On January 1, 2024, the federal Corporate Transparency Act (CTA) went into effect. Despite a recent court decision that found the CTA unconstitutional (described below), the ruling enjoining application of the law applies only to a small number of businesses. All other entities subject to the CTA, including gaming companies, must disclose the identity of their beneficial owners to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) through an online registry maintained by FinCEN.
Of particular interest to the gaming industry are certain rules that restrict the disclosure of beneficial ownership information (BOI) obtained from the FinCEN BOI database. Individuals who may obtain such information include those acting as a director, an officer, an employee, a contractor or an agent of a financial institution, a category that includes casinos.
This article will review some of the key elements of the CTA, the court challenge that led to the ruling of unconstitutionality, and specific information security and confidentiality requirements pertaining to this law.
A high-level overview of the CTA
With some notable exceptions (e.g., public and tax-exempt companies), a reporting company is any domestic or foreign corporation, limited liability company, or other entity created or registered to do business by the filing of a document with a secretary of state or similar office under the law of a state or American Indian tribe. These include limited partnerships and trusts that are created by a filing with a secretary of state or similar office.
Reporting companies are required to submit a disclosure report to FinCEN that includes the full legal name; trade name or d/b/a name; current address; state, tribal, or foreign jurisdiction of formation or registration; IRS Taxpayer Identification Number or Employer Identification Number; and the following information about each beneficial owner: (i) legal name; (ii) date of birth; (iii) current residential address; (iv) identification number (e.g., state-issued identification, driver’s license, or passport number); (v) and image of the identifying document containing the number.
For reporting companies created or registered on or after January 1, 2024, the person who submits the formation or registration documentation to the applicable state authority for the reporting company must also disclose the same information required of the beneficial owners.
“Beneficial ownership” is defined broadly by the CTA to include any individual who, directly or indirectly, owns or controls 25 percent or more of the ownership interests of a reporting company or who exercises substantial control over a reporting company.
Reporting companies that were formed or registered before January 1, 2024, have until January 1, 2025, to submit their initial report. Any company that is subject to the CTA and was formed or registered in 2024 must submit its initial report within 90 calendar days after the company’s creation or registration. For reporting companies formed on or after January 1, 2025, the time frame to submit their initial reports will shrink to 30 days.
District court decision limits application of the CTA, somewhat
On March 1, 2024, in National Small Business United, d/b/a the National Small Business Association, et al. v. Janet Yellen, in her official capacity as Secretary of the Treasury, et al., the U.S. District Court for the Northern District of Alabama declared the CTA unconstitutional. Among other findings, the court determined that the law is not authorized by Congress’ foreign affairs powers and the plain text of the CTA does not fall under the commerce clause.
Despite this ruling, the court enjoined application of the CTA only with respect to the plaintiff, the National Small Business Association (NSBA), and its membership. Because the court did not extend the injunction to other businesses subject to the CTA, all other reporting entities continue to be subject to the BOI reporting and disclosure limitation requirements.
In other words, and at least for the time being, if you are not a member of the NSBA and fall under the definition of a reporting company, you must report BOI and comply with specific rules restricting the disclosure of certain information obtained from the FinCEN database. These rules are of specific interest to casinos and other gaming industry participants.
BOI security and confidentiality requirements
The key requirements in question are the BOI Access and Safeguard Rules and the Small Entity Compliance Guide for BOI Access and Safeguard Rules.
These rules became effective February 20, 2024, and limit the disclosure of information by FinCEN to federal agencies for use in furtherance of national security, intelligence or law enforcement activity; state, local and tribal law enforcement agencies for use in criminal or civil investigations; a federal agency on behalf of a foreign national security intelligence or law enforcement entity in furtherance of foreign national security, intelligence or law enforcement activity; financial institutions and their regulatory agencies to facilitate compliance with customer due diligence requirements [emphasis added]; and officers or employees of the Treasury.
With respect to the security and confidentiality requirements imposed on financial institutions such as casinos, these entities:
- Shall not make information obtained from FinCEN available to any persons physically located in, or store the information in, the People’s Republic of China, the Russian Federation, or any state sponsor of terrorism as determined by the U.S. Department of State or that is otherwise subject to comprehensive financial and economic sanctions imposed by the U.S. government.
- Must develop and implement administrative, technical and physical safeguards designed to protect the security, confidentiality and integrity of such information. (Note that the application of information procedures established to satisfy the requirements of Section 501 of the Gramm-Leach-Bliley Act and applicable regulations thereunder will meet this obligation.)
- Must obtain and document the consent of the reporting company to request BOI from FinCEN, which consent must be maintained for five years after it was last relied on.
- Must certify that they are requesting information to facilitate their compliance with their customer due diligence requirements under applicable law, have obtained the consent of the reporting company to request the information from FinCEN, and have fulfilled all other requirements.
At this time, financial institutions, including casinos, do not have access to the BOI database and will likely be among the last groups to be extended such access. In the meantime, however, gaming industry participants designated as reporting companies should ensure that they are aware of and comply with all current and forthcoming reporting and information security and confidentiality requirements.