Category Archives: Accounting Firm

Accounting Firm, Employee Benefits, Financial Reporting, Intellectual Property, Law Firm, Middle Market Business, Small Business

Regulatory Protections in SMB Sales

The coming wave of business exits will not just test markets. It will test the people business owners may rely on to get deals done. As increasing numbers of small and mid-sized businesses come to market, the role of intermediaries – whether brokers, advisors, or “finders” – becomes more apparent. At the same time, the legal framework governing those intermediaries may go unnoticed because most business owners simply approach a sale as a commercial process no different than selling an old piece of manufacturing equipment. They expect someone to identify a buyer, negotiate terms, and bring the transaction to closing. In many cases, that expectation is met. What is less often considered is that an intermediary’s role is not purely commercial; it exists within a regulatory regime that can directly affect the enforceability and durability of the transaction itself.

That regime begins with the Securities Exchange Act of 1934, which makes it unlawful for any person to “effect any transactions in, or to induce or attempt to induce the purchase or sale of, any security” unless registered as a broker-dealer. See 15 U.S.C. § 78o(a)(1). The definition of a broker is very broad, encompassing “any person engaged in the business of effecting transactions in securities for the account of others.” See 15 U.S.C. § 78c(a)(4).

Notably, the statute does not distinguish between large and small transactions, or between public and private companies. Instead, it focuses on whether a transaction involves a “security” and whether a person is engaged in the business of effecting transactions in those securities. Courts applying this framework have consistently emphasized conduct over labels, examining what the intermediary actually does rather than how the parties describe the role.
Section 15(a) of the Exchange Act prohibits a broker or dealer from “mak[ing] use of the mails or any means or instrumentality of interstate commerce to effect any transactions in, or to induce or attempt to induce the purchase or sale of, any security … unless such broker or dealer is registered.” 15 U.S.C. § 78o(a)(1); SEC v. Almagarby, 92 F.4th 1306, 1315 (11th Cir. 2024) (“Unregistered dealers are prohibited from buying and selling securities in interstate commerce.”).

Within this framework, certain indicators of broker activity have emerged with consistency across enforcement actions and judicial decisions. These include soliciting or identifying buyers, participating in negotiations, structuring or facilitating the transaction, and receiving compensation contingent on closing. Transaction-based compensation, in particular, has long been viewed by the SEC as a hallmark of broker activity because it ties compensation directly to the success of a securities transaction. See SEC Guide to Broker-Dealer Registration.

For business owners, the relevance of this framework turns on how a transaction is structured. If a business is sold through an asset sale, the transaction typically does not involve securities, and the broker-dealer framework is generally not implicated. Many small and mid-sized service businesses are structured this way for tax and liability reasons. However, that structure is not universal, and transactions frequently evolve during negotiations.

Where a transaction involves the transfer of stock, membership interests, or other forms of equity, it is a securities transaction even if the buyer acquires full control and intends to operate the business. At that point, the intermediary’s conduct must be evaluated under the federal securities laws. What may appear to be a routine business sale from a commercial perspective can, as a matter of law, fall squarely within a regulated activity.

Congress addressed this tension in 2023 by enacting a limited exemption for certain intermediaries involved in private company sales. Consolidated Appropriations Act, 2023, Pub. L. No. 117-328, div. AA, § 501, codified at 15 U.S.C. § 78o(b)(13). The exemption permits qualifying intermediaries to facilitate transactions without registering as broker-dealers, but only under defined conditions.

Among other requirements, the intermediary must reasonably believe that the buyer will acquire control of the company and be active in its management following the transaction. The exemption also applies only to “eligible privately held companies,” generally defined by size thresholds tied to revenue or EBITDA. It further imposes specific limitations, including prohibitions on custody of funds, binding parties to transactions, and participation in public offerings.

Importantly, the exemption provides relief only from federal registration requirements. It contains no express preemption of state securities laws. As a result, state securities laws continue to operate alongside the federal framework. In New York, the Martin Act provides broad authority over securities transactions and enforcement. In New Jersey, the Uniform Securities Law prohibits acting as a broker-dealer without registration. See N.J.S.A. 49:3-56. In Connecticut, similar requirements apply under Conn. Gen. Stat. § 36b-6. These statutory schemes raise there own pitfalls for intermediaries.

All of these requirements represent real risk to those having a business that buys and sells small businesses. In 2025, the Commission charged Paul McCabe and PMAC Consulting with acting as unregistered brokers in transactions involving private-company stock, alleging that they negotiated deals, advised buyers, and received substantial transaction-based compensation without registration. See SEC Press Release No. 2025-19. In an earlier proceeding, the SEC found that True Capital Management engaged in unregistered broker activity over a multi-year period while receiving transaction-based compensation in connection with securities transactions. See Exchange Act Release No. 98354 (Sept. 22, 2023).

These enforcement actions are instructive not because they involve large or complex institutions, but because the underlying conduct mirrors what occurs in many private-company transactions. Soliciting counterparties, participating in negotiations, and being paid upon closing are not unusual activities. They are routine features of the small business aquisition process, and it is precisely those features that trigger regulatory scrutiny when securities are involved.

There is a further layer of risk that applies regardless of registration status. Rule 10b-5 makes it unlawful, in connection with the purchase or sale of any security, to make any untrue statement of a material fact or omit material information necessary to make statements not misleading. See 17 C.F.R. § 240.10b-5. This provision applies broadly to participants in securities transactions, including, in certain circumstances, even sellers involved in small private placements.
In the context of small and mid-sized service businesses, that risk is not theoretical. Many smaller businesses lack audited financial statements or formal internal controls. Intermediaries often assist in presenting financial and operational information to prospective buyers. If such representations are inaccurate or incomplete, the issue does not remain confined to the intermediary; it becomes embedded in the transaction itself.

For business owners, the takeaway is not to avoid intermediaries, but to approach them with informed expectations. A competent intermediary should explain how the transaction is likely to be structured and whether it might involve securities. The intermediary should also be transparent about its regulatory posture, including whether it is registered or relying on an exemption. Finally, the process should reflect a disciplined approach to financial disclosure and diligence.

Moreover, business owners should not expect that potentially unlawful conduct will always lead to the rescission of a commission agreement. For example, the Second Circuit has reasoned that a stock purchase agreement that does not require a broker to engage in an unlawful transaction, i.e., “quintessential dealer activity”, will not lead to the rescission of the underlying transaction. As recognized by the Court, “because the contract can be performed lawfully, and because the contract is silent as to if, when, and how Auctus could sell discounted shares of Xeriant stock on the market (assuming that is, indeed, unlawful), the contract has not been made in violation of the Exchange Act.” See Xeriant, Inc. v. Auctus Fund LLC, 141 F. 4th 405, 413 (2d Cir. 2025).

There are, of course, alternatives to the retention of intermediaries who may skirt regulatory compliance. Owners can pursue a more direct process, working with their existing legal and accounting advisors to identify buyers through industry relationships, competitors, or management peers. Potential acquirers may also be owner operators actively seeking to acquire and run additional small businesses as a natural function of their prior success. A “trusted advisor” path can be very effective, particularly where the likely buyer pool is identifiable.

Regardless of the path chosen, the regulatory framework governing purchase transactions is not informal or discretionary. It is statutory, often enforced, and applies based on structure and conduct rather than terminology. For business owners, the question is not simply who can find a buyer. It is whether the process – and the people involved in it – are aligned with the legal framework that protects the seller and governs how the transaction must be executed and sustained.

Accounting Firm, Copyright Infringement, Intellectual Property, Network Security, Risk Management, Small Business, Social Media

CHIP Away Risk and Grow Your Business

While many business owners recognize the importance of maintaining their Cybersecurity Hygiene and protecting their Intellectual Property (“IP”), they are often too pressed for time and money to implement any serious plans of action.  There are ways to improve your cybersecurity and IP postures without breaking the bank or ignoring revenue goals.

Be proactive and not take for granted good cybersecurity hygiene exists in your company.  To start this exercise, every business owner should at least have someone review the readily available free resources on the subject. For example, the U.S. Small Business Administration (“SBA”) has online resources dedicated to informing small businesses on how to bolster their cybersecurity. And, the National Institute of Standards and Technology (“NIST”) helps companies who admittedly have modest or no cybersecurity plans in place by offering to “kick-start their cybersecurity risk management strategy” with the NIST Cybersecurity Framework (CSF) 2.0.

Tip #1:  Choose WordPress for your website.   After reviewing free resources, business owners can determine which direction to turn when it comes to preparing for the worst.  For example, you may want to start out by looking at one of your main sources of credibility in the marketplace – your website.  A secure site will always score higher on SEO than an insecure site – which makes it crucial for business to focus on reputational integrity and protection of customer data.  The WordPress platform is extremely popular with small business owners given its content management system allows owners to easily upload and modify content – without the need for a developer charging for every edit. 

Given that a large portion of the Internet is using WordPress, Corporate websites built using WordPress allow for secure custom shops and can securely mesh with your own separate e-commerce shop built using tools such as Shopify

Some WordPress tips include keeping WordPress on auto-update to ensure all security updates are in place as soon as possible; choosing a mature template with many thousands of downloads that has been security tested over a long period and routinely updated; limiting the use of Plugins to those essential for WordPress security, including WordFence (or a similar firewall/scanning plugin) and WPS Hide Login (or similar plugin that hides the default login URL frequented by hackers) because many incidents are directly tied to insecure plugins – those that may have not been updated in years yet are still active on your site; and making sure you install an SSL (Secure Sockets Layer) Certificate allowing for encrypted HTTPS communications between site and browser.

The last tip is especially important given Google’s Chrome browser and Brave’s browser have long warned users when a website does not use this HTTPS protocol – a warning that likely causes potential visitors to not even visit the site.  The Really Simple SSL plugin can help ensure that this is easily done.  Many hosting companies provide a free SSL certificate so getting the plugin will make this an easy fix if needed.

Tip #2:  Practice good security hygiene by using passwords that include upper case letters, numbers, lower case numbers, and symbols that total no less than 10 characters. Keep the password in a safe place if you cannot memorize it and only use it for your website.  As well, deploy two-factor authentication to make it that much more difficult to get in the website using the front door – Authenticator is an excellent app for 2FA purposes but there many to choose from.  When it comes to passwords, the strongest chain of defense can only be as strong as its weakest link.

Tip #3:  Remind all employees never to click on links in emails – even if they seem legitimately from companies you do business with, including lawyers and accountants.  As for the most basic of “basic training”:  Don’t open or click on anything that looks suspicious. Again, it is much more difficult for hackers to launch an exploit without walking in the front door and they can’t come in if you don’t open the door. In other words, never click on a link, file or image from an untested source or unknown URL. The extra seconds it takes to confirm the actual sender of an email message or owner of a website is well worth the time.

Tip #4:  Safeguard against Ransomware attacks.  Given credit card data and account information has long been dirt-cheap to buy on the dark web, hackers now combine social engineering, e.g., well-crafted targeted emails using publicly available information, including emails of licensed professionals, with botnets usually tasked with promulgating spam and searching for vulnerabilities.  The result is a ransomware attack that can cripple a business unless Bitcoin is transferred to a specific account. 

The FBI has long suggested firms focus on a variety of basic prevention efforts – in terms of awareness training for employees and technical prevention controls, as well as the creation of a solid business continuity plan in the event of a ransomware attack.  And, after a ransomware attack is suspected, victims should immediately contact the local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.   

If a firm wants to immediately enact a more proactive approach, however, there are certainly additional very basic policies and procedures that can be put in place right now to help avoid a ransomware exploit:  (i) block executable files (such as “.exe” files) and compressed archives (such as zip files) containing executable files before they reach a user’s inbox; (ii) block the use of thumb drives; (iii) mitigate against social engineering exploits by providing employee online training that is continuous and targeted with services such as KnowBe4; (iv) make sure whoever is providing you with IT support has a software patch management plan in place; (v) regularly back up data with media not connected to the Internet.

Tip #5:  Apply for Cyber Insurance.   Given the recent massive spike in small business insureds being specifically targeted, price hardening and onerous underwriting requirements have been the norm for cyber insurers.  While it is way too soon to turn in the towel on small business cyber insurance, some of those allocated insurance premium dollars might also be spent on bolstering security as well as lower cost/higher deductible coverage. 

One key attribute of any cyber insurance should be the technical vendors and legal counsel associated with these carriers.  Cyber insurance will also always serve a vital role in helping small business owners deal with ransomware attacks by offering the benefit of an underwriting process so that businesses can better understand their vulnerabilities and potential strengths – all without the need of hiring a consultant or paying any fees.   Indeed, an insurer acting as a trusted partner may even assist a potential client obtain compliance with an insurer’s cybersecurity standards before the insurance is even purchased

Protecting your most valuable assets – your intellectual capital, is well worth the effort.   Whether it’s how your employees conduct business, which clients you do the most business with, how you service those clients, or how you communicate with clients and employees, intellectual property is wrapped around all of it. 

Tip #1: Your know how needs confidential treatment.  Your client list and how your clients are serviced constitute your “know how” or more commonly “trade secrets” that must be kept confidential – once they become public any protections you may have had will evaporate.  The use of non-disclosure agreements with third parties is essential – as well as ensuring your employees understand this fundamental concept. Using well-written contracts with clients will also help ensure your know how is protected.

Tip #2: Your brand, sales and marketing brochures, and training materials are trademark and copyright protected.  Even a small company with no employees can have a robust brand built over many years – and found predominantly on the company’s sales and marketing materials.  All that is necessary for local common law protection is that it be in use to identify specific services or products.  To obtain nationwide protection and added damages for infringement, the mark should seek federal registration using the USPTO.Gov website.  Similarly, the product brochures created from scratch are copyright protected as soon as they were created but have enhanced protection when registered at Copyright.Gov.  

As you review the content and systems powering your business — everything from the company names to the use of training materials — you will quickly appreciate how much value goes unguarded. Consulting a legal expert or learning how to protect your trademarks and copyrights may not be quick or glamorous, but it will give you something longstanding: ownership of an intangible asset, leverage, and peace of mind.

Tip #3: Plan for the sale of your business by incorporating these best practices.  According to the SBA, more than half of the nation’s small-business owners are over the age of 50, and approximately 21% of the US population were born before 1964. And, according to one study, baby boomers owned about 51% of the privately held businesses in the United States, which is about 3 million businesses valued at $10 trillion dollars.  Unfortunately, founders typically defer addressing the fact that they will one day be too old and tired to manage a successful business. 

When no one in the family wants to take over your business there are only two options, close shop or sell to a willing buyer.  One metric used in valuing businesses is tied to the company’s ability to scale based on its protected intellectual property assets.  In other words, sustainable growth is not always about making more — it’s also about being able to protect what you’ve already built. After deploying the right practices, support system, and mindset, a successful entrepreneur can go from vulnerable to vigilant — and nurture a business that’s built for selling.

Accounting Firm, Financial Reporting, FinCEN BOI Reporting, Middle Market Business, Risk Management, Small Business

Practical Steps for Advising on BOIR Compliance

When advising clients on filing FinCEN’s Beneficial Ownership Information (BOI) reporting obligations, professionals should offer clear, practical guidance to ensure compliance and mitigate potential risks. 

It is obviously helpful to start out by educating small business clients on the fundamentals of BOIR filing:

   – Who needs to file: Explain that most small corporations, LLCs, and similar entities must comply unless specifically exempt.

   – What needs to be reported: Discuss the required information, such as names, dates of birth, addresses, and ID numbers of beneficial owners (anyone with 25% or more ownership or substantial control).

   – Filing deadlines: Highlight the deadlines—new businesses must file upon formation, and existing businesses have until the start of 2025.

Small business ownership structures can be complex.   Professionals should emphasize that beneficial ownership extends to anyone with substantial control, even if their equity stake is less than 25%.  For example, CPAs should direct their clients to experts who can help them identify all individuals who qualify as beneficial owners, ensuring no key person is missed.  Discuss how trusts are to be handled.

The importance of accurate and up-to-date documentation should be stressed:

   – Maintain records: Recommend that clients keep detailed records of beneficial owners and any changes over time. Establishing a system for periodic updates will help ensure compliance in the future.

   – Secure documentation: Encourage clients to securely store identifying information, such as government-issued ID numbers, to ensure data privacy and protection.

Professionals should inform clients of the risks of non-compliance:

   – Fines and penalties: Non-compliance can result in daily fines of $591 per day, potentially leading to substantial financial liability.

   – Business risks: Emphasize that failing to comply could lead to regulatory investigations or civil penalties, which can be costly and damaging to the business’s reputation.

For businesses that may find the filing process challenging, you should either:

   – Assist with filing: Offer to help prepare and file the BOIR on behalf of the client or coordinate with professionals focused on such filings.

   – Refer to a Compliance specialist: CPAs can also recommend working with a compliance expert or other professional specializing in corporate governance and regulatory filings.

Clients should be told to approach BOI filings proactively:

   – Plan for future updates: Encourage clients to set up procedures for regularly reviewing and updating beneficial ownership information to avoid missing future reporting obligations.

   – Consult early: Suggest addressing BOIR filing well in advance of deadlines to prevent rushed submissions that could lead to errors. Professionals who are diligent and invest the time can easily help their clients navigate FinCEN’s BOI reporting obligations effectively, minimizing risk and ensuring ongoing compliance.

Accounting Firm, Financial Reporting, FinCEN BOI Reporting, Middle Market Business, Risk Management, Small Business

Risks of Non-Compliance with FinCEN’s BOI Reporting Rule

Non-compliance with FinCEN’s Beneficial Ownership Information (BOI) reporting requirement could expose your business to significant financial and legal risks. Here’s what you need to know about the potential consequences of failing to comply with this critical regulation.

FinCEN has the authority to impose hefty fines on businesses failing to meet the BOI reporting requirement. Penalties for non-compliance is $591 per day, with no maximum cap. This means even small delays in filing could result in substantial financial costs if FinCEN targets your company.

Non-compliance with BOIR can be seen as an attempt to obscure ownership information, which could trigger further investigation into potential financial crimes.

Businesses found to be in non-compliance with the BOI reporting requirements may also suffer reputational damage. Investors, clients, and partners expect transparency in ownership structures, and failure to comply could result in a loss of trust and business opportunities.

Non-compliant businesses may find it harder to secure loans, attract investors, or engage in mergers and acquisitions. Transparency in beneficial ownership is becoming a key factor in financial and business transactions, and non-compliance could hinder growth opportunities.

As of today, there are no reported instances of fines being assessed against a company for violation of the BOI reporting rule.  Nevertheless, the risks of non-compliance with FinCEN’s BOIR requirement far outweigh the effort of filing. Businesses that take proactive steps to meet the reporting deadlines and maintain accurate information will avoid fines, legal action, and reputational harm. Make compliance a priority to safeguard your business.

Accounting Firm, Financial Reporting, FinCEN BOI Reporting, Middle Market Business, Risk Management, Small Business

Five Common Mistakes to Avoid Before Filing Your BOI Report

Business owners preparing to file their Beneficial Ownership Information (BOI) reports should be aware of common pitfalls that might lead to civil penalties or worse.

The most common mistake is identifying one owner but not identifying every individual qualifying as a beneficial owner. Even if someone owns less than 25% of the business, that person may still be considered a beneficial owner if they hold significant decision-making authority evidencing “substantial control” over the reporting company.

For example, an indirect way to exercise substantial control over a reporting company is by controlling one or more intermediary entities that separately or collectively exercises substantial control over a reporting company. The best way to avoid this mistake is to review your company’s structure carefully and consult an expert if you’re unsure about who is a potential beneficial owner.

Another likely common mistake is submitting incorrect or incomplete details for beneficial owners. Mistakes in names, dates of birth, or identification numbers can lead to rejected filings or regulatory scrutiny – and possibly even fines and jail time if done deliberately. This mistake can easily be avoided by double-checking all information before submission and ensuring you’ve provided accurate and up-to-date details.

A third common mistake is failing to timely file. Businesses underestimate how long the process can take, leading to missed deadlines. For new businesses, filing is required 90 days after formation or registration, while companies formed or registered prior to 2024 have until January 2025 to comply. Companies can avoid this potential problem by marking important dates on your calendar and preparing your filing early to avoid a last-minute rush and a possible $591 a day fine for an untimely filing.

A fourth mistake would be the failure to update information as it changes. As set forth in the applicable regulations, the failure to update beneficial ownership information as changes occur can result in non-compliance. Any changes in ownership or control must be reported within thirty days of the change. This can be avoided by Implementing an internal system to track changes in ownership and file updated reports with FinCEN when necessary.

The fifth common mistake is simply assuming the existence of an exemption without really confirming it applies. Certain businesses, like larger companies already subject to similar rules, are exempt from the BOI reporting requirement. Assuming you are covered by an exemption without having proper confirmation could lead to fines. This can be avoided by double checking your exemption status by consulting the list of exempt entities or seeking expert advice. For example, even if your company has filed for dissolution, that would not automatically exempt you as an inactive company if that dissolution took place in 2024.

Avoiding these five common mistakes will help ensure a smooth BOI reporting process. By simply taking the time to understand key requirements and double-checking your information, you can protect your business from most of these unnecessary risks.

Accounting Firm, Financial Reporting, FinCEN BOI Reporting, Middle Market Business, Risk Management, Small Business

Preparing Your Business for FinCEN’s BOI Reporting Rule

With the Beneficial Ownership Information (BOI) reporting requirement now in effect, many businesses are wondering how to comply with this new rule issued by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). Preparing early will help you avoid fines and penalties, ensuring a smooth filing process.

The first step is determining who qualifies as a beneficial owner. This includes anyone who exerts substantial control or has ownership of 25% or more in your business. It’s crucial to assess both direct and indirect control, so be sure to evaluate individuals who might have critical influence over decision-making even if they don’t own a large percentage of equity.

You will need the following details for each beneficial owner:

  • Full name
  • Date of birth
  • Residential or business address
  • A government-issued identification number (such as from a driver’s license or passport)

Having this information on hand before filing will streamline the process and ensure accuracy.

If filing for an entity formed in 2024, you will also need to provide similar details for “applicants”, namely those persons who filed formation or registration documents with the state of formation or registration.

New businesses must file their BOI reporting information upon formation. For existing businesses, FinCEN has provided a one-year grace period to comply, meaning the deadline for companies formed or registered prior to 2024 is January 1, 2025. Don’t wait until the last minute — start preparing now.

Develop internal procedures to ensure ongoing compliance. This could involve creating a system for regularly updating beneficial ownership information when ownership or critical management changes over time.

Consider seeking advice from compliance experts to ensure whether you meet all the requirements. While the BOIR filing might seem straightforward, nuances in ownership or control structures could complicate the process. Ensuring your business is prepared for BOI reporting compliance long before the applicable deadline is the exact sort of proactive approach that will save you time, reduce stress, and help avoid costly penalties.

Accounting Firm, Financial Reporting, FinCEN BOI Reporting, Middle Market Business, Risk Management, Small Business

What Every Business Owner Needs to Know About FinCEN’s BOIR Requirement

The Beneficial Ownership Information (BOI) reporting requirement, introduced by FinCEN (the Treasury Department’s Financial Crimes Enforcement Network) increases transparency in business ownership with the stated goal of reducing financial crimes such as money laundering and tax evasion. As a business owner, it’s essential to understand what this regulation means for you and your company.

The BOIR rule mandates that certain companies report information about their beneficial owners to FinCEN. A “beneficial owner” is any individual who directly or indirectly exercises substantial control over the company or owns 25% or more of its equity

Corporations, limited liability companies (LLCs), and similar entities created or registered by a state to do business in the United States are required to file their BOI Report. Larger companies, regulated financial institutions, and inactive companies, are exempt because they largely already have to conduct this disclosure.

Businesses must report identifying information about each beneficial owner, including:

  • Full legal name
  • Date of birth
  • Current residential or business address
  • A unique identification number from a government-issued document (such as a driver’s license or passport)

The BOIR requirement officially went into effect in January 2024, and new companies must file within 90 days after their formation. Existing companies have until the end of 2024 to comply, so it’s essential to immediately start gathering the necessary information. Compliance with FinCEN’s BOIR requirement is a crucial regulatory obligation so take the time to understand these requirements and prepare your business for the upcoming changes.

Accounting Firm, Financial Reporting, FinCEN BOI Reporting, Law Firm, Middle Market Business, Risk Management, Small Business

Constitutionality of FinCEN’s BOIR Requirement

Found in the nearly 1,500-page National Defense Authorization Act of 2021, is the 21-page Corporate Transparency Act (“CTA”), 31 U.S.C. § 5336.  The CTA currently requires most entities incorporated or doing business under State law to disclose personal stakeholder information to the Treasury Department’s criminal enforcement arm, Financial Crimes Enforcement Network (“FinCEN”), including Tax ID numbers, date of birth, government identification number and copies of government identification documents of all beneficial owners and company state formation applicants (collectively a Beneficial Ownership Information Report or “BOI Report”).

According to Congress, this law is intended to prevent financial crimes such as money laundering and tax evasion committed using shell corporations.  The relevant Constitutional question recently put before an Alabama federal court was whether Congress’ broad powers to regulate commerce, oversee foreign affairs and national security, and impose taxes and related regulations were enough to power such a massive information grab. 

In a 53-page opinion, Judge Liles C. Burke of the Northern District of Alabama answered this question in the negative and struck down the CTA as unconstitutional.  See Mem. Op. at 3 (“Because the CTA exceeds the Constitution’s limits on the legislative branch and lacks a sufficient nexus to any enumerated power to be a necessary or proper means of achieving Congress’ policy goals, the Plaintiffs are entitled to judgment as a matter of law.”).   As recognized by Judge Burke, there was no comparable State or federal law to the CTA.  Mem. Op. at 35.

As a result of Judge Burke’s March 1, 2024 ruling – which began its appellate journey on March 11, 2024, all the plaintiffs in that case are for the time being exempt from filing a BOI Report – including the over 65,000 businesses and entrepreneurs located in all 50 states who are members of Plaintiff National Small Business Association (“NSBA”).  As for everyone else who may be a Reporting Company, the CTA very much still applies.

By way of background, FinCEN issued a final rule implementing the CTA on September 29, 2022 and made that rule effective as of January 1, 2024.  87 Fed. Reg. 59498.  Because only the plaintiffs in the Alabama action are safe from the CTA’s reporting reach all other businesses operating in the United States who are considered Reporting Companies will have to comply with the Rule. 

More specifically, the CTA requires disclosures from “reporting company[ies],” defined as “corporation[s], limited liability company[ies], or other similar entit[ies]” that are either “(i) created by the filing of a document with a secretary of state or a similar office under the law of a State or Indian Tribe, or (ii) formed under the law of a foreign country and registered to do business in the United States.” 31 U.S.C. § 5336(a)(11)(A). The CTA exempts twenty-three kinds of entities from its reporting requirements, including banks, insurance companies, and entities with more than twenty employees, five million dollars in gross revenue, and a physical office in the United States. 31 U.S.C. § 5336(a)(11)(B).  In other words, this statute not only targets shell companies involved in criminal conduct or fraud, it expressly hits most small business owners in the country as well.

“FinCEN estimates that there will be approximately 32.6 million reporting companies in Year 1, and 5 million additional reporting companies each year in Years 2–10.”   87 Fed. Reg. at 59549. The CTA requires these millions of entities to disclose the identity and information of any “beneficial owner.” 31 U.S.C. § 5336(b)(1)(A). A beneficial owner is defined as “an individual who . . . (i) exercises substantial control over the entity; or (ii) owns or controls not less than 25 percent of the ownership interests of the entity,” with some exceptions for children, creditors, and a few others. 31 U.S.C. § 5336(a)(3).

For new entities formed or operating in the United States after January 1, 2024, the CTA requires them to disclose the identity and information of both Beneficial Owners and “Applicants,” defined as “any individual who files an application to form a corporation, LLC, or other similar entity under the laws of a State or Indian Tribe; or registers [a foreign entity] to do business in the United States.” 31 U.S.C. § 5336(a)(2).  Such filings must be made within 90 days of the relevant state filings and those companies formed or operating in the United States prior to January 1, 2024 have until year end.

Reporting entities must give FinCEN a Beneficial Owner or Applicant’s full legal name, date of birth, current address, and identification number from a driver’s license, ID card, or passport. 31 U.S.C. § 5336(a)(1), (b)(2)(A).   Under the final rule, reporting entities are also required to submit an image of the identifying document. 31 C.F.R. § 1010.380(b)(1)(ii)(E). If any of that information changes, the reporting company must update FinCEN, 31 U.S.C. § 5336(b)(1)(D), and FinCEN retains Applicant and Beneficial Owner information on an ongoing basis for at least five years after the reporting company terminates. 31 U.S.C. § 5336(c)(1).  Determining whether someone is a Beneficial Owner can be somewhat difficult given it requires a determination of who “has substantial influence over important decisions made by the reporting company” among other potentially vague criteria.  31 C.F.R. § 1010.38 (d)(1)(i)(C).

A willful provision of false or fraudulent beneficial ownership information or failure to report “complete or updated beneficial ownership information to FinCEN” by “any person” is punishable by a $500 per day civil penalty and up to $10,000 in fines and 2 years in federal prison, 31 U.S.C. § 5336(h)(1), (3)(A); a knowing and unauthorized disclosure or use of beneficial ownership information by “any person” is punishable by a $500 per day civil penalty, along with a $250,000 fine and 5 years in federal prison, 31 U.S.C. § 5336(h)(2), (3)(B); and a knowing and unauthorized use or disclosure while violating another federal law “or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period” by “any person” is punishable with a $500,000 fine and 10 years in federal prison, 31 U.S.C. § 5336(h)(3)(B)(ii)(II). Over time, this daily penalty increased to $591 per day.

As recognized by Judge Burke, “[t]he ultimate result of this statutory scheme is that tens of millions of Americans must either disclose their personal information to FinCEN through State-registered entities, or risk years of prison time and thousands of dollars in civil and criminal fines.”  Mem. Op. at 8.  Given the importance of this information, FinCEN already compels banks and other financial institutions to obtain nearly identical information from State entity customers and provide it to FinCEN.  

More specifically, FinCEN’s 2016 Customer Due Diligence rule requires “covered financial institutions” to “identify and verify beneficial owners of legal entity customers.” 31 C.F.R. § 1010.230(a).   As with the CTA, this rule defines a “legal entity customer” as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account,” unless the entity fits into one of sixteen exemptions – seven less than the CTA exemptions. 31 C.F.R. § 1010.230(e)(1)-(2).

The CDD rule also defines beneficial owners in the same manner: “Each individual . . . who owns, directly or indirectly, 25 percent or more” of the entity; has “significant responsibility to control, manage, or direct a legal entity,” including “a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer)” and “[a]ny  other  individual  who  regularly  performs  similar  functions.”  31 C.F.R. § 1010.230(d)(1)-(2).

In other words, FinCEN’s CDD rule and the CTA provide FinCEN with nearly identical information.  The CTA itself acknowledges the similarity. See 31 U.S.C. § 5336(b)(1)(F) (requiring the Secretary of the Treasury to promulgate regulations that “collect [beneficial owner and applicant] information . . . in a form and manner that ensures the information is highly useful in . . . confirming beneficial ownership information provided to financial institutions.” (emphasis added).  See also Pub. L. 116-283 § 6402 (6)(B) (134 STAT. at 4604 – 4605) (“It is the sense of Congress that . . . [collection of] beneficial ownership information . . . [will] confirm beneficial ownership information [already] provided to financial institutions.”).

According to FinCEN’s compliance with the Paperwork Reduction Act of 1995: “The estimated average burden associated with this collection of information from Reporting Companies is 90 to 650 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively. The estimated average burden associated with Reporting Companies updating information previously provided is 40 to 170 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively.”

Given the appellate route will likely take well over a year to resolve and the NSBA plaintiffs no longer have any injury to adjudicate – which might have expedited an appeal if they had, it is incumbent on business owners to take the CTA at its face value and comply with the implemented regulations of FinCEN.

Accounting Firm, Blockchain, Digital Assets, DLT, Financial Reporting, NFTs, Risk Management

The NFT Growth Tax

Between Amazon launching next month its NFT Marketplace – tentatively called the “Amazon Digital Marketplace”, Sotheby’s already launched high-end secondary marketplace for “digital artwork”, and Christie’s launching last year its Christie’s 3.0 – a platform allowing for fully on-chain sales that demonstrates “the auction house’s commitment to both artists and collectors in the Web3 space”, programmable digital assets/NFTs are simultaneously entering both ends of the mainstream market.     

Probably the most important takeaway from such broad initiatives turns on the fact foundational brands have decided to supplant the prior NFT free-for-all initiated by PFP projects, artists and collectors.  Despite potentially risking the same fate of Dapper Labs, Amazon will rely on a private blockchain that takes credit cards while Sotheby’s eliminates “NFTs” from the equation altogether to focus on what it calls “digital artwork” even though digital art has already been around for decades.  What is clear is that Amazon’s use of its own “brand worthy” naming convention – “Amazon Digital”, elevates rather than hinders this new ecosystem. 

Being swept aside by this establishment wave is OpenSea – the newly-displaced old guard and wild-west pioneer who likely never contemplated insider trading as a risk until a former OpenSea Manager was recently convicted of it.  Not surprisingly, OpenSea offloads tax obligations and refers its users to CoinTracker for tax calculations.  OpenSea even explicitly points out to users of the marketplace that “[y[ou are responsible for determining what, if any, taxes apply to your purchases, sales, and transfers of NFTs. If you have specific questions regarding taxes, please consult with a professional tax advisor.”  OpenSea’s sole Help Center entry regarding taxes further drives home the point:  “Users are responsible for determining what, if any, taxes apply to their purchases, sales, and transfers of NFTs. If you have questions about taxes, please consult with a professional tax advisor.”

In sharp contrast, the government is certainly rooting for reliable tax collectors such as Amazon, Christie’s and Sotheby’s to enter the NFT sandbox.  Since 2018 – when the Supreme Court overruled decades of precedent, taxation of online sales no longer depends on physical presence within a particular state.  The new guard will create the proper recipe for mass profitable usage, namely removing tech geek elements, improving user interfaces, adding brand allure, and ensuring government is happy and remaining on the right side of the regulatory fence. 

As Grace Kyne of EY informed attendees at the April 13, 2023 NFT.NYC session “NFTs and Marketplaces: Opening Pandora’s Box”, there are state-specific marketplace facilitator rules that make most marketplaces subject to state tax.  Not surprisingly, Amazon is front and center in pointing that hard fact out to its market participants: “Marketplace Facilitator legislation is a set of laws that shifts the sales tax collection and remittance obligations from a third party seller to the marketplace facilitator. As the marketplace facilitator, Amazon will now be responsible to calculate, collect, remit, and refund state sales tax on sales sold by third party sellers for transactions destined to states where Marketplace Facilitator and/or Marketplace collection legislation is enacted.”

In other words, pushing digital asset sales to Amazon is really every state treasurer’s dream.

This should not come as any surprise.  Ever since the 2019 tax year, IRS Form 1040 has included a question regarding a taxpayer’s cryptocurrency activity. In 2021, the IRS slightly broadened the scope of its inquiry:  “At any time during 2021, did you receive, sell, exchange, or otherwise dispose of any financial interest in any virtual currency?”  In 2022, the scope of the latest IRS Form 1040 broadened yet again: “At any time during 2022, did you: (a) receive (as a reward, award, or payment for property or services); or (b) sell, exchange, gift, or otherwise dispose of a digital asset (or a financial interest in a digital asset)?

In other words, the IRS expressly seeks disclosure of all digital asset transactions and not merely those involving cryptocurrencies.  The IRS now wants to know about a taxpayer’s NFT sales and any income generating activities where digital assets are received as payment.  On April 5, 2023, the IRS released its IRS Tax Tip 2023-45 which elaborated on this new position regarding a taxpayer’s obligation to report digital asset transactions – including citation to applicable supplemental forms.  By informing taxpayers of their new obligations – by way of tax forms and “tax tips”, it becomes increasingly difficult for them to argue any lack of knowledge on the topic.   The easiest approach will always be one which just assumes all realized digital asset gains are taxable.   

And, to the extent there was any ambiguity regarding more specific tax treatment of NFTs, that might soon evaporate given the IRS – in its March 13, 2023 Notice 2023-27, seeks to classify most NFTs as “collectibles” – a lesser form of asset for purposes of capital gains and other tax purposes.

Specifically, Notice 2023-27 – which seeks comments before June 19, 2023, announces the IRS’s and Treasury’s intention to issue guidance as to whether certain NFTs are “collectibles” under IRS Section 408(m).  Currently, the only available categories of “collectibles” under this section are:  “(A) any work of art, (B) any rug or antique, (C) any metal or gem, (D) any stamp or coin, (E) any alcoholic beverage, or (F) any other tangible personal property specified by the Secretary for purposes of this subsection.”  See 26 USC § 408(m)(2).  The IRS recognizes that NFTs do not presently constitute any of the above – including “art” given an NFT is not the art itself, it is a digital file pointing to the actual digital art typically found using an IPFS gateway such as Pinata.  Moreover, Section (F) expressly references “tangible personal property” so that catchall also does not squarely fit. 

While waiting for comments, the IRS will deploy a “look-through” analysis:  “Under the look-through analysis, an NFT constitutes a section 408(m) collectible if the NFT’s associated right or asset is a section 408(m) collectible. For example, a gem is a section 408(m) collectible under section 408(m)(2)(C), and therefore an NFT that certifies ownership of a gem constitutes a section 408(m) collectible. Similarly, an NFT does not constitute a section 408(m) collectible if the NFT’s associated right or asset is not a section 408(m) collectible. For example, a right to use or develop a “plot of land” in a virtual environment generally is not a section 408(m) collectible, and therefore, an NFT that provides a right to use or develop the “plot of land” in the virtual environment generally does not constitute a section 408(m) collectible.”  See IRS Notice 2023-27.

It is not clear whether the “look-through” approach would be limited to an underlying physical asset tied to the NFT or whether it might include potential money-generating components of an NFT.  More than likely, however, the relevant IRS section could not be broadly interpreted to include future gains unrelated to specific associated assets.  Moreover, earning rewards by way of an NFT should not be taxable given rewards are generally treated as a rebate or discount on purchases – that should be treated no differently than frequent flyer miles.

The lesson learned for businesses seeking to grow NFT adoption is that market validation and future growth opportunities are now inevitable given the tax hounds have gotten the scent.  To the extent there were any previous regulatory barriers to growth opportunities, those will be lifted so long as the government gets it take.

Accounting Firm, Electronic Health Records, Litigation Management, Network Security, Risk Management, Technology Law

B2 – B1 < (P x H)1 – (P x H)2

On February 16, 2021, The Sedona Conference (TSC) – a nonpartisan, nonprofit research and educational institute “dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation and intellectual property rights”, released its final “Commentary on a Reasonable Security Test“.  TSC is well known for previously helping Courts around the country determine the proper contours of e-discovery.  

Recognizing that cybersecurity reasonableness crosses both legal and technology domains, TSC sought a reasonableness test that would help bridge that divide.  Accordingly, the proposed test for reasonable security was designed to be consistent with “models for determining reasonableness that have been used in various other contexts by courts, in legislative and regulatory oversight, and in information security control frameworks.” The Sedona Conference, Commentary on a Reasonable Security Test, 22 SEDONA CONF. J. 345, 358 (forthcoming 2021).  To that end, this test is ultimately based on the landmark Learned Hand negligence test in United States v. Carroll Towing Co., 159 F.2d 169, 173 (2nd Cir. 1947).  

The Sedona Conference Reasonable Security Test consists of “B2 – B1 < (P x H)1 – (P x H)2” where B represents the burden, P represents the probability of harm, H represents the magnitude of harm, subscript 1 represents the controls (or lack thereof) at the time the information steward allegedly had unreasonable security in place, and subscript 2 represents the alternative or supplementary control.  22 SEDONA CONF. J. at 360.  

TSC’s Commentary should be carefully studied for numerous reasons, including the fact TSC applies it to actual recent enforcement actions and provides solid arguments for its judicial application.  No different than its highly cited e-discovery initiatives, this new TSC approach may very well be relied on by courts tackling the important question of what constitutes reasonable security in the context of a data breach litigation or enforcement action.