CTA BOI: What It Requires and Who It Applies To

What is CTA BOI?

The Beneficial Ownership Information (BOI) Reporting Rule is a federal regulation issued by the Financial Crimes Enforcement Network (FinCEN) under the Corporate Transparency Act of 2021, which Congress enacted on January 1, 2021 as part of the National Defense Authorization Act for Fiscal Year 2021. The rule took effect January 1, 2024, creating the first national registry of beneficial owners of US legal entities.

The problem the CTA addresses is real and long-documented. The US had no central repository of who actually owned corporations and LLCs formed under state law. Anonymous shell companies had been a documented vector for money laundering, sanctions evasion, and terrorist financing for decades. FATF cited this gap in its 2016 Mutual Evaluation of the United States, finding that the US lacked adequate measures to prevent the misuse of legal persons. The Anti-Money Laundering Act of 2020 then directed FinCEN to create this registry, specifying its scope and access controls.

FinCEN published the final rule on September 30, 2022, after reviewing approximately 240,000 public comments. The Beneficial Ownership Secure System (BOSS) is the central database. Access is controlled: federal law enforcement queries it freely, state and local law enforcement needs court authorization, and financial institutions can access it with documented customer consent for KYC and AML purposes.

The rule's enforcement history has been unstable. A series of federal court injunctions in late 2024 temporarily blocked enforcement. The Treasury Department then announced in February 2025 that it wouldn't impose civil penalties on US persons or domestic reporting companies, and FinCEN issued an interim final rule in March 2025 narrowing the reporting obligation to foreign pooled investment vehicles registered in the US. The underlying statute remains law. Criminal liability remains active. FinCEN has stated it intends to resume full enforcement once the legal framework is resolved. Compliance teams that treat the current suspension as permanent are taking a risk they don't need to take.

Who does CTA BOI apply to?

A "reporting company" is any corporation, LLC, or other entity created by filing a document with a US secretary of state or equivalent tribal official, plus any foreign entity registered to do business in any US state. That definition captures most privately held businesses in the country.

Twenty-three specific exemptions exist. The ones most relevant to financial services clients:

• Large operating companies: entities with more than 20 full-time US employees, a physical US office, and more than $5 million in US-source gross receipts on the prior year's federal tax return. All three conditions are required simultaneously.
• SEC-reporting companies registered under the Securities Exchange Act
• Banks as defined under the Bank Secrecy Act
• Federal and state-chartered credit unions
• Bank holding companies and savings and loan holding companies regulated by the Federal Reserve, OCC, or FDIC
• Money services businesses registered with FinCEN under MSB Registration rules
• Registered investment advisers and investment companies under the Investment Company Act
• Insurance companies licensed in any US state
• 501(c) tax-exempt organizations
• Inactive entities meeting five specific criteria: formed before January 1, 2020; not actively conducting business; no foreign ownership; no assets; not held by or on behalf of a foreign person

FinCEN's 2022 regulatory impact analysis estimated approximately 32.6 million existing reporting companies, with roughly 5 million new entities created each year. Most small and medium-sized private businesses with any formal corporate structure are in scope.

Foreign entities aren't exempt simply by virtue of being incorporated elsewhere. A foreign company registered to do business in any US state is a reporting company with the same obligations as a domestically formed entity.

What does CTA BOI require?

The core filing obligations:

1. File a Beneficial Ownership Information Report (BOIR) with FinCEN identifying each beneficial owner of the reporting company. Reports are filed electronically through FinCEN's BOSS portal at no charge.

2. Identify beneficial owners on two tracks: (a) any individual who directly or indirectly owns or controls 25% or more of the company's ownership interests, and (b) any individual exercising "substantial control." Substantial control captures senior officers (CEO, CFO, COO, President, General Counsel) and anyone with authority to appoint or remove senior officers or a majority of the board, regardless of ownership stake.

3. Provide required information per beneficial owner: full legal name; date of birth; current residential street address (PO boxes are not acceptable); a unique identifying number from a US passport, state driver's license, or foreign passport; and an image of that document.

4. For entities formed on or after January 1, 2024, report company applicants: the individual who filed the formation document with the secretary of state, and (if different) the person primarily directing that filing. Maximum two company applicants per entity.

5. Meet filing deadlines: entities formed before January 1, 2024 had until January 1, 2025; entities formed between January 1, 2024 and December 31, 2024 had 90 days from formation; entities formed on or after January 1, 2025 have 30 days.

6. Update within 30 calendar days of any change, including new or departing beneficial owners, changes in senior officer roles, ownership percentage changes that cross the 25% threshold, and document or address updates.

7. Correct inaccuracies within 30 calendar days of discovering a previously filed report contains errors.

The rule doesn't specify a retention period for supporting documents. FinCEN retains BOSS data for at least five years after entity termination. Aligning internal document retention with BSA standards (five years minimum) is reasonable practice and consistent with what examiners expect across the BSA/AML program.

What evidence do regulators expect?

For financial institutions accessing the BOI database, examiners look for:

• Written policies and procedures for requesting BOI data, with explicit data use restrictions documented (BOI data can't be used for commercial purposes or any purpose unrelated to AML/CTF compliance)
• Customer consent obtained and recorded before each BOSS query, with the stated business purpose
• Access logs showing only authorized personnel accessed the system
• Procedures for handling discrepancies between FinCEN BOI data and customer-provided ownership information (a mismatch triggers enhanced review, not automatic account termination)
• Integration records showing BOI query results feed into Customer Due Diligence and Know Your Business workflows
• Training records showing staff understand what BOI data is, how to read it, and what a mismatch means for the customer file
• Evidence of periodic program testing and board-level oversight

For reporting companies managing their own compliance:

• A written exemption analysis if the entity claims not to be a reporting company, dated, signed, and reviewed annually
• BOIR confirmation numbers from FinCEN for every filed report
• An internal process that triggers the 30-day update clock, requiring coordination between HR (officer changes), corporate secretary (ownership changes), and legal (threshold interpretation). Without that internal handoff, the 30-day clock runs out silently.
• Board or audit committee records evidencing governance oversight of the BOI program

The FinCEN CDD Rule already required financial institutions to collect beneficial ownership information from legal entity customers. Examiners increasingly expect BOSS database queries as a supplemental verification step, not as a replacement for the institution's own collection process. The two obligations are additive.

Common failure modes

Most BOI compliance problems fall into predictable patterns:

• Misidentifying the large operating company exemption: The exemption requires all three conditions simultaneously. We've seen companies count part-time employees toward the 20-person threshold, use a registered agent address as their "physical office," or calculate the $5 million revenue test based on global rather than US-source income. Any one of those errors voids the exemption.

• Ignoring the substantial control track: Companies focus on the 25% ownership threshold and miss beneficial owners through the substantial control prong. A de facto decision-maker with no equity stake but real authority over major transactions, key hires, or financing decisions is a beneficial owner under the rule.

• Stale data after organizational changes: The 30-day update requirement catches companies off guard during M&A transactions, leadership transitions, and recapitalizations. Treating a BOIR filing as a one-time compliance event, rather than an ongoing obligation, is the single most common failure pattern in practice.

• Subsidiary exemption assumption: A wholly owned subsidiary doesn't inherit its parent's exemption. Each entity must independently qualify.

• Company applicant misidentification: New entities often identify the wrong company applicant. The relevant person is whoever physically or electronically submitted the formation document to the secretary of state, not the business owner who initiated the process or the attorney who prepared the filing internally.

Criminal enforcement doesn't pause during civil suspension. FinCEN referred a case to DOJ in early 2024 for alleged false statements in a BOIR filing, demonstrating that willful violations carry real personal exposure for the individuals involved, regardless of the broader enforcement pause.

Penalties for non-compliance

The CTA sets specific penalty ranges that every compliance officer should know precisely.

Civil penalties: Up to $591 per day (inflation-adjusted from the original $500/day) for each day a violation continues. A company that fails to file for 60 days accumulates up to $35,460 in civil exposure before any enforcement action begins. Treasury's February 2025 non-enforcement announcement suspends these civil penalties for US persons and domestic reporting companies only, and only for now.

Criminal penalties: Up to $10,000 in fines and/or up to two years imprisonment for willful violations. "Willful" means the person knew the obligation existed and chose not to comply, or knowingly provided false information. Senior officers who direct a company not to file face personal criminal exposure, not just the entity.

Unauthorized disclosure by financial institutions: If a bank or covered institution misuses BOI data from BOSS (using it for credit underwriting, sharing it with unauthorized parties, or accessing it without documented customer consent), civil penalties run up to $1 million and criminal penalties up to $250,000 and/or 10 years imprisonment.

Treasury's non-enforcement announcement is explicit about what it doesn't cover: it doesn't protect foreign entities, it doesn't eliminate criminal liability, and it doesn't shield financial institutions from data misuse penalties. FinCEN's BOI FAQ published January 2024 states the agency intends to resume civil enforcement for all covered entities once legal uncertainty resolves. The compliance program built now is the one that gets examined then.

Related regulations and frameworks

The BOI Reporting Rule doesn't stand alone.

FATF Recommendation 24: The CTA was explicitly designed to implement FATF Rec 24, which requires countries to maintain accurate, current information on the beneficial ownership of legal entities and make it accessible to competent authorities. The US was cited in FATF mutual evaluations for inadequate beneficial ownership transparency. The CTA addresses that finding directly, and FinCEN's rule is the mechanism.

FinCEN CDD Rule: The FinCEN CDD Rule requires banks, credit unions, broker-dealers, and other covered financial institutions to collect beneficial ownership information from legal entity customers at account opening. The two rules are complementary. The CDD Rule places collection obligations on financial institutions; the BOI Reporting Rule places disclosure obligations on the entities themselves and creates a government-maintained verification database. Financial institutions should use both, not treat them as alternatives.

FATF Recommendation 10: FATF Rec 10 on customer due diligence requires financial institutions to identify and verify the beneficial owners of legal entity customers as a core CDD obligation. The BOI database gives institutions a new government-sourced tool for that verification step, though it doesn't replace the institution's own collection process.

OFAC 50% Rule: The OFAC 50% Rule requires sanctions treatment for any entity 50% or more owned by a sanctioned party, whether or not that entity appears on the SDN list itself. BOI data makes the ownership chain diligence required to apply this rule more reliable and faster to complete.

International equivalents: The EU's approach under successive AML Directives requires member states to maintain central registers of beneficial ownership. The EU AMLR (2024) goes further, mandating cross-border data sharing requirements. The UK maintains a Register of Persons with Significant Control. The US BOI registry differs structurally: it's non-public and access-controlled, while EU and UK registers were partly or fully public. For compliance teams managing multi-jurisdictional programs, a single ownership verification process won't satisfy all three regimes simultaneously. Each requires its own documented workflow.

How FluxForce supports CTA BOI compliance

FluxForce's Identity Verification and KYC/AML Automation capabilities connect directly to BOI verification workflows at account opening and periodic review. Aiden Flux and Nova Sentinel cross-reference FinCEN BOI data against customer-provided ownership information, flag mismatches for analyst review, and generate audit-ready evidence trails for every beneficial ownership decision. The Regulatory Compliance Automation module monitors corporate structure changes and triggers the 30-day update obligation automatically when reporting companies are among your clients. Every decision comes with full documentation, which is exactly what examiners want on audit day. Request a demo to see it in action.