31 C.F.R. § 1010.955
(a) Prohibition on disclosure. Except as authorized in paragraphs (b), (c), and (d) of this section, information reported to FinCEN pursuant to § 1010.380 is confidential and shall not be disclosed by any individual who receives such information as—
(b) Disclosure of information by FinCEN—(1) Disclosure to Federal agencies for use in furtherance of national security, intelligence, or law enforcement activity. Upon receipt of a request from a Federal agency engaged in national security, intelligence, or law enforcement activity for information reported pursuant to § 1010.380 to be used in furtherance of such activity, FinCEN may disclose such information to such agency. For purposes of this paragraph (b)(1)—
(2) Disclosure to State, local, and Tribal law enforcement agencies for use in criminal or civil investigations. Upon receipt of a request from a State, local, or Tribal law enforcement agency for information reported pursuant to § 1010.380 to be used in a criminal or civil investigation, FinCEN may disclose such information to such agency if a court of competent jurisdiction has authorized the agency to seek the information in a criminal or civil investigation. For purposes of this section—
(3) Disclosure for use in furtherance of foreign national security, intelligence, or law enforcement activity. Upon receipt of a request for information reported pursuant to § 1010.380 from a Federal agency on behalf of a law enforcement agency, prosecutor, or judge of another country, or on behalf of a foreign central authority or foreign competent authority (or like designation) under an applicable international treaty, agreement, or convention, FinCEN may disclose such information to such Federal agency for transmission to the foreign law enforcement agency, prosecutor, judge, foreign central authority, or foreign competent authority who initiated the request, provided that:
(ii) The request is:
(ii) Regulatory agencies. Upon receipt of a request by a Federal functional regulator or other appropriate regulatory agency, FinCEN shall disclose to such agency any information disclosed to a financial institution pursuant to paragraph (b)(4)(i) of this section if the agency—
(5) Disclosure to officers or employees of the Department of the Treasury. Consistent with procedures and safeguards established by the Secretary—
(2) Disclosure of information by authorized recipients.
(d) Security and confidentiality requirements—(1) Security and confidentiality requirements for domestic agencies—(i) General requirements. To receive information under paragraph (b)(1), (2), or (3) or (b)(4)(ii) of this section, a Federal, State, local, or Tribal agency shall satisfy the following requirements:
(F) Restrictions on personnel access to information. The agency shall restrict access to information obtained from FinCEN pursuant to this section to personnel—
(1) Who are directly engaged in the activity for which the information was requested;
(2) Whose duties or responsibilities require such access;
(3) Who have received training pursuant to paragraph (d)(1)(i)(B) of this section or have obtained the information requested directly from persons who both received such training and received the information directly from FinCEN;
(4) Who use appropriate identity verification mechanisms to obtain access to the information; and
(5) Who are authorized by agreement between the agency and FinCEN to access the information.
(G) Audit requirements. The agency shall:
(1) Conduct an annual audit to verify that information obtained from FinCEN pursuant to this section has been accessed and used appropriately and in accordance with the standards and procedures established pursuant to paragraph (d)(1)(i)(B) of this section;
(2) Provide the results of that audit to FinCEN upon request; and
(3) Cooperate with FinCEN's annual audit of the adherence of agencies to the requirements established under this paragraph to ensure that agencies are requesting and using the information obtained under this section appropriately, including by promptly providing any information FinCEN requests in support of its annual audit.
(ii) Requirements for requests for disclosure. A Federal, State, local, or Tribal agency that makes a request under paragraph (b)(1), (2), or (3) or (b)(4)(ii) of this section shall satisfy the following requirements in connection with each request that it makes and in connection with all such information it receives.
(B) Certifications and other requirements. (1) The head of a Federal agency that makes a request under paragraph (b)(1) of this section or their designee shall make a written certification to FinCEN, in the form and manner as FinCEN shall prescribe, that:
(i) The agency is engaged in a national security, intelligence, or law enforcement activity; and
(ii) The information requested is for use in furtherance of such activity, setting forth specific reasons why the requested information is relevant to the activity.
(2) The head of a State, local, or Tribal agency, or their designee, who makes a request under paragraph (b)(2) of this section shall submit to FinCEN a written certification, in the form and manner as FinCEN shall prescribe, that:
(i) A court of competent jurisdiction has authorized the agency to seek the information in a criminal or civil investigation; and
(ii) The requested information is relevant to the criminal or civil investigation, setting forth a description of the information the court has authorized the agency to seek.
(3) The head of a Federal agency, or their designee, who makes a request under paragraph (b)(3)(ii)(A) of this section shall:
(i) Retain for the agency's records the request for information under the applicable international treaty, agreement, or convention;
(ii) Submit to FinCEN, in the form and manner as FinCEN shall prescribe: the name, title, agency, and country of the foreign person on whose behalf the Federal agency is making the request; the title of the international treaty, agreement, or convention under which the request is being made; and a certification that the requested information is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country.
(4) The head of a Federal agency, or their designee, who makes a request under paragraph (b)(3)(ii)(B) of this section shall submit to FinCEN, in the form and manner as FinCEN shall prescribe:
(i) A written explanation of the specific purpose for which the foreign person is seeking information under paragraph (b)(3)(ii)(B) of this section, along with an accompanying certification that the information is for use in furtherance of a law enforcement investigation or prosecution, or for a national security or intelligence activity, that is authorized under the laws of the relevant foreign country and that the foreign person seeking information under paragraph (b)(3)(ii)(B) has been informed that the information may only be used only for the particular purpose or activity for which it is requested and must be handled consistent with the requirements of paragraph (d)(3) of this section;
(ii) The name, title, agency, and country of the foreign person on whose behalf the Federal agency is making the request; and
(iii) Any other information that FinCEN requests in order to evaluate the request.
(5) The head of a Federal functional regulator or other appropriate regulatory agency, or their designee, who makes a request under paragraph (b)(4)(ii) of this section shall make a written certification to FinCEN, in the form and manner as FinCEN shall prescribe, that:
(i) The agency is authorized by law to assess, supervise, enforce, or otherwise determine the compliance of a relevant financial institution with customer due diligence requirements under applicable law; and
(ii) The agency will use the information solely for the purpose of conducting the assessment, supervision, or authorized investigation or activity described in paragraph (b)(4)(ii)(A) of this section.
(2) Security and confidentiality requirements for financial institutions. To receive information under paragraph (b)(4)(i) of this section, a financial institution shall satisfy the following requirements:
(i) Geographic restrictions on information. The financial institution shall not make information obtained from FinCEN under paragraph (b)(4)(i) of this section available to persons physically located in, and shall not store such information in, any of the following jurisdictions:
(C) A jurisdiction:
(1) That is a state sponsor of terrorism, as determined by the U.S. Department of State;
(2) That is the subject of comprehensive financial and economic sanctions imposed by the Federal Government, i.e., is a jurisdiction with a government whose property and interests in property within U.S. jurisdiction are blocked pursuant to U.S. sanctions authorities, or a jurisdiction subject to broad-based prohibitions on transactions by U.S. persons involving that jurisdiction, such as prohibitions on importing or exporting goods, services, or technology to the jurisdiction or dealing in goods or services originating from the jurisdiction, pursuant to U.S. sanctions authorities; or
(3) To which the Secretary has determined that allowing information obtained from FinCEN under paragraph (b)(4)(i) of this section to be made available would undermine the enforcement of the requirements of paragraph (d)(2) of this section or the national security of the United States.
(ii) Safeguards. The financial institution shall develop and implement administrative, technical, and physical safeguards reasonably designed to protect the security, confidentiality, and integrity of such information. These shall include:
(A) Information procedures. The financial institution shall:
(1) Apply such information procedures as the institution has established to satisfy the requirements of section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.), and applicable regulations issued thereunder, with regard to the protection of its customers' nonpublic personal information, modified as needed to account for any unique requirements imposed under this section; or
(2) If the institution is not subject to section 501 of the Gramm-Leach-Bliley Act, apply such information procedures with regard to the protection of its customers' nonpublic personal information as are required, recommended, or authorized under applicable law and are at least as protective of the security and confidentiality of customer information as procedures that satisfy the standards of section 501 of the Gramm-Leach-Bliley Act.
(iv) Certification. For each request for information regarding a reporting company under paragraph (b)(4)(i) of this section, the financial institution shall make a certification to FinCEN in such form and manner as FinCEN shall prescribe that the financial institution:
(3) Security and confidentiality requirements for foreign recipients of information.
(ii) To receive information under paragraph (b)(3)(ii)(B) of this section, a foreign person on whose behalf a Federal agency made the request under that paragraph shall ensure that the following requirements are satisfied:
(D) Restrictions on personnel access to information. Access to such information shall be limited to persons—
(1) Who are directly engaged in the activity described in paragraph (b)(3) of this section for which the information was requested;
(2) Whose duties or responsibilities require such access; and
(3) Who have undergone training on the appropriate handling and safeguarding of information obtained pursuant to this section.
(2) Rejection of requests.
(ii) FinCEN may reject any request, or otherwise decline to disclose any information in response to a request made under this section, if FinCEN, in its sole discretion, finds that, with respect to the request:
(3) Suspension of access.
(i) FinCEN may permanently debar or temporarily suspend, for any period of time, any individual requester or requesting entity from receiving or accessing information under paragraph (b) of this section if FinCEN, in its sole discretion, finds that:
(f) Violations—(1) Unauthorized disclosure or use. Except as authorized by this section, it shall be unlawful for any person to knowingly disclose, or knowingly use, the beneficial ownership information obtained by the person, directly or indirectly, through:
[88 FR 88808, Dec. 22, 2023]