The Personal Financial Data Rights Rule

On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) finalized the Personal Financial Data Rights rule, which moves the United States closer to “an open banking system in which consumers, not dominant firms, control their data.”  The CFPB is generally tasked with “promoting fair, transparent, and competitive markets for consumer financial products and services.”

On October 23, 2024, CFPB Director Rohit Chopra spoke at Georgetown University’s DC Fintech Week.  As shown below, his prepared remarks do a nice job of describing how the new rule will address data ownership and stewardship problems largely ignored by helpless consumers.

Today, I primarily want to focus on the data protections in the rule, which are essential to ensuring the rule works to advance competition in financial markets. This rule will help to dramatically improve privacy and security, ending the problematic credential sharing and invasive surveillance that we too often see.

First, to obtain data on a consumer’s behalf, a bank, fintech, or other financial company will need to adhere to federal data security requirements. This means they can’t have shoddy security like we saw at companies like Equifax. And if they fail to meet their obligations, they can face enforcement actions and can even get shut down by the licensing or chartering authority.

Second, the rule works towards ending the practice of “screen scraping.” This occurs when a company collects a consumer’s username and password to log in to online banking on the consumer’s behalf to scrape away data. “Screen scraping” is risky, since it can involve unencrypted credential sharing and massive overcollection of data.

Third, the rule requires companies to minimize the data they collect, secure it, and, as a default practice, delete it upon revocation. In addition, the rule forbids companies from seeking to obtain a permanent authorization to continually harvest data. These requirements should lessen the amount of data that would be vulnerable to a data breach.

Fourth, the rule allows banks and fintechs that currently hold the consumer’s data to deny access to companies requesting on the consumer’s behalf when they fail to meet minimum standards. Companies making requests will need to prove they have the authorization from the consumer, disclose their legal entity identifier, and more. The rule allows banks and fintech to engage in legitimate blocking, as long as those practices are applied consistently and fairly.

Fifth, and most importantly, the rule puts into place significant limitations on how companies can use data. Right now, financial companies send consumers an annual privacy notice that tells them any parties they reserve the right to share the data with. In theory, consumers review this and then opt out of sharing they don’t want. In reality, almost no one opts out of anything. Many believe this is just another notice that doesn’t meaningfully limit misuse of personal data.

The rule spells out a simple, but much different approach: you can use a consumer’s data to provide the product or service the consumer asked you for, but you can’t use it for unrelated purposes the consumer doesn’t want. In other words, companies can’t engage in a bait-and-switch, where they lure people in with an offer for a loan or an account, but then sell, exploit, or monetize the data for another purpose.

And there’s a lot more. Taken together, these protections improve the privacy and security of our financial data, compared to the status quo. This will help to stop the lurch toward surveillance pricing.

The CFPB has closely studied how Big Tech companies and other firms can combine your search history, browsing history, geolocation history, your contacts, and more to create a detailed profile about you. We also see how large banks are also seeking to harvest more data from their customers without meaningful limits. When this information includes your sensitive personal financial data, this can create the conditions for surveillance pricing.

For example, if a rideshare giant knows that you worked an extra shift and just got a larger paycheck than usual, it might decide to charge you more for a ride home. If a dominant player in search knows that you just made a payment at a fertility clinic, it might start targeting you with ads for dubious treatments you didn’t ask for.

While the CFPB’s Personal Financial Data Rights that implements new statutory rights will help to jumpstart competition, it is also a major step forward for privacy, security, and data protection.

Director Chopra is correct in his optimistic assessment of the rule, given that the longtime “data slurping” conducted by so many companies has largely gone unabated and this new rule, which solves some but far from every consumer data transgression, is a great beginning.  It only took the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 to establish the CFPB, and then another fourteen years to get the CFPB to promulgate this new rule.  When dealing with the “data industrial complex”, these things take time.

Indeed, as shown by this new rule’s compliance schedule, it will be years before the individual parts of the rule take effect, with possible judicial and governmental intervention in the interim.  See Personal Financial Data Rights Rule (“Data providers must comply with the requirements in subparts B and C beginning April 1, 2026; April 1, 2027; April 1, 2028; April 1, 2029; or April 1, 2030, depending on the criteria set forth in § 1033.121(c)”). At the very least, the new rule discussed by Director Chopra alerts consumers to the dark “data industrial complex”. Even if the rule eventually gets neutered, its underlying wake-up call hopefully does not go unanswered on a state level.

The Need to Comply With the CTA Comes Into Focus

October 8, 2024 was a bellwether date for those waiting on a court to clarify whether the statutory requirement for filing BOI Reports sits on solid ground.  It was on October 8, 2024 when the oral argument in the pending Eleventh Circuit appeal from Small Bus. United d/b/a Nat’l Small Bus. Ass’n v. Janet Yellen, Case No. 5:22-cv-01448, Dkt. No. 52 (N.D. Ala. Mar. 1, 2024) was released to the public.   

Given the tempo and questions raised during this September 27, 2024 hearing, reporting companies can now reasonably assume there is likely no longer any reason to delay filing their BOI Report based on any perceived lack of judicial clarity.  Before the end of the year, which is the deadline for over 30 million reporting companies, subject companies should likely file their BOI Report because there is no Judge that will likely remove that obligation.

While it is never easy to predict which way the judicial winds blow, it seems likely the Eleventh Circuit will at least remand the Alabama decision for further review of the Fourth Amendment argument raised during that hearing (something not touched upon by the court below), if not rule outright for reversal.  The appellee raised the Fourth Amendment argument because federal, state, local and foreign law enforcement can access BOIR data without the need for a Court Order.  Overall, the Judges, especially the Honorable Andrew L. Brasher, who was appointed in 2020, seemed skeptical of this and all other arguments suggesting that Congress passed the Corporate Transparency Act (“CTA”) in 2021 without proper Constitutional footing.

The Eleventh Circuit hearing is on the heels of a District Court Judge in Oregon denying requested injunctive relief, in part, by ruling the CTA was likely constitutional.  See Michael Firestone, et al. v. Janet Yellen, Case No. 3.24-cv-1034, Dkt. No. 18 (D. Or. Sept. 20, 2024).  Indeed, in the second of two supplemental filings with the Eleventh Circuit, the appellee tried to distinguish the Oregon case as well as a recent Supreme Court case that may have shifted the burden in this case slightly in favor of the government, a case the Eleventh Circuit requested supplemental briefing on in its August 14, 2024 Order.  Not surprisingly, the government filed a contrary reply with the Court.

As it stands, the Eleventh Circuit and the Court of Appeals for the Ninth Circuit, by way of the likely appeal from the Firestone decision, will squarely rule upon the constitutionality of the CTA, setting up the exact sort of case the Supreme Court likes to hear, namely an appeal where more than one Circuit Court rules on the constitutionality of a far-reaching federal statute.

Indeed, there are other Courts of Appeal that could also likely chime in on this issue given pending District Court cases, including the First Circuit (William Boyle v. Janet Yellen, Case No. 2:24-cv-00081 (D. Me. filed Mar. 15, 2024) and Black Econ. Council of Mass., Inc. v. Janet Yellen, Case No. 1:24-cv-11411 (D. Mass. filed May 29, 2024)); the Fifth Circuit (Texas Top Cop Shop, Inc. v. Merrick Garland, Case No. 4:24-cv-00478 (E.D. Tex. filed May 28, 2024)); the Sixth Circuit (Small Bus. Ass’n of Mich. v. Janet Yellen, Case No. 1:24-cv-00314 (W.D. Mich. filed Mar. 26, 2024) and Robert J. Gargasz Co. LPA v. Janet Yellen, Case No. 1:23-cv-02468 (N.D. Ohio filed Dec. 29, 2023)); and the Tenth Circuit (Taylor v. Janet Yellen, Case No. 2:24-cv-00527 (D. Utah filed July 29, 2024)).

This mosaic of potentially conflicting upper court decisions leaves little doubt that in the short term FinCEN holds the upper hand and might use such built-up judicial equity to aggressively enforce its BOIR regulations in 2025.  One thing is for sure: the only way this fast-approaching BOIR Train gets derailed is by either the Supreme Court, which is unlikely given the very case the Eleventh Circuit sought briefing on, or by Congress, which is even less likely given that the treasure trove of information derived from the CTA may be useful for tracking individuals with large cryptocurrency holdings and eventually bringing more money into federal coffers, as well as for potential crime prevention.

Practical Steps for Advising on BOIR Compliance

When advising clients on filing FinCEN’s Beneficial Ownership Information (BOI) reporting obligations, professionals should offer clear, practical guidance to ensure compliance and mitigate potential risks. 

It is obviously helpful to start out by educating small business clients on the fundamentals of BOIR filing:

   – Who needs to file: Explain that most small corporations, LLCs, and similar entities must comply unless specifically exempt.

   – What needs to be reported: Discuss the required information, such as names, dates of birth, addresses, and ID numbers of beneficial owners (anyone with 25% or more ownership or substantial control).

   – Filing deadlines: Highlight the deadlines—new businesses must file upon formation, and existing businesses have until the start of 2025.

Small business ownership structures can be complex.   Professionals should emphasize that beneficial ownership extends to anyone with substantial control, even if their equity stake is less than 25%.  For example, CPAs should direct their clients to experts who can help them identify all individuals who qualify as beneficial owners, ensuring no key person is missed.  Discuss how trusts are to be handled.

The importance of accurate and up-to-date documentation should be stressed:

   – Maintain records: Recommend that clients keep detailed records of beneficial owners and any changes over time. Establishing a system for periodic updates will help ensure compliance in the future.

   – Secure documentation: Encourage clients to securely store identifying information, such as government-issued ID numbers, to ensure data privacy and protection.

Professionals should inform clients of the risks of non-compliance:

   – Fines and penalties: Non-compliance can result in fines of $591 per day, potentially leading to substantial financial liability.

   – Business risks: Emphasize that failing to comply could lead to regulatory investigations or civil penalties, which can be costly and damaging to the business’s reputation.

For businesses that may find the filing process challenging, you should either:

   – Assist with filing: Offer to help prepare and file the BOIR on behalf of the client or coordinate with professionals focused on such filings.

   – Refer to a compliance specialist: CPAs can also recommend working with a compliance expert or other professional specializing in corporate governance and regulatory filings.

Clients should be told to approach BOI filings proactively:

   – Plan for future updates: Encourage clients to set up procedures for regularly reviewing and updating beneficial ownership information to avoid missing future reporting obligations.

   – Consult early: Suggest addressing BOIR filing well in advance of deadlines to prevent rushed submissions that could lead to errors.

Professionals who are diligent and invest the time can easily help their clients navigate FinCEN’s BOI reporting obligations effectively, minimizing risk and ensuring ongoing compliance.

Risks of Non-Compliance with FinCEN’s BOI Reporting Rule

Non-compliance with FinCEN’s Beneficial Ownership Information (BOI) reporting requirement could expose your business to significant financial and legal risks. Here’s what you need to know about the potential consequences of failing to comply with this critical regulation.

FinCEN has the authority to impose hefty fines on businesses failing to meet the BOI reporting requirement. The penalty for non-compliance is $591 per day, with no maximum cap. This means even small delays in filing could result in substantial financial costs if FinCEN targets your company.

Non-compliance with BOIR can be seen as an attempt to obscure ownership information, which could trigger further investigation into potential financial crimes.

Businesses found to be in non-compliance with the BOI reporting requirements may also suffer reputational damage. Investors, clients, and partners expect transparency in ownership structures, and failure to comply could result in a loss of trust and business opportunities.

Non-compliant businesses may find it harder to secure loans, attract investors, or engage in mergers and acquisitions. Transparency in beneficial ownership is becoming a key factor in financial and business transactions, and non-compliance could hinder growth opportunities.

As of today, there are no reported instances of fines being assessed against a company for violation of the BOI reporting rule.  Nevertheless, the risks of non-compliance with FinCEN’s BOIR requirement far outweigh the effort of filing. Businesses that take proactive steps to meet the reporting deadlines and maintain accurate information will avoid fines, legal action, and reputational harm. Make compliance a priority to safeguard your business.

Five Common Mistakes to Avoid Before Filing Your BOI Report

Business owners preparing to file their Beneficial Ownership Information (BOI) reports should be aware of common pitfalls that might lead to civil penalties or worse.

The most common mistake is identifying one owner but not identifying every individual qualifying as a beneficial owner. Even if someone owns less than 25% of the business, that person may still be considered a beneficial owner if they hold significant decision-making authority evidencing “substantial control” over the reporting company.

For example, an indirect way to exercise substantial control over a reporting company is by controlling one or more intermediary entities that separately or collectively exercise substantial control over a reporting company. The best way to avoid this mistake is to review your company’s structure carefully and consult an expert if you’re unsure about who is a potential beneficial owner.

Another likely common mistake is submitting incorrect or incomplete details for beneficial owners. Mistakes in names, dates of birth, or identification numbers can lead to rejected filings or regulatory scrutiny – and possibly even fines and jail time if done deliberately. This mistake can easily be avoided by double-checking all information before submission and ensuring you’ve provided accurate and up-to-date details.

A third common mistake is failing to timely file. Businesses underestimate how long the process can take, leading to missed deadlines. For new businesses, filing is required 90 days after formation or registration, while companies formed or registered prior to 2024 have until January 2025 to comply. Companies can avoid this potential problem by marking important dates on their calendars and preparing their filings early to avoid a last-minute rush and a possible $591 a day fine for an untimely filing.

A fourth mistake would be the failure to update information as it changes. As set forth in the applicable regulations, the failure to update beneficial ownership information as changes occur can result in non-compliance. Any changes in ownership or control must be reported within thirty days of the change. This can be avoided by implementing an internal system to track changes in ownership and file updated reports with FinCEN when necessary.

The fifth common mistake is simply assuming the existence of an exemption without really confirming it applies. Certain businesses, like larger companies already subject to similar rules, are exempt from the BOI reporting requirement. Assuming you are covered by an exemption without having proper confirmation could lead to fines. This can be avoided by double-checking your exemption status by consulting the list of exempt entities or seeking expert advice. For example, even if your company has filed for dissolution, that would not automatically exempt you as an inactive company if that dissolution took place in 2024.

Avoiding these five common mistakes will help ensure a smooth BOI reporting process. By simply taking the time to understand key requirements and double-checking your information, you can protect your business from most of these unnecessary risks.

Preparing Your Business for FinCEN’s BOI Reporting Rule

With the Beneficial Ownership Information (BOI) reporting requirement now in effect, many businesses are wondering how to comply with this new rule issued by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). Preparing early will help you avoid fines and penalties, ensuring a smooth filing process.

The first step is determining who qualifies as a beneficial owner. This includes anyone who exerts substantial control or has ownership of 25% or more in your business. It’s crucial to assess both direct and indirect control, so be sure to evaluate individuals who might have critical influence over decision-making even if they don’t own a large percentage of equity.

You will need the following details for each beneficial owner:

  • Full name
  • Date of birth
  • Residential or business address
  • A government-issued identification number (such as from a driver’s license or passport)

Having this information on hand before filing will streamline the process and ensure accuracy.

If filing for an entity formed in 2024, you will also need to provide similar details for “applicants”, namely those persons who filed formation or registration documents with the state of formation or registration.

New businesses must file their BOI reporting information upon formation. For existing businesses, FinCEN has provided a one-year grace period to comply, meaning the deadline for companies formed or registered prior to 2024 is January 1, 2025. Don’t wait until the last minute — start preparing now.

Develop internal procedures to ensure ongoing compliance. This could involve creating a system for regularly updating beneficial ownership information when ownership or critical management changes over time.

Consider seeking advice from compliance experts to confirm whether you meet all the requirements. While the BOIR filing might seem straightforward, nuances in ownership or control structures could complicate the process. Ensuring your business is prepared for BOI reporting compliance long before the applicable deadline is the exact sort of proactive approach that will save you time, reduce stress, and help avoid costly penalties.

What Every Business Owner Needs to Know About FinCEN’s BOIR Requirement

The Beneficial Ownership Information (BOI) reporting requirement, introduced by FinCEN (the Treasury Department’s Financial Crimes Enforcement Network), increases transparency in business ownership with the stated goal of reducing financial crimes such as money laundering and tax evasion. As a business owner, it’s essential to understand what this regulation means for you and your company.

The BOIR rule mandates that certain companies report information about their beneficial owners to FinCEN. A “beneficial owner” is any individual who directly or indirectly exercises substantial control over the company or owns 25% or more of its equity.

Corporations, limited liability companies (LLCs), and similar entities created or registered by a state to do business in the United States are required to file their BOI Report. Larger companies, regulated financial institutions, and inactive companies are exempt because they largely already have to conduct this disclosure.

Businesses must report identifying information about each beneficial owner, including:

  • Full legal name
  • Date of birth
  • Current residential or business address
  • A unique identification number from a government-issued document (such as a driver’s license or passport)

The BOIR requirement officially went into effect in January 2024, and new companies must file within 90 days after their formation. Existing companies have until the end of 2024 to comply, so it’s essential to immediately start gathering the necessary information. Compliance with FinCEN’s BOIR requirement is a crucial regulatory obligation, so take the time to understand these requirements and prepare your business for the upcoming changes.

Constitutionality of FinCEN’s BOIR Requirement

Found in the nearly 1,500-page National Defense Authorization Act of 2021 is the 21-page Corporate Transparency Act (“CTA”), 31 U.S.C. § 5336.  The CTA currently requires most entities incorporated or doing business under State law to disclose personal stakeholder information to the Treasury Department’s criminal enforcement arm, Financial Crimes Enforcement Network (“FinCEN”), including Tax ID numbers, date of birth, government identification number and copies of government identification documents of all beneficial owners and company state formation applicants (collectively a Beneficial Ownership Information Report or “BOI Report”).

According to Congress, this law is intended to prevent financial crimes such as money laundering and tax evasion committed using shell corporations.  The relevant Constitutional question recently put before an Alabama federal court was whether Congress’ broad powers to regulate commerce, oversee foreign affairs and national security, and impose taxes and related regulations were enough to power such a massive information grab. 

In a 53-page opinion, Judge Liles C. Burke of the Northern District of Alabama answered this question in the negative and struck down the CTA as unconstitutional.  See Mem. Op. at 3 (“Because the CTA exceeds the Constitution’s limits on the legislative branch and lacks a sufficient nexus to any enumerated power to be a necessary or proper means of achieving Congress’ policy goals, the Plaintiffs are entitled to judgment as a matter of law.”).   As recognized by Judge Burke, there was no comparable State or federal law to the CTA.  Mem. Op. at 35.

As a result of Judge Burke’s March 1, 2024 ruling, which began its appellate journey on March 11, 2024, all the plaintiffs in that case are for the time being exempt from filing a BOI Report, including the over 65,000 businesses and entrepreneurs located in all 50 states who are members of Plaintiff National Small Business Association (“NSBA”).  As for everyone else who may be a Reporting Company, the CTA very much still applies.

By way of background, FinCEN issued a final rule implementing the CTA on September 29, 2022 and made that rule effective as of January 1, 2024.  87 Fed. Reg. 59498.  Because only the plaintiffs in the Alabama action are safe from the CTA’s reporting reach, all other businesses operating in the United States who are considered Reporting Companies will have to comply with the Rule.

More specifically, the CTA requires disclosures from “reporting company[ies],” defined as “corporation[s], limited liability company[ies], or other similar entit[ies]” that are either “(i) created by the filing of a document with a secretary of state or a similar office under the law of a State or Indian Tribe, or (ii) formed under the law of a foreign country and registered to do business in the United States.” 31 U.S.C. § 5336(a)(11)(A). The CTA exempts twenty-three kinds of entities from its reporting requirements, including banks, insurance companies, and entities with more than twenty employees, five million dollars in gross revenue, and a physical office in the United States. 31 U.S.C. § 5336(a)(11)(B).  In other words, this statute not only targets shell companies involved in criminal conduct or fraud, it expressly hits most small business owners in the country as well.

“FinCEN estimates that there will be approximately 32.6 million reporting companies in Year 1, and 5 million additional reporting companies each year in Years 2–10.”   87 Fed. Reg. at 59549. The CTA requires these millions of entities to disclose the identity and information of any “beneficial owner.” 31 U.S.C. § 5336(b)(1)(A). A beneficial owner is defined as “an individual who . . . (i) exercises substantial control over the entity; or (ii) owns or controls not less than 25 percent of the ownership interests of the entity,” with some exceptions for children, creditors, and a few others. 31 U.S.C. § 5336(a)(3).

For new entities formed or operating in the United States after January 1, 2024, the CTA requires them to disclose the identity and information of both Beneficial Owners and “Applicants,” defined as “any individual who files an application to form a corporation, LLC, or other similar entity under the laws of a State or Indian Tribe; or registers [a foreign entity] to do business in the United States.” 31 U.S.C. § 5336(a)(2).  Such filings must be made within 90 days of the relevant state filings and those companies formed or operating in the United States prior to January 1, 2024 have until year end.

Reporting entities must give FinCEN a Beneficial Owner or Applicant’s full legal name, date of birth, current address, and identification number from a driver’s license, ID card, or passport. 31 U.S.C. § 5336(a)(1), (b)(2)(A).   Under the final rule, reporting entities are also required to submit an image of the identifying document. 31 C.F.R. § 1010.380(b)(1)(ii)(E). If any of that information changes, the reporting company must update FinCEN, 31 U.S.C. § 5336(b)(1)(D), and FinCEN retains Applicant and Beneficial Owner information on an ongoing basis for at least five years after the reporting company terminates. 31 U.S.C. § 5336(c)(1).  Determining whether someone is a Beneficial Owner can be somewhat difficult given it requires a determination of who “has substantial influence over important decisions made by the reporting company” among other potentially vague criteria.  31 C.F.R. § 1010.380(d)(1)(i)(C).

A willful provision of false or fraudulent beneficial ownership information or failure to report “complete or updated beneficial ownership information to FinCEN” by “any person” is punishable by a $500 per day civil penalty and up to $10,000 in fines and 2 years in federal prison, 31 U.S.C. § 5336(h)(1), (3)(A); a knowing and unauthorized disclosure or use of beneficial ownership information by “any person” is punishable by a $500 per day civil penalty, along with a $250,000 fine and 5 years in federal prison, 31 U.S.C. § 5336(h)(2), (3)(B); and a knowing and unauthorized use or disclosure while violating another federal law “or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period” by “any person” is punishable with a $500,000 fine and 10 years in federal prison, 31 U.S.C. § 5336(h)(3)(B)(ii)(II). Over time, this daily penalty increased to $591 per day.

As recognized by Judge Burke, “[t]he ultimate result of this statutory scheme is that tens of millions of Americans must either disclose their personal information to FinCEN through State-registered entities, or risk years of prison time and thousands of dollars in civil and criminal fines.”  Mem. Op. at 8.  Given the importance of this information, FinCEN already compels banks and other financial institutions to obtain nearly identical information from State entity customers and provide it to FinCEN.  

More specifically, FinCEN’s 2016 Customer Due Diligence rule requires “covered financial institutions” to “identify and verify beneficial owners of legal entity customers.” 31 C.F.R. § 1010.230(a).   As with the CTA, this rule defines a “legal entity customer” as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account,” unless the entity fits into one of sixteen exemptions – seven less than the CTA exemptions. 31 C.F.R. § 1010.230(e)(1)-(2).

The CDD rule also defines beneficial owners in the same manner: “Each individual . . . who owns, directly or indirectly, 25 percent or more” of the entity; has “significant responsibility to control, manage, or direct a legal entity,” including “a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer)” and “[a]ny other individual who regularly performs similar functions.”  31 C.F.R. § 1010.230(d)(1)-(2).

In other words, FinCEN’s CDD rule and the CTA provide FinCEN with nearly identical information.  The CTA itself acknowledges the similarity. See 31 U.S.C. § 5336(b)(1)(F) (requiring the Secretary of the Treasury to promulgate regulations that “collect [beneficial owner and applicant] information . . . in a form and manner that ensures the information is highly useful in . . . confirming beneficial ownership information provided to financial institutions.”) (emphasis added).  See also Pub. L. 116-283 § 6402 (6)(B) (134 STAT. at 4604 – 4605) (“It is the sense of Congress that . . . [collection of] beneficial ownership information . . . [will] confirm beneficial ownership information [already] provided to financial institutions.”).

According to FinCEN’s compliance with the Paperwork Reduction Act of 1995: “The estimated average burden associated with this collection of information from Reporting Companies is 90 to 650 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively. The estimated average burden associated with Reporting Companies updating information previously provided is 40 to 170 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively.”

Given the appellate route will likely take well over a year to resolve and the NSBA plaintiffs no longer have any injury to adjudicate, which might have expedited an appeal if they had, it is incumbent on business owners to take the CTA at its face value and comply with the implemented regulations of FinCEN.

Decentralization in 2024

One of the founders of Ethereum recently recognized, “it is rare for the interests of idealism and pragmatism to overlap” but in the case of decentralization it “is not just something we should work towards, but something we truly must deliver on.”  This fixation on “decentralization” took on new life after blockchain hit the popular press. 

Despite BTC reaching 21-month highs, true decentralization of financial systems based on crypto usage will lack mass adoption until there is sufficient trust to render Bitcoin or any other crypto “currency” a real currency.  More than likely, this lack of trust is what is stopping the acceptance of crypto for widespread purchases – an essential precursor for any currency status.  This failing is likely why the IRS from the very beginning relegated decentralized finance products and cryptocurrencies to the status of taxable financial assets.

To that point, on December 28, 2023, Barron’s recognized, “crypto has a long path to relevancy beyond trading.  Despite years of development, blockchain networks remain on the outskirts of mainstream finance, while hacks, theft, and money laundering continue to be among the main uses.  Crypto is still gambling on an unproven technology.”

Indeed, decentralized finance (DeFi) opportunities have also been around for nearly a decade with little widespread market penetration.  With DeFi platforms, existing growing pains stem from a lack of proper security hygiene sufficient to generate trust and “only with trust will this community ever grow beyond its current early adopters.”  Moreover, DeFi platforms and their users face a full frontal attack by centralized banking authorities seeking the sort of financial disclosures currently only found with cash transactions.  DeFi will never touch the “PayPalJPMVisa” mountain peak “until at least one DeFi application checks all the relevant boxes for a sizable enough market.  It may be a decade before a DeFi project reaches that vantage point – with the classic Amazon vs. Sears endgame likely being studied along the way.”

Decentralization can also take on several non-crypto flavors.  For example, the decentralization of governance places local governmental structures above large centralized authorities.  The World Bank considers governmental decentralization in the context of community-driven development as a driver of “economic efficiency, public accountability, and empowerment” by providing “greater voice and choice to citizens to influence decisions that affect their lives” and “allowing local governments to respond dynamically to communities”, and resulting in “allocative efficiency by matching of local needs and preferences with patterns of local public expenditure (assumes substantial fiscal autonomy).”  In the same breath, the World Bank suggests that potential dangers and challenges brought on by such decentralization include: “Elite capture, Corruption, Patronage politics, Local civil servants feeling compromised, Incomplete information, Constituents not able to hold representatives accountable, and Opaque decision-making affecting accountability upwards and downwards.”

None of these “potential dangers”, however, are really any less of a risk in centralized governmental structures.  Indeed, “elite capture, corruption, and opaque decision-making” can be more efficiently perpetrated within centralized structures.  Corporate decentralization in the form of DAOs (decentralized autonomous organizations) has some life given that Wyoming, the birthplace of limited liability companies, recognizes such a corporate structure and is typically decades ahead of the pack, having been the first to recognize LLCs in 1977.  Unlike a standard LLC, “a DAO can be managed by a combination of human members/managers and algorithmically.”  Nevertheless, this decentralized business entity, even in Wyoming, remains an LLC hybrid and can be viewed as an unincorporated association able to be sued.  DAOs still remain a decentralized movement to track in 2024 and beyond.

Persistent trust issues and effective governmental interventions may curtail widespread crypto adoption, and increasing decentralized governance is a non-starter for most countries.  A third major area of decentralization, however, remains a major threat to existing centralized structures, whether those structures derive from authoritative governments (which describes most existing governmental structures), from financial institutions controlling major financial levers, or even from the tech companies currently controlling most aspects of online and offline public discourse.

Simply put, the decentralization of one’s identity and personal data using self-sovereign identity (SSI) systems represents the greatest current threat to centralized power structures.  Unfortunately, this is not an easy sell or a threat that will manifest anytime soon because, for example, decentralizing one’s digital identity entails asking people to renounce their current online identity, built over many years of experience, in favor of a clunky and confusing decentralized online persona.

SSI specifications such as W3C VC, OpenID for Verifiable Credentials, and SD-JWT are all directly or indirectly spearheaded by large tech companies and are gaining attention due to potential adoption by the European Digital Identity Architecture and Reference Framework, NIST, DHS, etc.  It is not difficult to see why these centralized structures are pushing for mostly federated SSI solutions: the EU Parliament sees SSI as a means of enforcing its privacy regime, NIST sees SSI as a means of strengthening cybersecurity, and the DHS wants to deploy it as a means of improving physical security.

More to the point, after centralized authorities implement their own SSI solutions, their chosen centralized solutions will never really be self-sovereign, given that centralized access to personal data (especially personal health information) will never be willingly given up by a centralized authority.  Even the much-ballyhooed HIPAA turns its back to “de-identified” data sales for “medical research”.  Until March 2023, the NIH and other federal agencies shared COVID-19 patient health data through several Open-Access Data and Computational Resources.  Indeed, there is a reason HIPAA has long had numerous disclosure exemptions that largely swallowed the law’s protective measures.

As it stands, healthcare providers sell patient data for billions of dollars without ever violating a single word of either the HIPAA Privacy Rule or HIPAA Security Rule.  Not surprisingly, a 2021 proposed New York Privacy Law was killed in Committee not because of BigTech lobbying – it was shot behind the barn by large hospital lobbyists not keen on having their cash cows disrupted by NYS residents obtaining rights HIPAA does not currently provide.  All the while, since 2018 researchers could “accurately match 95% of adults to their data in a deidentified user dataset”.

The roughly 3 billion DNA base pairs found in human DNA can provide a hard-coded template that cannot currently be mimicked.  In other words, the future world of rapid-fire DNA ID testing envisioned by Gattaca may eventually be the primary means of distinguishing between individuals.

DNA harvesting for research purposes became mainstream during COVID-19 testing – which is why French President Macron refused Putin’s offer of a PCR test in 2022.  The National Human Genome Research Institute describes COVID-19 PCR “amplification” tests as follows:  “Polymerase chain reaction (PCR) is a common laboratory technique used in research and clinical practices to amplify, or copy, small segments of genetic material. PCR is sometimes called “molecular photocopying,” and it is incredibly accurate and sensitive. Short sequences called primers are used to selectively amplify a specific DNA sequence. PCR was invented in the 1980s and is now used in a variety of ways, including DNA fingerprinting, diagnosing genetic disorders and detecting bacteria or viruses. Because molecular and genetic analyses require significant amounts of a DNA sample, it is nearly impossible for researchers to study isolated pieces of genetic material without PCR amplification.”  It should be no surprise that DNA analytics firms such as 23andMe are targeted by hackers eager to possess the ultimate insight for identity verification and the NIH deployed a wide-ranging voluntary DNA research program on the heels of the eMERGE Network.

Personal identification using DNA fingerprints will become more and more attractive as realistic simulations of human voice, gaits, and images/videos, etc. using generative AI increase the risk that biometric identity systems will fail to distinguish real measures from fake ones.  Indeed, some vendors now focus heavily on “liveness detection” that recognizes physiological information as signs of life as an adjunct to the associated biometric data.  FaceTec is a leader in this space and even hosts its own educational site on the importance of liveness detection.  Nevertheless, even these companies will eventually reach a wall in the form of quantum AI capabilities – which points to live rapid-fire DNA testing as the key identity verification tool for future robust SSI implementations.

Where does this leave decentralization in 2024?  While SSI, DeFi and governmental decentralization efforts today may self-correct in the future towards true decentralization kept apart from centralized authority, there are projects in play right now that might more easily mature in 2024 to further data decentralization.  For example, there are efforts taking the form of improved fund distribution – one using a platform created for UNICEF by the Nepal developer Rumsan, and one called Disburse by Scifn, offering a one-to-many approach.  These and other fund distribution platforms can eventually be removed from centralized funding sources.

In addition to Polkadot, peer-to-peer communication platforms such as Veilid allow users to build their own private distributed apps – which creates peer-to-peer communications with no resulting centralized data storage.  Believing that centralized social media is “harmful to society”, Spritely Institute replaces the client-server architecture currently undergirding all existing social media platforms with a “participatory peer-centric model” that places “people in control of their own identity and build the technology that would enable a shift to collaborative and intentional security models prioritizing active consent.”  These approaches still have many mass adoption barriers – the least of which is the competitive market barriers established long ago by current data oligarchs.

SSI left only in the hands of centralized authorities will eventually lead to increased hacking and continued misuse of personal data.  Until new statutory requirements bring true portability of personal data (even platform-generated data that is derivative), coupled with meaningful consent rights for existing data usage (rights that limit centralized control when off-boarding to a peer-to-peer platform), individuals will never truly “own” or have control over their personal data.  In other words, decentralization of existing data silos cannot become viable until there is a complete reset of existing norms of data stewardship and lobbyists take a backseat to the preeminence of consumer rights.  If 2024 brings us even a few inches closer to that reality, it will be a good year for decentralization.

NYAG Notches CoinEx Crypto Victory

On June 15, 2023, the New York Office of Attorney General (NYOAG) announced a Stipulation and Consent Order providing for “restitution” amounting to $1,172,971.50 from Vino Global Limited d/b/a CoinEx (CoinEx) and $626,133.88 in penalties to the state because CoinEx allegedly “unlawfully represented itself as an exchange” in violation of New York’s Martin Act.   The underlying lawsuit against CoinEx was filed by the NYOAG in February.  In response to this lawsuit, the Hong Kong-based CoinEx immediately informed its US-based clients that it would completely withdraw its exchange platform and services from the United States. 

In her press release, the NYAG states:  “Unregistered crypto platforms pose a risk to investors, consumers, and the broader economy.”  Of note, no specific NY investor is referenced as being a victim of CoinEx’s activities in New York state.  Rather, an NYOAG investigator created “an account with CoinEx using a computer with a New York-based IP address to buy and sell digital tokens although CoinEx was not registered with the state.”  Moreover, the “restitution” obtained by the NYOAG simply required that each investor “be refunded the amount of cryptocurrency or the cash equivalent of the cryptocurrency they held in their accounts as of April 25, 2023.”

In other words, the customers of CoinEx got back what was in their accounts and not any monies lost when using the exchange services of CoinEx.  Indeed, CoinEx was already voluntarily refunding and closing out U.S. accounts months earlier.  CoinEx was also required to cease and desist from servicing New York customers and was required to implement geoblocking to prevent New York IP addresses from accessing its platform – something CoinEx was already planning on doing for all potential U.S. customers.

To that end, the NYOAG press release mentions that “CoinEx is also prohibited from creating any new accounts for U.S. customers and existing U.S. customers can only withdraw their crypto from the platform.”  This statement is interesting for two reasons.  First, CoinEx of its own accord discontinued providing services to U.S. customers in February – when the NYOAG lawsuit was first filed and long before the recent resolution of this lawsuit.  Second, the NYOAG has no means to supplant the SEC’s authority or to prohibit exchanges from operating in other states.

Even though it may not be true, it certainly looks good from a PR perspective to say CoinEx was “prohibited” from operating in the U.S. based solely on the NYOAG’s enforcement action.  Interestingly, the NYOAG’s crypto efforts were never strictly limited to “protecting” investors.   In March 2022, the NYOAG issued a taxpayer notice to virtual currency investors and their tax advisors to accurately declare and pay taxes on their virtual investments. 

The recent actions of the SEC, coupled with those of New York State (the undisputed financial capital of the country, if not the world), point in one direction: the centralized financial institutions that currently control most levers of the financial markets have voted against decentralization, and it is now up to the regulators to enforce that decision.

Legal and Business Advocacy