CTA: What It Requires and Who It Applies To

What is CTA?

The Corporate Transparency Act (CTA) is a US federal law enacted January 1, 2021, as Division F of the National Defense Authorization Act for Fiscal Year 2021. That same legislation included the Anti-Money Laundering Act of 2020, the most sweeping overhaul of the Bank Secrecy Act in two decades. FinCEN, the Treasury bureau responsible for financial intelligence and AML policy, administers the resulting beneficial ownership information (BOI) reporting program. Reporting requirements became effective January 1, 2024.

The legislative context matters. For decades, forming an anonymous shell company in the US was trivially easy. Delaware, Wyoming, and Nevada allowed incorporation with minimal disclosure, no federal requirement to name the actual owner, and no central registry. Professional money launderers, foreign kleptocrats, and sanctions evaders used this gap freely. The FATF flagged it repeatedly. Its 2016 Mutual Evaluation Report on the United States rated the country non-compliant on the core beneficial ownership standard and non-compliant or partially compliant on multiple related standards. Treasury's own advisories documented shell company use in real estate money laundering, corruption proceeds concealment, and sanctions evasion over many years.

The CTA's solution is a centralized but non-public registry. Covered entities file BOI reports directly with FinCEN through the BOI E-Filing System at boiefiling.fincen.gov. Authorized requestors, including federal law enforcement, national security agencies, financial institutions with customer consent, and certain foreign counterpart agencies, can query it. The registry is not publicly searchable. That's a deliberate design choice and it distinguishes the US approach from the EU's public register model.

FinCEN published the final implementing rule on September 30, 2022 (87 FR 59498), codified at 31 CFR Part 1010. The full regulation and current guidance are available at fincen.gov/boi.

One important caveat on enforcement status: the CTA faced multiple constitutional challenges in federal courts in 2024 and 2025. In early 2025, FinCEN issued an interim final rule temporarily limiting BOI reporting enforcement to foreign reporting companies, with domestic enforcement paused pending further rulemaking. Compliance teams should check fincen.gov/boi directly for the current enforcement posture before advising clients or business units.

Who does CTA apply to?

The CTA defines two categories of covered entities.

Domestic reporting companies are corporations, LLCs, limited liability partnerships, and any other entity created by filing a document with a US state secretary of state or equivalent tribal authority. The definition is intentionally broad. It captures the full range of entity types, from single-member LLCs formed to hold a rental property to complex multi-tier holding structures.

Foreign reporting companies are entities formed under foreign law that are registered to do business in any US state or tribal jurisdiction.

Both categories carry the same BOI reporting obligations. The main difference is address reporting: foreign entities without a US principal office report their registered agent's address instead.

The law exempts 23 entity categories. The most operationally significant:

• Large operating companies: Must simultaneously have 20 or more full-time US employees, more than $5 million in US-sourced gross revenue on the prior year's federal tax return, AND a physical US office. All three criteria are required together. Missing any one of them means the exemption does not apply.
• Banks and credit unions: Federally regulated institutions under the BSA, FDIC, Federal Reserve, OCC, or NCUA
• SEC-reporting companies: Issuers registered under Securities Exchange Act Sections 12 or 15(d)
• Registered investment advisers: Entities registered with the SEC
• Insurance companies: Under state regulatory supervision
• Accounting firms: Registered with the PCAOB
• Inactive entities: Formed before January 1, 2020, with no transactions, no assets, no ownership changes, and not party to litigation since formation
• Subsidiaries of exempt entities: Wholly owned or controlled exclusively by one or more qualifying exempt entities

FinCEN's 2022 regulatory impact analysis estimated the initial compliance universe at approximately 32.6 million existing businesses, with roughly 5 million new reporting companies expected annually. The overwhelming majority are small businesses, single-member LLCs, and real estate holding companies, not large corporations.

What does CTA require?

For each reporting company, there are two sets of required disclosures.

Company-level information:

1. Full legal name of the reporting company
2. All trade names or DBAs currently in use
3. Current US street address (principal place of business; for foreign companies, the primary US location or, if none, the registered agent's address)
4. Jurisdiction of formation or registration: state, tribal authority, or foreign country
5. IRS Taxpayer Identification Number (or foreign equivalent)

Beneficial owner information for each qualifying individual:

1. Full legal name
2. Date of birth
3. Current residential street address (not a PO Box, not a business address)
4. A unique identifying number from a qualifying document: US passport, state-issued driver's license, or other government-issued photo ID
5. An image of that identifying document

A beneficial owner is any individual who either: (a) directly or indirectly owns or controls 25% or more of the company's ownership interests, OR (b) exercises substantial control over the company. The substantial control prong covers all senior officers (CEO, CFO, COO, general counsel, and their functional equivalents), individuals with authority to appoint or remove senior officers or a majority of the board, and any other person who exercises significant influence over major decisions about the company's finances, operations, or structure.

It's the "OR" that catches people. A CEO with zero equity stake is still a beneficial owner through substantial control. A nominee shareholder registered at 26% is a beneficial owner through the ownership prong. Both must be reported.

Company applicants must also be disclosed for entities formed on or after January 1, 2024. That means the person who filed the formation document with the state, and if different, the person who directed that filing.

Filing deadlines:

1. Entities formed before January 1, 2024: original deadline January 1, 2025 (subject to litigation-related enforcement pauses; check current FinCEN guidance before advising)
2. Entities formed during calendar year 2024: 90 days from the date of formation
3. Entities formed January 1, 2025 onwards: 30 days from formation

Updates and corrections: Any change to previously reported information must be filed within 30 days of the change. Inaccuracies discovered after filing must be corrected within 30 days of discovery. Filing is free. There is no filing fee through the FinCEN BOI E-Filing System.

What evidence do regulators expect?

The CTA's enforcement model differs from traditional bank examinations. There's no ongoing examination cycle for reporting companies themselves, but FinCEN and the DOJ can investigate compliance at any point. For financial institutions that access the BOI database, examiners will align their review with Customer Due Diligence (CDD) program expectations.

For reporting companies, an audit-ready evidence package should include:

• A copy of the filed BOI report and the FinCEN confirmation receipt from the E-Filing System
• A written ownership structure analysis documenting the 25% threshold calculation for each beneficial owner, including any indirect ownership chains
• A written analysis of whether the substantial control prong applied to any individuals beyond the registered shareholders
• Copies of the government-issued identification documents reviewed and submitted for each beneficial owner
• A documented process for monitoring ownership and control changes, with trigger events mapped to the 30-day update window
• Timestamped records of any subsequent update filings
• For entities claiming an exemption: a written analysis of each exemption criterion, supported by evidence (headcount records, prior year revenue figures from a tax return, physical office documentation)
• A current legal entity organization chart, dated as of the filing date

For financial institutions with authorized access to the FinCEN BOI database:

• Customer consent records authorizing the institution to query the database for CDD purposes
• Database query logs demonstrating access was used only for permitted purposes
• Written procedures connecting BOI query results to onboarding and periodic review workflows
• Staff training records showing employees understand the permitted use conditions and unauthorized disclosure prohibitions

FinCEN's official Small Entity Compliance Guide, published at fincen.gov/boi, is the authoritative checklist. Treat it as the primary exam preparation document for any compliance review.

Common failure modes

The failures FinCEN has flagged and that we've seen in practice follow predictable patterns.

• No filing at all. As of late 2024, tens of millions of covered companies still hadn't filed. Small businesses, single-member LLCs, real estate holding companies formed years ago, and family structures are disproportionately in this category. Many had no awareness the obligation existed.
• Misidentifying beneficial owners. Filing only registered shareholders without analyzing the substantial control prong is the most common substantive error. A CFO or general counsel with no equity stake still qualifies. We've seen compliance teams miss this consistently.
• Treating the initial filing as a permanent record. An ownership transfer, a senior officer's departure, a registered address change: each triggers a 30-day update obligation. One-and-done thinking is wrong and creates ongoing exposure.
• Faulty exemption analysis. The large operating company exemption requires all three criteria at once: 20+ full-time US employees, $5M+ in US-sourced revenue, AND a physical US office. If revenue drops below $5M in a subsequent year, the exemption lapses and a BOI report is due within 30 days. We've seen companies that qualified at launch fail to monitor their ongoing status.
• Nominee arrangements. Listing a registered nominee as the beneficial owner rather than the actual controlling person. FinCEN has specifically identified nominee ownership structures as a money laundering red flag and a CTA enforcement priority.
• Missing or expired ID documents. Submitting beneficial owner records without the required government-issued photo ID image, or using an expired document.

On the criminal side, FinCEN's BOI guidance published at launch outlined specific fraud scenarios the registry was designed to address, including real estate layering schemes and trust misuse. The DOJ's Money Laundering and Asset Recovery Section (MLARS) has brought criminal prosecutions for willful failure to file and for filing false BOI reports. See current enforcement actions at fincen.gov/news and justice.gov/criminal/criminal-mlars.

Penalties for non-compliance

Penalty authority is set at 31 U.S.C. § 5336(h), with annual inflation adjustments under the Federal Civil Penalties Inflation Adjustment Act.

Civil penalties: $591 per day for each day a violation continues (2024 inflation-adjusted figure, up from the original $500 statutory baseline). The civil penalty applies to willful violations and to any person who causes a reporting company to violate the CTA. That includes advisers, attorneys, or company formation agents who instruct a client to omit a beneficial owner. Senior officers who certify false reports are personally exposed.

Criminal penalties: Willful failure to file, willful filing of false or fraudulent BOI reports, and willful use of the CTA to commit fraud all carry up to two years imprisonment and fines up to $10,000. "Willful" covers intentional violations and willful blindness. An officer who deliberately avoided learning about the obligation gets no protection.

Unauthorized BOI database access or disclosure: Financial institutions and their personnel who improperly access or disclose FinCEN BOI data face up to five years imprisonment and fines up to $250,000 per violation, or up to 10 years if the unauthorized access was for commercial advantage or in furtherance of a crime.

Personal liability is real. If a senior officer of a reporting company certifies a BOI report they know to be false, they face civil and criminal exposure independent of any penalties against the company itself.

The DOJ has brought criminal prosecutions under the CTA, including cases in the Southern District of New York involving false BOI filings connected to broader fraud and sanctions evasion schemes. FinCEN civil enforcement runs in parallel. Enforcement activity is posted at fincen.gov/news.

Related regulations and frameworks

The CTA sits within a larger web of US and international beneficial ownership requirements.

At the international level, FATF Recommendation 24 requires member countries to ensure that competent authorities can access adequate, accurate, and current information on the beneficial ownership of legal persons. The CTA is the direct US legislative response to FATF's 2016 Mutual Evaluation Report, which rated the US non-compliant on Recommendation 24. FATF had flagged this gap across multiple evaluation cycles going back to 2006.

Domestically, the CTA works alongside the FinCEN CDD Rule (31 CFR § 1010.230). The CDD Rule requires banks, broker-dealers, mutual funds, and other covered financial institutions to collect beneficial ownership data at account opening. The CTA creates the FinCEN registry those institutions can query to verify what customers self-report. The two rules are complementary, not duplicative. The CDD Rule governs financial institution collection. The CTA governs company disclosure.

The Anti-Money Laundering Act of 2020 is the parent statute. The CTA was enacted as Division F of the NDAA FY2021, which incorporated AMLA 2020 into the National Defense Authorization Act. The broader AMLA overhauled the Bank Secrecy Act framework, added whistleblower protections, created a national AML/CFT priorities list, and established the BOI registry in one package.

The Bank Secrecy Act remains the foundational statute. FinCEN's authority to administer the CTA derives from the BSA, and the CTA's penalty structure mirrors BSA civil and criminal enforcement authority.

In the EU, the parallel frameworks under the Anti-Money Laundering Regulation (AMLR 2024) and existing directives require public beneficial ownership registers. The US CTA uses a non-public database accessible only to authorized parties. Neither approach is inherently superior. The non-public model protects owner privacy and reduces targeted fraud risk; the public model enables civil society and investigative journalism access.

How FluxForce supports CTA compliance

FluxForce's Identity Verification and KYC/AML Automation platform automates beneficial ownership identification across onboarding workflows, covering both the 25% threshold calculation and the substantial control analysis. Nova Sentinel monitors entity structures for changes that trigger the 30-day update obligation. Aiden Flux cross-references reported owners against sanctions lists, PEP databases, and adverse media in real time. Every determination is documented with full evidence trails ready for FinCEN examination or DOJ inquiry. To see how FluxForce maps to your CTA and broader KYB obligations, request a live demo at fluxforce.ai/solutions/kyc-solution.