Risk Management and the Corporate Transparency Act (including sample engagement letter)

Learn how to mitigate the unique risks CPA firms may encounter when delivering CTA compliance/BOI reporting services. A sample engagement letter is included.

The Corporate Transparency Act (“CTA” or “the Act”) took effect on January 1, 2024, and requires “reporting companies” to report information related to the business’ owners, officers, and controlling persons to the Financial Crimes Enforcement Network (“FinCEN”). For more background on the CTA, including which entities are considered “reporting companies” for purposes of the Act, see FinCEN’s Beneficial Ownership Information Page.
A client’s failure to comply with CTA or missing filing deadlines can result in criminal (fines and/or imprisonment) or civil (monetary) penalties. If a client incurs damages related to their noncompliance with the Act, they may blame the CPA and such claims may be significant. If a CPA decides to assist clients with their CTA reporting requirements, understanding the risks presented by the service is a key step in helping to mitigate the risk of a claim. Careful planning and consistent application of risk management techniques may help mitigate potential downsides.
The purpose of this article is to provide information on the professional liability risks to CPAs who have chosen to perform services related to the Act and suggest ways to mitigate those risks. Performing services related to CTA includes risks not typically encountered when performing other services. The CTA is new and limited interpretative guidance is currently available. This article is not intended to provide legal analysis or advice. CPAs are also encouraged to review Risk Alert: Navigating Corporate Transparency Act/Beneficial Ownership Reporting prior to deciding whether or not to perform services related to the CTA.

Determine what services the firm can and will provide

What level of service will your clients request? What services are you comfortable providing given your jurisdiction and risk tolerance?
Depending upon the answer to these questions, some firms may decide that they will only make the on-line submission based on the information provided by the client, similar to preparing Forms 1099. Other firms may assist clients in gathering the information to complete the submission or even help the client determine if an exemption applies or who is a beneficial owner. Services which involve interpretation of the Act may be more likely to be considered the practice of law rather than data input. The “practice of law” is defined by the states (not federally), and many have an express prohibition against the unauthorized practice of law (“UPL”). UPL is considered to be the practice of law by an individual who is either not licensed to practice law at all, or who is licensed to practice law but has not received permission to practice in the state where acts which equate to “practice” occur. Depending upon the state, a UPL violation may be treated as a criminal matter.
As a result, before agreeing to provide CTA-related services, we recommend consulting an attorney familiar with the CTA to provide jurisdictionally-specific advice based upon your firm’s actual practice.

Perform thorough acceptance procedures

Like any new client or new engagement for an existing client, an acceptance evaluation should be performed first.
Be selective of the clients for which the firm chooses to provide CTA services. Clients with more complex fact patterns and ownership/management structures or clients with non-equity or minority owners that exercise substantial control may present higher risk to the CPA. Consequently, a thorough client or engagement acceptance evaluation should be performed before accepting any Beneficial Ownership Interest reporting engagement, including engagements for existing clients.
Examples of clients that present increased complexity or challenge when delivering CTA may include clients with:

  • Foreign, private equity, venture capital, or court-ordered ownership;

  • Multiple classes of stock or ownership units, or complex equity option/incentive compensation arrangements;

  • Many members of management or informal management structures;

  • Where obtaining information on beneficial owners, including copies of their identification, may be challenging;

  • Who do not provide information on a timely basis or are otherwise unresponsive;

  • Who have experienced management turnover or internal ownership dissension;

  • Who have minority owners with whom you rarely or do not interact; or

  • Who are involved in equity ownership disputes, such as with transfers incident to death or divorce.

For certain clients, you may even want to consider conducting a criminal background check on management and key individuals before agreeing to provide services. Why? Section 1010.380(g) of the Act states “it shall be unlawful for any person to willfully provide, or attempt to provide, false or fraudulent beneficial ownership information, including a false or fraudulent identifying photograph or document, to FinCEN in accordance with this section, or to willfully fail to report complete or updated beneficial ownership information to FinCEN in accordance with this section.” If a CPA firm assists a client who is alleged to have violated Section 1010.380(g), the firm may be viewed as having is found to have aided or abetted the client in committing a criminal act. This may result in the CPA firm, likewise, being criminally charged with violating Section 1010.380(g) of the Act or any other statute which makes aiding and abetting a crime. A criminal background check may help reveal information or prompt additional questions which may help a CPA firm better understand if the client is trying to use the firm’s services to violate the Act.
Draft a concise engagement letter
Make sure the scope of services succinctly describes the exact services to be delivered. Limit the firm’s services to the specific report to be prepared (initial, updated, or correction of an error). Why? After submitting the initial report to FinCEN, it may be years before a client experiences a triggering event requiring an update or correction, such as a change in beneficial owners or a change in the information of a beneficial owner. Alternatively, a client may experience multiple or frequent changes in their BOI. If the client misses a deadline to report a change in BOI, they may blame the CPA, even if the change occurs long after the CPA’s services related to the initial report have concluded. Additionally, changes to the Act itself, including administrative guidance subsequently issued by FinCEN or Treasury, may necessitate additional or corrective filings/compliance. If the engagement letter does not clearly limit the scope of services, the CPA might be blamed for non-compliance with the reporting requirements related to any future changes, and the associated penalties. Just as important as clearly documenting the scope of service in an engagement letter is actually delivering the services in accordance with the scope outlined in the engagement letter.
The client responsibilities section of the engagement letter should include language that the client is responsible for monitoring their BOI for triggering events and notifying the CPA, in writing, of any potential future compliance needs. If the client needs additional assistance after the initial reporting, a new engagement letter should be issued.
Other client responsibilities to include in the engagement letter are:
  • To determine that they are a reporting company and not exempt from compliance with the Act;

  • To identify their beneficial owners, including those that exercise substantial control of the business;

  • To provide timely, complete, and accurate information to the CPA;

  • To review and approve a draft BOI report prior to submission to FinCEN; and

  • To consult with and engage their own legal counsel where necessary.

A sample engagement letter is available for download in the Resources section below.
Documentation, including client representations
Professional liability claims against CPAs are generally document intensive. As a result, documentation will be key to a CPA firm’s defense if a claim should arise related to CTA services. Workpapers that support the services rendered can greatly aid in the defense of a future claim.
Document all discussions held with the client and decisions made by them, including the identification of beneficial owners for inclusion in their BOI report to be submitted to FinCEN.
There may be situations that are ambiguous on how or what to report. In those situations, explain the risk associated with the ambiguity and suggest the client consult legal counsel familiar with CTA to help them decide how to proceed. Follow-up the discussion with an email.
Consider obtaining management’s written representations regarding the completeness and accuracy of information provided by the client to the CPA firm, particularly in more complex fact patterns. This may assist the CPA if the client is later found to have willfully provided, or attempted to provide, inaccurate, false or fraudulent beneficial ownership information to FinCEN.
Keep abreast of technical developments
Stay alert to new developments and written guidance from reliable primary sources of information related to CTA compliance, such as FinCEN, the AICPA, state bar associations, and the American Bar Association. Secondary sources, such as blogs, listservs, or social media feeds, may not always be reliable, are not typically vetted for accuracy, and should not be relied upon as authoritative sources of guidance or information.
Other considerations
  • Evaluate data security protocols
The personal information to be included in a client’s BOI submission is highly sensitive and includes the name, date of birth, address, and an image of a form of identification such as a driver’s license, for each beneficial owner, some of whom you may not have previously worked with. This information is generally subject to various laws, rules and regulations that govern the protection of personal information.
In addition, the Act makes it unlawful for any person to knowingly disclose or knowingly use BOI obtained by that person from a report submitted to, or an authorized disclosure made by, FinCEN, unless such disclosure is authorized under the CTA and imposes monetary and criminal penalties for such. In other words, if BOI information is disclosed to someone without authorization, the CPA firm may be liable for monetary and criminal penalties.
As a result, CPA firms should review their data security risk management protocols and take steps to prevent the unauthorized disclosure of this information.
  • Be careful of providing “off-the-cuff” advice
Even with a narrowly defined scope of service, a client may still ask a question, possibly framed as a future hypothetical, which is outside the scope of your agreed-upon engagement. CPA firms should exercise caution in addressing any questions related to the Act or the Act’s impact on other business matters, as reliance on these answers may be alleged to contribute to a client loss.
  • Decline third party verification requests
Third parties with whom your clients transact may request that you confirm the identification of the client’s beneficial owners or certify, or otherwise attest to the client’s compliance with the Act. As with any comfort letter request, these should be declined.
An alternative
Some CPAs may not want to perform services related to CTA because they feel the services exceed their risk tolerance, don’t want to learn another set of laws, or simply don’t have time available to perform the services. However, those same CPAs may be concerned about the perception of being unresponsive to client needs. What to do?
Direct the client to FinCEN’s Small Business Resources, including the Small Entity Compliance Guide and FAQ. Depending upon the client, they may be able submit the report themselves.
Alternatively, consider referring clients to other professionals familiar with the CTA that can assist the client. If this is done, read Unintended consequences of professional referrals for risk management practices to mitigate the risk of a negligent referral.
Download Sample Engagement Letter


This information is produced and presented by CNA, which is solely responsible for its content.

This sample engagement letter contains illustrative language to include in an engagement letter. The letter should not be construed as legal advice or legal opinion on any factual situation. As legal advice must be tailored to the specific circumstance of each case, the general information provided herein is not intended as a substitute for the advice of a professional or legal counsel. This sample is not intended to be all-inclusive of the types of services performed by accountants. It should be customized for each engagement and prepared in accordance with applicable professional, legal and regulatory requirements.

The information, examples and suggestions presented in this material have been developed from sources believed to be reliable, but they should not be construed as legal or other professional advice. CNA accepts no responsibility for the accuracy or completeness of this material and recommends consultation with legal counsel and/or other professional advisors before applying this material in any particular factual situations. This material is for illustrative purposes only and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice.

Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect thereto.

"CNA" is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the "CNA" trademark in connection with insurance underwriting and claims activities. Copyright © 2024 CNA. All rights reserved.

How Helpful Was This Article?


Related Content

Related Products