Reporting Companies Under the Corporate Transparency Act Beware: Using Service Providers to Comply Creates New Data Privacy Risk

In this article, the authors explain that reporting companies are responsible for compliance with state, federal, or foreign data privacy and cybersecurity laws – and for ensuring that their service providers, vendors and consultants comply as well.

The Corporate Transparency Act (CTA), which became effective on January 1, requires that U.S. and foreign companies authorized to do business in the U.S. (each, a Reporting Company) report specific personal information regarding their beneficial owners (beneficial ownership information, or BOI) to the U.S. Department of the Treasury Financial Crimes Enforcement Network (FinCEN) via the Beneficial Ownership Secured System (BOSS) unless an exemption applies. FinCEN has issued a series of rules that specify Reporting Company obligations under the CTA, govern access to BOI, and revise customer due diligence rules (the latter is slated for issuance in 2024) (collectively, the FinCEN Rules).