.S. law enforcement agency pursuant to an international treaty or similar instrument.

Can the Government Share CTA Information with Third Parties?

U.S. government agencies must “satisfy several security and confidentiality requirements” before accessing the data, including “establishing standards and procedures to protect the security and confidentiality of [the information], entering into an agreement with FinCEN specifying those standards and procedures, establishing and maintaining a secure system for storing [the information], establishing and maintaining auditable request records, restricting access to [information], conducting audits, and providing FinCEN with reports and certifications.” Financial institutions requesting information under the CTA must “apply[] to [the information] the same security and information handling procedures they use to protect customers’ nonpublic personal information in compliance with section 501 of the Gramm-Leach-Bliley Act and its implementing regulations.”[4]

Once an authorized recipient receives information obtained from CTA compliance, it is prohibited from re-disclosing it to third parties. However, there are eight exceptions to the CTA’s re-disclosure prohibition that are further set forth in the FinCEN rule. Under these exceptions, information may be re-disclosed as follows:[5]

  1. Officers, employees, contractors, or agents of a Federal, State, local or Tribal agency may disclose information to other officers, employees, contractors, or agents within the same organization for the particular purpose or activity for which the information was requested (§ 1010.955(c)(2)(i)).
  2. Officers, employees, contractors, or agents of a financial institution may disclose information to other officers, employees, contractors, or agents within the U.S. of the same financial institution for the particular purpose or activity for which the information was requested (proposed § 1010.955(c)(2)(ii)).
  3. Officers, employees, contractors, or agents of a financial institution may disclose information to the financial institution’s Federal functional regulator,[6] a self-regulatory organization that is registered with or designated by a Federal functional regulator pursuant to Federal statute, or other appropriate regulatory agency, that meets the requirements identified in the statute (§ 1010.955(c)(2)(iii)). For example, a state-chartered bank may disclose CTA information to the Federal Deposit Insurance Corporation and its state banking regulator.
  4. Any officer, employee, contractor, or agent of a Federal functional regulator may disclose information to a self-regulatory organization that is registered with or designated by the Federal functional regulator, provided that the self-regulatory organization meets the requirements set out in the statute (§ 1010.955(c)(2)(iv)). For example, the Securities and Exchange Commission may disclose information to the Financial Institutions Regulatory Authority, the self-regulatory agency for the securities brokerage industry.
  5. Any officer, employee, contractor, or agent of a Federal agency that receives information from FinCEN after requesting it on behalf of a foreign authority pursuant to the statute may disclose the information to the foreign person on whose behalf the Federal agency made the request (§ 1010.955(c)(2)(v)).
  6. Any officer, employee, contractor, or agent of a Federal agency engaged in a national security, intelligence, or law enforcement activity, or any officer, employee, contractor, or agent of a State, local, or Tribal law enforcement agency may disclose information to a court of competent jurisdiction or parties to a civil or criminal proceeding (§ 1010.955(c)(2)(vi)).
  7. Any officer, employee, contractor, or agent of a Federal agency that receives information from FinCEN pursuant to the statute may disclose information to the U.S. Department of Justice for purposes of making a referral to the Department of Justice or for use in litigation related to the activity for which the requesting agency requested the information (§ 1010.955(c)(2)(vii)).
  8. A foreign authority specified in the statute may disclose and use information consistent with the international treaty, agreement, or convention under which the request for information was made (§ 1010.955(c)(2)(viii)).

What Can CTA-Covered Entities Expect and Do?

Not all of the categories of authorized recipients will have immediate access to CTA-related information. FinCEN is phasing access to the data over time, beginning with federal agency requesters in 2024 and finishing with financial institutions at some point in the future. If you have any questions or concerns about the CTA or the personal data you are required to submit in connection with forming an entity under federal regulations, the lawyers at Frost Brown Todd are well-positioned to assist you and your business.

Frost Brown Todd will also continue to monitor all governmental agencies’ future work as they issue regulations and guidance related to the CTA. Please contact the authors or any attorney with our Corporate Transparency Act Team if you have any questions or concerns.

Subscribe to Get CTA Updates


[1] 31 U.S.C. § 5336.

[2] Fin. Crimes Enf’t. Network, FinCEN Issues Final Rule Regarding Access to Beneficial Ownership Information (Dec. 21, 2023).

[3] Id.

[4] Id.

[5] All citations to the Code of Federal Regulations Title 31.

[6] The “federal functional regulators” are: the Board of Governors of the Federal Reserve System; the Office of the Comptroller of the Currency; the Federal Deposit Insurance Corporation; the National Credit Union Administration; the Securities and Exchange Commission; and the Commodity Futures Trading Commission. 31 C.F.R. §1010.100(r).