financialservices.house.gov

Cmte Financial Services (R)
Contact:



McHenry Requests GAO Audit FinCEN’s Beneficial Ownership Secure System


Washington, Oct 15 -

Today, the Chairman of the House Financial Services Committee, Patrick McHenry (NC-10), sent a letter requesting the Government Accountability Office (GAO) audit the Financial Crimes Enforcement Network’s (FinCEN) Beneficial Ownership Secure System (BOSS). The BOSS registry is intended to be a key national security tool designed to support the national security community, including law enforcement, to target bad actors abusing the United States financial system to engage in illicit activity. 


However, following FinCEN’s failure to properly manage critical access to information in its Bank Secrecy Act (BSA) database, Republicans are skeptical the agency will properly safeguard the data in BOSS as mandated. Committee Republicans’ oversight of FinCEN’s is a continuation of their efforts to ensure the implementation of the beneficial ownership reporting regime adheres to Congressional intent and American small businesses’ sensitive information is appropriately safeguarded by FinCEN.

  

Read the full letter here.

 

Read a key excerpt from the letter below:


“I am writing to request that the Government Accountability Office (GAO) analyze and audit the Department of the Treasury’s (Treasury) Financial Crimes Enforcement Network (FinCEN), with a focus on FinCEN’s information security and database management of the Beneficial Ownership Secure System (BOSS). The beneficial ownership information registry is intended to be a key national security tool designed to support the national security community, including law enforcement, to target bad actors and nation states abusing the United States financial system to engage in illicit activity. 


“On January 1, 2024, FinCEN began accepting beneficial ownership information (BOI) from small businesses throughout the country. In their submissions, businesses are expected to disclose personally identifiable information such as addresses, legal representatives, birth dates, unique identifying numbers for each beneficial owner, and more. There are already questions about how FinCEN handles sensitive Bank Secrecy Act (BSA) data, therefore it is Congress’ intent to ensure that FinCEN adequately safeguards the BOSS. 


“To ensure America’s small businesses are protected, Division F of the Willim M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 included the strongest privacy and disclosure protections as it relates to the collection, maintenance, and disclosure of beneficial ownership information. Among others, these protections include agency head certification of an authorized investigation to access to the database, semi-annual certification by agencies to the Secretary of the Treasury of protocols to ensure maximum protection, and limitations on disclosure of beneficial ownership information. The protections in Division F are critical to protect confidential information and prevent unauthorized access.


“Currently, FinCEN maintains one of the largest information repositories accessible to law enforcement and regulatory agencies, the BSA database. This database includes Suspicious Activity Reports, Currency Transaction Reports, and other BSA reports. In August 2023 and August 2024, the Treasury Office of the Inspector General (OIG) released two audits of FinCEN’s management of BSA data. The August 2023 audit highlighted failures of the agency to timely follow data suppression protocols and ensure that agencies with access to BSA data removed suppressed records timely. In its second audit, the OIG found FinCEN did not properly manage user access, despite the volume of 14,000 FinCEN portal users with direct access to BSA data. Specifically, the OIG found that FinCEN could not ensure whether agencies were timely disabling external user accounts, which could have resulted in unauthorized user access to BSA data.  FinCEN’s failure to properly manage the BSA database, leaves Congress reluctant that the agency will properly safeguard the data in BOSS as mandated.


“As FinCEN continues to collect data from small businesses throughout the country, the agency must ensure Americans’ financial privacy in both the BSA database and BOSS are appropriately protected. FinCEN’s commitment to privacy and civil liberties should not be a question. To that end, GAO’s review will assist the Congress in understanding any deficiencies in FinCEN’s information management and security, including whether FinCEN is complying with congressional intent.”


###