The buzz is in the air with more questions than answers.
FinCEN published its Final Anti-Money Laundering Regulations for Residential Real Estate Transfers on August 28, 2024 (“Final Rule”), throwing the entire real estate industry into a state of high anxiety. What does it all mean? How do we meet its requirements? Will the expense of compliance be a financial drain — or even put us out of business? Title agents — who most often also fill the role of settlement or closing agents and would be the first elected reporter under the Final Rule — have been asking themselves these questions. While law firms and industry associations, as well as news outlets, have discussed the black letter text requirements set out in the 120-page Final Rule, no one knows exactly how this is going to play out. Of course, our biggest fear is always the great and looming unknown.
So, what can we say and do to allay those fears? First of all, the Final Rule does not become effective until December 1, 2025. This gives the industry time to become prepared and adapt to the new requirements. Secondly, ALTA has stated in its Industry News publication of August 29, 2024, that it “will develop and provide several education and training opportunities to prepare the industry for the rule’s requirements.”
Moving forward to operationalize the Final Rule, FinCEN released the unpublished version of its draft Real Estate Report on November 12, 2024 with the formal published version to follow; thereafter the collection form is open for a 60 day comment period. Additionally, FinCEN agreed to provide FAQs as it goes through implementation. If saying “help will be on the way” doesn’t quite do it for you, then think about the things that you can do now — including strategic planning — to take control, empower, educate and prepare yourself.
What kind of strategic planning are we talking about? Here are a few ideas:
Consider setting up a workflow to help you identify reportable transactions and direct the information, documents and forms to the appropriate personnel for processing the required report; including providing a secure intake portal to accept and store documents and forms containing non-public personal information
This would include identifying any order regarding a purchase of residential real property by an entity or trust/trustee for cash (without a traditional lender that has a required AML program and who must file SARS) as the term “residential real property” is defined:
1-4 family occupancy residential units (e.g. a stand-alone, such as a single-family residence or townhouse; or even a unit within a multi-unit complex, such as a condo or shares in a coop; or even a residential unit in a mixed use building; as well as entire buildings designed for occupancy by one to four families)
Vacant land upon which the purchasing entity or trust/trustee intends to build a structure that is designed principally for occupancy by 1-4 families building such a residential real property
So, if you have an internal IT team or outsource your IT needs with a particular vendor, having a conversation with them now about how they can help you accomplish the work discussed above would not be premature.
Consider the Final Report’s required information, identifying what you already have and what you need to obtain from other sources – i.e. from the bank, from the purchaser’s representative, the seller or seller’s representative, and from the signer for the purchaser.
The Final Rule requires bank account information for the bank from which the source of funds originated. A title agent does not typically get that information on the wire confirmation or receipt that it receives from its own bank when an incoming wire or certified check is received or deposited. However, you can talk to your bank manager and inquire if the bank would be willing to provide you with that additional information on the documentation that it sends to you.
While the Final Rule only requires retention of the Purchaser’s Certification of Beneficial Ownership Information (and of any Designation Agreement that you may enter into), it is still both important and smart to retain all of the data in writing that is provided to you by others. If a question regarding your compliance should ever arise, then you would have documented evidence to show what you relied upon. This would apply to even an analysis of whether or not you have a reportable transaction under the Final Rule. For example, if the transaction is a purchase of vacant land, you may want to have the buyer’s representative state its future intent for the land in writing (because if it doesn’t intend to build a structure that is designed principally for occupancy by 1-4 families, then you don’t have a reportable transaction under the Final Rule).
Consider the cost of compliance with the Final Rule and how you can make your process be the most efficient and effective in terms of the expense — and perhaps even recoup some of the expense depending upon what your state law and regulator allow.
The biggest cost driver is going to be the administrative personnel’s time for those who will be working on collecting the data and reporting it. Here are some tips that may help:
Have two well-trained staff members whose education, experience, workload and market rate are appropriate for the time and tasks required to comply with the Final Rule. In case one staff member is unavailable to do the reporting, you will have ready coverage by having a backup person. Remember that there is a due date for compliance – which is the later of either:
(i) the final day of the month following the month in which the date of closing occurred; or
(ii) 30 calendar days after the date of closing.
In other words, if November 1st is the closing date, then December 31st would be the last day for submitting a timely report to FinCEN.
If you have very few transactions that would be subject to reporting under the Final Rule, perhaps it does not make sense for you to have your own staff members trained to take on the task. In that event, you may want to investigate your options for designating another reporter as identified in the Final Rule. In this event, you would want to do your due diligence and vetting in advance of December 1, 2025. Be aware that if you see a vendor advertising to provide this service, unless it is identified as an optional designated reporter within the Final Rule, it cannot relieve you of your reporting responsibilities.
This can’t be stressed enough: collect the data from the respective parties or people before the closing date. Our experience with FinCEN’s Geographic Targeting Orders has shown that if you wait until after closing, then you will be wasting a lot of time (and money) chasing after the needed information.
If you have repeat entity or trust customers who typically purchase residential real estate for cash, educate them in advance of the effective date of the Final Rule regarding what to expect. This may help your customers to have their information ready for data collection while at the same time building their trusted relationship with you. The Final Rule does not require confidentiality as to its contents.
Since the Final Rule does not discuss recoupment of cost, there is no federal prohibition against it. Your state laws and regulators will be the ones who ultimately determine what kind of recoupment, if any, is allowed for the expense you will incur to comply with the Final Rule. Start having conversations with your state land title association early, as they are your advocates and may be able to provide you with guidance from your state regulators.
Stay abreast of developments (e.g. any amendments to the Final Rule or FinCEN FAQs) by subscribing to FinCEN News Updates (sent to you via email or text messages). Also, keep an eye out for ALTA’s publications and resources as they become available.
When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.
While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.
Understanding State Reporting Responsibilities
There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois.
Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.
State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:
Notification to affected state residents without unreasonable delay.
Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.
The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.
Consumer Reporting Agency Notification
For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:
Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:
Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
Notification to affected state residents without unreasonable delay.
But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred. *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)
MARYLAND NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION
Contact Information Pursuant to State Data Breach Notification Laws
Md. Code Com. Law § 14-3501 et seq., Maryland Personal Information Protection Act. *(Md. Code Com. Law § 14-3504 and § 14-3506 are the notification/reporting sections).
Prior to giving the individual notification required under the law, provide notice of a breach to the attorney general:
*Attorney General notification requirements are disclosed on website at https://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx; send notice to the OAG by one of the following methods: (1) By Mail: Office of Attorney General, Attn: Security Breach Notification, 200 St. Paul Place, Baltimore, MD 2101; (2) By Fax: Attn: Security Breach Notification, (410) 576-6566; (3) By Email: Idtheft@oag.stat.md.us.
When breach affects > 1,000 residents, notify:
*Consumer Reporting Agencies
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
Md. Ins. Code § 33-101, et. seq., Insurance Data Security Law, with MIA Bulletin 22-13. *(Md. Ins. Code § 33-105 is the notification/reporting section).
Notify: * Access Maryland Cybersecurity Event Initial Notification Form at https://marylandinsurance.jotform.com/222405158165048
When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.
While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.
Understanding State Reporting Responsibilities
There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois.
Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.
State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:
Notification to affected state residents without unreasonable delay.
Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.
The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.
Consumer Reporting Agency Notification
For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:
Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:
Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
Notification to affected state residents without unreasonable delay.
But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred. *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)
WASHINGTON D.C. NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION
Contact Information Pursuant to State Data Breach Notification Laws
D.C. Code § 28-3851 et seq. *(D.C. Code § 28-3852is the notification/reporting section).
When breach affects ≥ 50 residents, notify: *Office of the Attorney General for the District of Columbia Ph: (202) 727-3400 Fax: (202) 347-8922 Email: oag@dc.gov 400 6th Street NW Washington, D.C. 20001
When breach affects > 1,000 residents, notify: *Consumer Reporting Agencies
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
No Insurance Data Security Law
Courtesy/Optional contact information: *Philip Barlow, Associate Commissioner of Insurance, philip.barlow@dc.gov *Jocelyn Bramble, General Counsel, Jocelyn.Bramble@dc.gov 1050 First Street, NE, 801, Washington, DC 20002 Ph: (202) 727-8000 Fax: (202) 671-0650
When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.
While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.
Understanding State Reporting Responsibilities
There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois.
Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.
State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:
Notification to affected state residents without unreasonable delay.
Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.
The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.
Consumer Reporting Agency Notification
For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:
Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:
Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
Notification to affected state residents without unreasonable delay.
But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred. *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)
ARKANSAS NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION
Contact Information Pursuant to State Data Breach Notification Laws
Ark. Code § 4-110-101 et seq. *(Ark. Code § 4-110-105is the notification/reporting section).
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
No Insurance Data Security Law, but *A.C.A. 23-61-113, Disclosure of nonpublic personal information (Effective August 1, 2017), requires notice to be given to the Insurance Commissioner. Notify: *insurance.legal@arkansas.gov *Attorney Amanda Rose, amanda.rose@arkansas.gov; ph. (501)371-2838
When a data breach occurs, it’s an intense, frightening moment. Who you ‘gonna call? Ghostbusters aren’t the ones for this job, so the best way to make the specter of a breach less scary is to have an incident response plan in place; to know what your legal and regulatory requirements are; and to have the contact information that you need close at hand.
While this new series of blogs is not intended to provide legal advice, it is intended to provide you with recommendations for resources that may be useful; to increase awareness regarding notification and reporting requirements; and to provide helpful notification contact information, unique to each state. In each issue, we will present you with contact information regarding a different state in which Alliant National is licensed, and in which you may be its appointed agent. It is up to you to make sure that you know when to use these contacts – either because you are legally required to do so, or because you have optionally decided to provide notification. Lastly, for our legal disclaimers, we’ve made our best efforts to acquire the correct and current contact information, but we can make no guarantees as to its accuracy or that the information will not change over time.
Understanding State Reporting Responsibilities
There are two kinds of laws that impact your reporting responsibilities: (1) state data breach notification laws that generally apply to all entities who “own” data, and (2) insurance data security laws that apply to those who are regulated for doing the business of insurance. A great summary of the state data breach notification laws is published quarterly by the law firm of Foley & Lardner. Another useful resource for tracking both the state data breach notification laws and the insurance data security laws is a tool published by the law firm of Lewis & Brisbois.
Now that we’ve discussed both the general and insurance data breach notification laws, please be aware that sometimes notification requirements derive from other sources, including statutes which are not labeled as Insurance Data Security Laws (or which don’t even fall under the category of such laws), and bulletins issued by insurance regulators.
State data breach notification laws vary from state to state and may have some exemptions which apply to you, but often include the following common components:
Notification to affected state residents without unreasonable delay.
Notification to certain agencies, including state attorneys general and/or consumer reporting agencies under certain circumstances.
The variances are quite considerable and include (but are not limited to) how (e.g. by what method) to give notice, permitted delays when a law enforcement agency investigation is pending, timing of the notice, what particular information is required to be provided, and record retention.
Consumer Reporting Agency Notification
For your convenience, when these laws do require notification to Consumer Reporting Agencies, the following information may be helpful to you:
Insurance Data Security Laws also vary from state to state and may have some exemptions that apply to you (typically based upon the size of the licensee, its year-end total assets, and its gross annual revenue), so, again, be sure to check your state’s specific requirements. However, these laws generally include the following common notification components:
Notification to the insurance commissioner of the cybersecurity event (usually within three days in most states).
Notification to affected state residents without unreasonable delay.
But if you’ve had a breach and determined that notice is not required (according to the state law or other authority), then typically that determination is required to be documented in writing and retained for at least five (5) years.
Notification (usually within 10 days) to a covered third-party (such as your *title insurance underwriter) when you have determined or believe that a breach occurred. *(for Alliant National Title, you can contact Elyce Schweitzer, Regulatory Compliance Officer, at eschweitzer@alliantnational.com)
WISCONSIN NOTIFICATION REQUIREMENTS AND CONTACT INFORMATION
Contact Information Pursuant to State Data Breach Notification Laws
Wis. Stat. § 134.98. Notice of unauthorized acquisition of personal information. *(Wis. Stat. § 134.98 is the notification/reporting section). When breach affects > 1,000 residents, notify: *Consumer Reporting Agencies
Contact Information Pursuant to Insurance Data Security Laws (or Pursuant to Other Authority Requiring Notice to Regulator):
Wis. Stat. § 601.95, et seq., Insurance Data Security Act. *(Wis. Stat. § 601.954 is the notification/reporting section).
This blog contains general information only, not intended to be relied upon as, nor a substitute for, specific professional advice. We accept no responsibility for loss occasioned to any purpose acting on or refraining from action as a result of any material on this blog.
Let's Connect
Discover more stories and conversations on our social media networks, or drop us a line on our contact page.
The Independent Underwriter for the Independent AgentSM