US-FinCEN KYC

CTA BOI: What It Requires and Who It Applies To

Applies to: corporates
Jurisdictions: US

The Beneficial Ownership Information Reporting Rule is a US federal regulation issued by the Financial Crimes Enforcement Network (FinCEN) under the Corporate Transparency Act of 2021, requiring most US corporations, LLCs, and similar entities to disclose their beneficial owners' identities to a federal database. The rule took effect January 1, 2024, and initially applied to an estimated 32.6 million existing companies.

What is CTA BOI?

The Beneficial Ownership Information Reporting Rule (CTA BOI) is a US federal regulation issued by FinCEN under authority granted by the Corporate Transparency Act of 2021. It requires most US corporations, LLCs, and similar entities to identify who actually owns and controls them, and to report that information directly into FinCEN's Beneficial Ownership Secure System (BOSS) database.

Before this rule, the US had no central federal registry of corporate ownership. Shell companies and anonymously-held LLCs were a documented gap in the anti-money laundering framework. The Financial Action Task Force flagged the US for exactly this weakness in its 2016 Mutual Evaluation Report, noting that US authorities often couldn't identify who owned the legal entities they were investigating. FATF Recommendation 24 specifically requires countries to maintain accurate beneficial ownership information on legal persons, accessible to competent authorities promptly. The US was rated non-compliant.

FinCEN finalized the Reporting Rule on September 30, 2022, published in the Federal Register at 87 FR 59498. It took effect January 1, 2024. Companies formed before that date had until January 1, 2025 to file initial reports. Companies formed during 2024 had 90 days from creation. Companies formed on or after January 1, 2025 have 30 days.

The rule sits within the broader Bank Secrecy Act framework and was mandated by the Anti-Money Laundering Act of 2020, the most sweeping reform of US AML law since the Patriot Act. CTA BOI is the structural piece that closes the gap allowing illicit actors to hide behind anonymous corporate structures.


Who does CTA BOI apply to?

The rule covers two categories of "reporting company":

  • Domestic reporting companies: Corporations, LLCs, limited partnerships, and any other entity formed by filing a document with a US state or tribal authority.
  • Foreign reporting companies: Entities formed under foreign law that are registered to do business in any US state or tribal jurisdiction.

FinCEN estimated the rule would initially apply to roughly 32.6 million existing entities, with approximately 5 million new companies entering scope each year.

Twenty-three categories of entities are exempt. The most widely invoked are:

  • Large operating companies: Entities with more than 20 full-time US employees, a physical US office, and more than $5 million in gross receipts or sales on the prior year's US tax return.
  • Banks and credit unions: Already subject to federal or state supervision, including under the FinCEN CDD Rule.
  • SEC-registered entities: Broker-dealers, registered investment companies, and investment advisers registered with the SEC.
  • Regulated insurance companies: Licensed and supervised by a state insurance commissioner.
  • Public companies: Issuers registered under Section 12 of the Securities Exchange Act.
  • Inactive entities: Those in existence before January 1, 2020, with no active business, no assets, and no recent ownership changes.
  • Subsidiaries of exempt entities: Wholly-owned subsidiaries of certain exempt parents may qualify.

Private equity portfolio companies, closely-held operating businesses, single-purpose real estate LLCs, and most small businesses without a federal regulatory footprint are in scope. That's where the bulk of the compliance burden lands. If your legal entity doesn't have a banking license or SEC registration, you're almost certainly a reporting company.


What does CTA BOI require?

The core obligation is identifying every beneficial owner and reporting their personal information to FinCEN.

A "beneficial owner" is any individual who either:

  1. Directly or indirectly owns or controls at least 25% of the ownership interests of the reporting company, OR
  2. Exercises "substantial control" over the company, which includes serving as a senior officer, having authority to appoint or remove senior officers or a majority of the board, directing or determining important company decisions, or holding any other form of substantial control as defined in the rule.

The specific information required for each beneficial owner:

  1. Full legal name
  2. Date of birth
  3. Current residential street address (not a PO box, not a registered agent address, not the company's address)
  4. Unique identifying number from an acceptable document: US passport, state driver's license, foreign passport, or other state or federal government ID
  5. Image of the identifying document

For companies formed on or after January 1, 2024, the same five data points must be filed for each "company applicant": the individual who directly files the formation document and, if different, the individual who directs or controls that filing.

Update obligations are strict. Any change to reported information triggers a 30-day window to file an updated report. That includes a beneficial owner's address change, a name change, or any shift in ownership structure. If a company discovers it filed inaccurate information, it has 30 days from discovery to correct it.

Access to BOSS is restricted to authorized government agencies and, under specific conditions, financial institutions. The OFAC 50% Rule operates in parallel: entities 50% or more owned by a sanctioned person are themselves treated as sanctioned, regardless of whether a BOI report has been filed. Compliance with one doesn't substitute for the other.


What evidence do regulators expect?

FinCEN's BOI database is a reporting system rather than a direct examination framework, but regulators have been clear that they expect companies to have documented processes behind their filings. For any enforcement inquiry, investigators will look for:

  • Written BOI compliance policy: A document identifying who owns what percentage, who qualifies as a substantial-control officer, and which internal role is responsible for filing and updating reports.
  • Filing confirmation numbers: BOSS issues a unique confirmation on each accepted report. Retain these indefinitely; they're your proof of timely submission.
  • Ownership structure documentation: Cap tables, operating agreements, and shareholder registers current as of the filing date.
  • Change-tracking log: A record of every ownership change, with dates and the corresponding 30-day update deadline.
  • Training records: Evidence that legal counsel, finance leads, and senior officers understand their CTA obligations.
  • Exemption analysis: If a company claims an exemption, written analysis supporting that claim, refreshed annually or after any material change in business size or structure.
  • Company applicant records: For entities formed after January 1, 2024, the identification documents for the formation filing agent.

For financial institutions, the question is different. They must confirm their Know Your Business (KYB) and Customer Due Diligence procedures are positioned to cross-reference BOSS data once FinCEN activates financial institution access. Examiners will ask whether institutions have a documented plan for that integration.


Common failure modes

These are the patterns FinCEN's Small Entity Compliance Guide and early enforcement experience have surfaced most consistently:

  • Missed update deadlines: Companies change their address, add a shareholder, or restructure without realizing the 30-day update clock starts on the date of the change, not the date it's internally noticed.
  • Misclassifying beneficial owners: Many companies report only formal equity holders and miss individuals exercising substantial control. A CEO who owns no equity but controls all major decisions is a beneficial owner under the rule.
  • Incorrect exemption claims: The most abused exemption is "large operating company." All three prongs are required: 20+ US employees, physical US office, AND $5M+ in US gross receipts on the prior year's return. Missing one prong invalidates the exemption entirely.
  • Residential address errors: The rule requires each beneficial owner's current residential street address. Listing the company's registered agent address or a PO box is non-compliant.
  • Ignoring the company applicant requirement: Entities formed after January 1, 2024 frequently overlook company applicant disclosure. This is a separate obligation and carries the same penalties as omitting a beneficial owner.
  • No process at deal close: When a private equity fund acquires or forms a new subsidiary, that entity has its own 30-day filing requirement. Without a process to trigger compliance work at deal close or formation, deadlines routinely slip.

The National Small Business Association v. Yellen litigation (N.D. Ala., Case No. 5:22-cv-01448) produced a temporary injunction in early 2024 that caused widespread confusion about whether the rule was in force. Companies that used that period to deprioritize compliance work found themselves behind when enforcement resumed.


Penalties for non-compliance

Willful non-compliance carries serious consequences under 31 USC § 5336(h):

  • Civil penalties: $591 per day for each day a violation continues. This is the inflation-adjusted figure from the original $500 cap; FinCEN confirmed the $591 rate in 2024 guidance.
  • Criminal penalties: Up to $10,000 in fines and imprisonment of up to two years for willful violations. Providing false information is treated as willful.
  • Senior officer liability: If a reporting company fails to file, any senior officer of that company at the time of the failure can be held personally liable for both civil and criminal penalties, even if they never touched the actual filing.

The math gets uncomfortable quickly. $591/day on a single unreported entity is manageable. Multiply it across a private equity fund with 50 portfolio companies that each missed their initial filing deadline, and the exposure reaches over $1 million per day across the portfolio.

FinCEN and the DOJ have both signaled active enforcement. FinCEN's January 2024 guidance clarified that the willfulness standard isn't limited to deliberate fraud; it includes conscious disregard of a known legal obligation. That's a meaningful expansion. A compliance officer who receives a memo about CTA BOI and fails to act on it may not be able to argue absence of knowledge.

The companion statute, 31 USC § 5318(g), covers financial institutions that fail to implement adequate procedures when FinCEN activates financial institution access to BOSS, connecting CTA enforcement directly to the broader Bank Secrecy Act penalty structure.


Related regulations and frameworks

CTA BOI is part of a global convergence on transparent corporate ownership. It doesn't stand alone.

FATF Recommendation 24 is the international standard CTA BOI implements domestically. The 2023 revision of FATF Rec 24 strengthened the standard, pushing countries toward central registries rather than reliance on company-held records. The US BOSS database directly satisfies this.

FinCEN CDD Rule (2016): Before CTA BOI, financial institutions were already required under the FinCEN CDD Rule to collect beneficial ownership information from legal entity customers at account opening. CTA BOI creates the government-side registry that financial institutions will use to verify what customers tell them during KYC onboarding. The two rules are designed to close the gap from both ends.

AMLA 2020: The Anti-Money Laundering Act of 2020 is the statutory parent of CTA and also drove FinCEN's national AML/CFT priorities, expanded whistleblower protections, and strengthened suspicious activity reporting. CTA BOI connects directly to the SAR ecosystem: financial institutions that discover a discrepancy between BOSS data and what a customer reports may face SAR filing obligations.

EU comparison: The EU's approach runs through the 4th and 5th AML Directives, now superseded by the EU AML Regulation (AMLR) and the new EU Anti-Money Laundering Authority. EU member states must maintain centrally accessible UBO registers. The key difference: EU registers are largely public. The US BOSS database is not.

UK comparison: The UK has operated a public persons-with-significant-control (PSC) register via Companies House since 2016. The UK's Money Laundering Regulations 2017 require firms to verify PSC data as part of business-relationship due diligence. The US model is more restrictive on public access, but the underlying obligation on reporting companies is comparable.


How FluxForce supports CTA BOI compliance

FluxForce's Identity Verification and KYC/AML Automation agents automate beneficial owner extraction from entity documents, cross-reference reported ownership structures against corporate registries, and flag discrepancies between customer-supplied data and BOSS records as FinCEN financial institution access activates. For compliance teams managing large corporate portfolios, FluxForce tracks the 30-day update window per entity and generates deadline alerts before violations accumulate. The platform maps ownership chains through nested entities, surfaces structural changes that trigger update obligations, and maintains a full audit trail of every ownership check. Request a demo at fluxforce.ai/demo.

FluxForce AI agents automate evidence capture, monitor transactions against CTA BOI obligations in real time, and generate audit-ready reports with full decision trails.
