BOI filing support for CPA firms

BOI

filing support for CPA firms — practical compliance guidance for US businesses Slug: boi-filing-support-for-cpa-firms Excerpt: How CPA firms can safely and efficiently help business clients with Beneficial Ownership Information (BOI) reporting under the Corporate Transparency Act (CTA).

Introduction The Corporate Transparency Act (CTA) requires certain companies to provide Beneficial Ownership Information (BOI) to the Financial Crimes Enforcement Network (FinCEN). Recent regulatory changes (an interim final rule published March 26, 2025) materially narrowed the definition of who must report.

This post summarizes the current rules, flags risks for CPAs (including unauthorized‑practice‑of‑law exposure), and provides step‑by‑step, practical guidance — client outreach, data collection checklists, engagement letter language samples, recordkeeping, workflow, pricing guidance and security controls — so your firm can offer BOI support efficiently and defensibly. 1) Current regulatory status — high‑level summary (as of 2026‑01‑03) - FinCEN’s March 26, 2025 interim final rule revises the regulatory definition of “reporting company” so that the BOI reporting requirement applies only to entities formed under the law of a foreign country that have registered to do business in any U.S.

State or Tribal jurisdiction (i.e., foreign entities that register in the U.S.). Domestic entities created in the United States are exempt under the IFR; likewise FinCEN stated that reporting companies do not need to report BOI for U.S. persons and U.S. persons are exempt from providing BOI for such reporting companies. (FinCEN primary guidance is linked below.) - The IFR is an interim rule subject to a comment period and FinCEN signaled it may issue a final rule later; firms should monitor FinCEN for any changes. (Treat the IFR as current guidance but expect refinements.) - New deadlines for foreign reporting companies: entities registered to do business in the U.S. before March 26, 2025 must file by April 25, 2025; entities registered on or after March 26, 2025 have 30 calendar days from notice that registration is effective.

Reporting companies must also submit updated reports within 30 days of any change to required information. (See FinCEN references below.) 2) Who is in scope (short checklist) - In scope now (per the March 26, 2025 IFR): foreign entities (formed under foreign law) that have registered to do business in any U.S.

State or Tribe by filing with a secretary of state or similar office and that do not qualify for a statutory exemption. - Out of scope now under IFR: entities formed in the U.S. (domestic entities) and their beneficial owners; U.S. persons do not need to provide BOI for reporting companies as defined by the IFR. - Exemptions (statutory): a long list of exempt entity types remains in the statute and regulations (e.g., many regulated financial institutions, large operating companies, certain tax‑exempt entities, public utilities as clarified in later rulemaking, and others).

Always check the current FinCEN exemptions list for details before concluding an entity is exempt.

Title: BOI filing support for CPA firms — practical compliance guidance for US businesses Slug: boi-filing-support-for-cpa-firms Excerpt: How CPA firms can safely and efficiently help business clients with Beneficial Ownership Information (BOI) reporting under the Corporate Transparency Act (CTA).

Introduction The Corporate Transparency Act (CTA) requires certain companies to provide Beneficial Ownership Information (BOI) to the Financial Crimes Enforcement Network (FinCEN). Recent regulatory changes (an interim final rule published March 26, 2025) materially narrowed the definition of who must report.

This post summarizes the current rules, flags risks for CPAs (including unauthorized‑practice‑of‑law exposure), and provides step‑by‑step, practical guidance — client outreach, data collection checklists, engagement letter language samples, recordkeeping, workflow, pricing guidance and security controls — so your firm can offer BOI support efficiently and defensibly. 1) Current regulatory status — high‑level summary (as of 2026‑01‑03) - FinCEN’s March 26, 2025 interim final rule revises the regulatory definition of “reporting company” so that the BOI reporting requirement applies only to entities formed under the law of a foreign country that have registered to do business in any U.S.

State or Tribal jurisdiction (i.e., foreign entities that register in the U.S.). Domestic entities created in the United States are exempt under the IFR; likewise FinCEN stated that reporting companies do not need to report BOI for U.S. persons and U.S. persons are exempt from providing BOI for such reporting companies. (FinCEN primary guidance is linked below.)

- New deadlines for foreign reporting companies: entities registered to do business in the U.S. before March 26, 2025 must file by April 25, 2025; entities registered on or after March 26, 2025 have 30 calendar days from notice that registration is effective.

Reporting companies must also submit updated reports within 30 days of any change to required information. (See FinCEN references below.) 2) Who is in scope (short checklist) - In scope now (per the March 26, 2025 IFR): foreign entities (formed under foreign law) that have registered to do business in any U.S.

State or Tribe by filing with a secretary of state or similar office and that do not qualify for a statutory exemption.

• The IFR is an interim rule subject to a comment period and FinCEN signaled it may issue a final rule later; firms should monitor FinCEN for any changes. (Treat the IFR as current guidance but expect refinements.)
• Out of scope now under IFR: entities formed in the U.S. (domestic entities) and their beneficial owners; U.S. persons do not need to provide BOI for reporting companies as defined by the IFR.
• Exemptions (statutory): a long list of exempt entity types remains in the statute and regulations (e.g., many regulated financial institutions, large operating companies, certain tax‑exempt entities, public utilities as clarified in later rulemaking, and others). Always check the current FinCEN exemptions list for details before concluding an entity is exempt.

Information required on a BOI report (what to collect) - Reporting‑company identity information (legal name, trade name, EIN/TIN if required, address and jurisdiction of formation/registration). - For each required individual

full legal name, date of birth, current residential or business address, and an identifying document (passports, driver’s licenses, or other FinCEN‑accepted identity docs) or FinCEN‑issued identifier, per the BOI form and instructions. Company applicants may also need to be identified for entities formed or registered after the statutory effective dates—monitor FinCEN guidance for company‑applicant treatment after the IFR. - Collect and retain client consents/authorizations for third‑party filing where applicable.

Deadlines and updates - Initial filing deadlines (per IFR)

foreign reporting companies registered before March 26, 2025 → file by April 25, 2025. Foreign reporting companies registered on/after March 26, 2025 → file within 30 calendar days of notice that registration is effective. - Updated reports must be filed within 30 calendar days following any change to reportable information. - Because the IFR is interim, FinCEN may further revise deadlines; keep clients apprised and document how you determine the “notice/registration effective” date (see state‑filing guidance below).

State registration and “actual or public notice” — what CPAs should do - The statute/regulations use the trigger “actual or public notice” of effective formation/registration to start filing timers. That can be a filing receipt, a secretary‑of‑state confirmation email, or the date the registration is listed in the state’s public database, depending on the state. - Practical steps for firms

confirm the effective date by (a) retrieving the filing confirmation/receipt from the client or state portal; (b) checking the state’s business entity database and saving an evidence screenshot/PDF; (c) if unclear, obtain written confirmation from the client or the state’s filing office. Document the source and timestamped evidence in the client file. - Recommendation: build a short state‑check SOP (secretary‑of‑state lookup, capture of filing receipt ID, and stored screenshot). Different states vary on whether filings are effective on submission, on acceptance, or on a later public posting — verify the specific secretary‑of‑state rules when precision is required.

Practical workflow for CPA firms (step‑by‑step) - Phase 0 — internal readiness

train staff; update engagement letter templates; ensure professional liability insurer and firm counsel are comfortable with scope; choose and test filing or practice‑management software that records client approval. - Phase 1 — client outreach: send a BOI alert to all small‑business clients explaining the change, impact (if any), and next steps. Keep a distribution list and delivery evidence. - Phase 2 — intake & KYC: use a standardized intake form to collect entity formation details, copies of formation/registration filings, ownership charts, and ID docs for listed individuals. Require client certification of completeness and truthfulness. - Phase 3 — analysis & exemption review: determine whether any statutory exemption applies (document the facts relied on). If a legal question outside accounting practice arises (e.g., interpretive legal questions about exemptions or control), refer to counsel and document the referral. - Phase 4 — prepare report and client review: prepare the BOI report, provide the client with a copy for review, and require written acceptance (email/text through secure client portal) before filing. Record who certified the filing on the company’s behalf. - Phase 5 — file and maintain copies: file using the FinCEN BOI E‑Filing System or approved vendor, save the filing receipt, and store the completed report in the client file. - Phase 6 — monitoring & reminders: set calendar reminders (and automated system reminders, if available) for ongoing update obligations and alerts to clients when a 30‑day change window is triggered.

Engagement letter and risk‑management language (sample clauses) - Mandatory items to include

clear scope (administrative‑only vs. advisory), statement that the firm is not providing legal advice unless a licensed attorney engagement is included, client responsibilities (to provide accurate data and maintain records), fee terms, data‑security responsibilities and retention, and limitation of liability where permitted. - Example short scope clause: “We will assist in preparing and submitting the FinCEN BOI report based solely on information you provide. We will not provide legal advice about whether the entity is a reporting company under the CTA. If legal interpretation is required, we will advise you to obtain counsel.” - Keep a separate, narrow engagement letter for BOI work; if you intend to provide substantive legal interpretation, coordinate with your firm counsel and insurers first.

Data collection checklist (what to request from clients) - Entity legal name, DBA(s), address, state (country) of formation/registration, FEIN/TIN (if applicable), filing receipt or certificate of formation/registration and filing date. - For each beneficial owner or company applicant (as applicable)

full legal name, date of birth, current residential or business address, a copy/photo of a government‑issued ID (driver’s license, passport—front/back), and email for contact/consent. - Confirmation of exemptions claimed: documentary evidence supporting exemption (e.g., tax‑exempt determination letter, evidence of being a large operating company, regulatory license confirmation) and an internal memo documenting the factual basis. - Authorized filer contact info and written authorization to file on behalf of the company.

Fees & time estimates (market guidance) - Market reports and practitioner articles indicate many CPA firms charged modest flat fees for initial BOI filings (commonly in the low hundreds — e.g., $350–$450) and considered annual or subscription fees for ongoing monitoring, reminders, and storage. Expect an initial manual intake and analysis to take 1–3 hours per simple entity; software automation can reduce the time dramatically. - Consider offering tiered packages

(A) basic administrative filing (data collection + filing), (B) exemption analysis + filing, (C) subscription monitoring + annual review.

Professional‑practice risks and mitigation - Unauthorized practice of law (UPL)

giving interpretive legal advice about the CTA may, depending on state law, cross into the practice of law. Mitigations: limit scope to administrative assistance or factual data‑gathering, include explicit engagement‑letter disclaimers, refer to counsel for legal interpretation, keep written documentation of referrals, and consult your malpractice carrier before offering legal‑style opinions. - Liability for false filings: persons who willfully submit false BOI can face civil/criminal penalties. Require client certification, obtain signoff, and retain copies of supporting evidence. Consider professional‑liability carrier notification if offering the service. - Privacy and misuse risk: BOI is sensitive personal data—treat it like other high‑sensitivity client data and apply strong security controls.

Data protection & recordkeeping best practices - Regulatory context

FinCEN’s Access and Safeguards Rule sets strict controls for authorized users; although FinCEN stores BOI in a protected federal database, firms that collect and hold copies of BOI must secure them. - Minimum controls to implement: encrypted storage (at rest and in transit), role‑based access controls, multi‑factor authentication for portals, secure client portal for uploads, restricted retention periods, documented destruction policy, and staff training on handling sensitive identity documents. - Follow NIST‑based controls as best practices (access control, logging, encryption, incident response). Maintain an audit trail for who accessed or modified BOI documents.

Sample client communications (brief templates) - Client alert subject line

“Action needed: Beneficial Ownership (BOI) reporting — potential filing requirement.” - Short body: explain what BOI is, whether the client likely is affected (based on formation/registration), what documents you need, and that the firm will hold documents securely. Ask the client to provide required documents within X days and sign the engagement letter.

Special topics & watch‑list - Company applicants

the IFR left interpretive questions about company applicants; some practitioner guidance flags that company applicants may still need to be disclosed depending on the facts and rule text. Monitor FinCEN clarifications. - FinCEN identifiers: FinCEN has signaled future options to allow deactivation or use of FinCEN identifiers to minimize repeated disclosure of personal data — watch for implementation guidance. - Litigation & rule changes: post‑IFR litigation, administrative finalization, or further Treasury action could change scope — maintain an internal “BOI rule change” watch and update client alerts promptly.

Quick action checklist for your firm (one‑page) - Confirm insurer and counsel comfort with BOI services. - Create or adopt a BOI engagement letter template and client intake form. - Train one staff member as the BOI coordinator. - Build a state‑filing SOP for establishing “effective” dates (save all evidence). - Implement secure client upload and encrypted storage for identity documents. - Set up reminders and a simple CRM workflow for filings and 30‑day updates. - Price packages and add subscription options for ongoing monitoring. Conclusion — Opportunity with caution BOI services are a clear opportunity for CPA firms to help business clients navigate new compliance obligations while adding a recurring client service. The IFR significantly narrowed in‑scope entities (for now), reducing the immediate universe of required filers, but CPA firms still face practice‑management and legal risks when providing these services. Use narrowly scoped engagement letters, strong documentation and modern security practices, and involve legal counsel when questions cross legal interpretation lines. Authoritative sources and additional reading (selected)