A Brief Statement of Correction from Mark: “During this podcast I stated that under the Corporate Transparency Act, BOI reports were to be filed annually. That statement was incorrect. The correct requirement is that reporting companies have 30 days to report changes to the information in their previously filed BOI reports and must correct inaccurate information in previously filed reports within 30 days of when the reporting company becomes aware or has reason to know of the inaccuracy of information in earlier BOI reports.”
Hello, I am Mark Bassingthwaighte, the risk manager here at ALPS. And welcome to another episode of ALPS In Brief, the podcast that comes to you from the historic Florence Building in beautiful downtown Missoula, Montana.
I was just out in Missoula just a couple of weeks ago and visiting the home office, I had a wonderful time. And I will have to say now that winter's kind of moving in here and it's nice to be back in Florida. But it's always good to get back to the old stomping grounds, if you will.
It's November now, and I have been trying to think about, okay, what would I like to share with all of you this month in November? And I got thinking, well, it's November and they're also... I just felt that there are two topics that I'd like to talk about, two that I think a lot of lawyers don't know that they need to know a bit more about these two topics. And so given that it's the month of November, the theme is what two things that you don't know that you need to know... get the play here? No, I'm just having a little fun.
So anyway, let's get to it. The first, we've just had October pass, and that is Cybersecurity Awareness Month. And I'm sure some of you're probably just dog-tired of hearing about cybersecurity, and it's just one of these topics that, man. I know, I know, I really get it. But I wanted to follow up. So one of these topics is going to be sort of cybersecurity related and just explore another topic here that I just think is very, very important. And it really deals with backups in light of ransomware. And I'm sure we've heard all kinds of things about ransomware, if you follow any of these stories and education going on in October.
And for those of you that don't know, maybe I should stop very quickly. Ransomware, just as a reminder, it's these rogue programs that can be downloaded unintentionally by anybody in your office, your staff, another associate, partner, anyone, just being tricked into doing something that wasn't in their best interest. Clicking on a link they shouldn't have, downloading a document or opening a document that they were tricked into opening. And it may look legit. There's some stuff here. But it also comes with this payload of malicious software. And it will encrypt all of your data, sooner or later. It can sit at times. But it will again encrypt everything and then eventually you get this little ransom note that says, if you'd like access to your data, again, you need to pay this amount in cryptocurrency by such and such a deadline. And if you don't, you're not going to get your data back.
As an aside, I would encourage you never to pay this because even if you get the decryption key, sometimes it doesn't work. Sometimes it only decrypts part of it and you need to pay more. Sometimes you can get some of your data back and then they'll say, "Oh, by the way, we want another ransom because if you don't pay us, we still have all your data. We upload it and we're going to sell it or we're going to post it online."
It's just a heck of a mess. Well, one of the best ways to avoid having to pay ransom if you get hit with something like this is to have a good backup. And for quite some time, I've been talking about backups and I will share what I've been saying. But there's a change, if you will, in play, in terms of recommendations, in terms of what best practices are with your backup process. So I'd like to get us there to what this new change is and just to create some awareness.
So initially, what I've been talking about and many others that do these kinds of things that I do in terms of trying to educate on cybersecurity, we talk about a backup process. And this has been sort of state-of-the-art for a while now. It's three, two, one. And I kind of have this little spin on it. I call it three, two, one plus archive. Well, what does that mean? And it means three copies of your backup in two separate media, one of which should be offsite, preferentially in the cloud. Okay, three, two, one. As an example, you might be backing up to an external hard drive and then also having a set of backups on Google Drive or IDrive or whatever your cloud backup provider might be. So you got it. You got the three, two, one. Now, one quick side note, if you are doing something like external hard drives, once you're done with the backup, please make sure that you disconnect. You pull that USB cord out.
Because if you leave this always connected, the ransomware, should you ever get hit, and let's knock on wood here and hope that that never happens. But I assure you there are a number of firms that have been hit over the years and it's getting worse and worse. But the ransomware is going to scan the network. And if it sees that we have a backup drive here, it's going to encrypt the backup drive too. So it's not good. The goal is to have a good backup so that you can recover and restore data that's encrypted because IT will come in and just delete all this stuff and rebuild from the backup, and we get off to a fresh start. So that's the ultimate goal.
Now, I sort of add this archive spin, which is okay, so I may have some... let's say I have one, two, three month backups and just sort of rotate if you will, and that frequency might work. Sometimes you want it to be a little more, sometimes it's daily, weekly, whatever your process. But you have these rotations. Well, I would suggest keeping occasionally one, if you will, pull it out of the rotation and keep it as an archive.
So let's say you have month one, two, and three, but then periodically take one and just sit it out there and it'll eventually become 6, 9, 12 months old. And you can sort of rotate those a little bit too. Now, why do I like an idea like that? Well, some of these programs are designed very intentionally to sort of sit and they will infect backups and whatnot. Again, because they're trying to make sure you have nothing to rebuild from. So if you have some archives out there that are a little bit older, the thinking is, okay, if your current backups are all destroyed because again, are not available because it's encrypted and just useless, you may have something that's six months old, but at least you got everything, you can restore everything up to six months. You see, I'd rather lose six months worth of information than everything. So I sort of like that as an extra little sort of precaution.
Okay, so that's the three, two, one plus archive. The new thinking is now three, two, one, one, and I'll explain that in a minute. I still might put an archive out there, but I'm going to make what the second one is sort of these archives. So let me explain. We have three backups, two media, one should be offsite, preferentially, in the cloud. The second one is what we call an immutable backup, I-M-M-U-T-A-B-L-E. Immutable backup.
Now, what is an immutable backup? Well, it's interesting, and I'm going to have some notes here as we go through some of these things. But an immutable backup, it's basically a copy of your data that cannot be altered. It cannot be deleted or changed in any way, even by a system administrator, users, applications or systems that created the data. This is really locked down. And when you create this backup, you're going to put a clock on it, a time. And so it will remain, if you will, locked for whatever time period you set. Now, can you appreciate what's happening here? So if you can't alter the data, you can't delete the data. Ransomware programs, wiperware programs and things will be unable to affect that at all.
So it's locked. And now you have the ability to make certain you're doing as much as you possibly can, in other words, to make sure you have a good viable backup. Now, one of the things that I like about this is, again, it could even prevent an accidental deletion by somebody doing something silly or some employee that you've had a falling out with and he or she wants to do a little damage and start deleting things. It's not just ransomware, but I love this idea. So when you lock it too, we talk about it, and I just love this phrase, I guess. We talk about these backups as being WORM protected now. An immutable backup is WORM protected, and I just love that word. What does that mean? Well, it means... I got to look here for a second, I'm so excited. Write once, read many times, write... WORM. Write once, but you can read it as much as you want. The data is there, you just can't delete it, you can't change it, you can't encrypt it, you can't do anything with it as long as that lock is there.
Now, eventually you want to... I would not set these locks to go indefinitely because sooner or later, I assume you want to replace them with more current versions. And if you just keep building, so you have some cloud storage, but these backups can be fairly significant in size. And if you have these things out there year after year after year, so I would not lock them up forever. I might think about six months, nine months, because that can become your archive. And so just maybe setting it maybe every year and just hold them for a year and let them sort of, once the lock expires, that clock expires, you can delete it. But I think that is an outstanding idea. I'm a big fan of immutable backups.
Now, one thing to think about here, again, the temptation can be, well, if we take this step, we can start to relax a little more because we're always going to have a good backup. This is our guarantee, our insurance policy, if we ever get hit, we can recover. That's not necessarily the case, okay? There's no such thing as 100% guarantee.
Just as an example, you heard me talk earlier about how ransomware can sit sometimes for extended periods of time, just infecting things. So your immutable backup, if the network has the infection already, so when you back it up, you're backing up the software that's going to encrypt everything. So there's just one example of how this isn't 100% perfect. But boy, it is as close as we can get, based on me. But in terms of what the IT world can do to try to help you recover and keep you from being taken out by some ransomware, this is as good as it gets right now. So I strongly encourage you to think about immutable backups. I will share, I have not had any real time to really dig into these programs in terms of making any type of recommendation. All I can say is these are separate providers.
You can't just work with your regular whatever cloud backup program you typically have and say, I want to make this immutable. Now, that may change at some point, but right now, the companies that are doing this, as far as I'm aware, are all companies that are specifically selling or offering this service. I would encourage you, if you want to look at this, just to speak with IT, because they will know your systems and can make some recommendations about what service or product might work best for you. But I really truly believe that immutable backups really are the way to go. And I see them, and I'll just be very honest here folks, in terms of what is happening in the world today, geopolitically, things are getting crazier and crazier.
And there are things happening in cyberspace. So I think the risks that we are talking about here are going to go up, and the data is already supporting that. It's going up very, very rapidly. So I think this is why I want to talk about it right now. I think having some knowledge of, is there something else I can yet do that really may help protect me as things just get wild here for a while, that it might be worth doing? And you can't do that without knowledge. So that's number one.
The second issue that we need to talk about is the Corporate Transparency Act. I don't know how many of you're familiar with the Act or not. And boy, this is not going to be a primer on all the things that you need to know about the CTA. But let me just share a little bit because more of us as lawyers need to know about the CTA than realize, and I'll explain why here. But the Corporate Transparency Act was passed in 2021, and basically, it requires the disclosure of identifying information of people operating certain US-based business entities. And a key reporting requirement coming, in the beginning of 2024, is unfortunately going to affect many small businesses. And it's my understanding that's somewhat unintentional, but it's where we're at.
There are law firms, particularly in the solo and small firm space, that are going to be caught up in this. That's just the way it is. Now, the Act is really in response to just, a lot of things have been going on with money laundering, tax evasion, financing of terrorist organizations, et cetera. And so this act is one of the things done in response to try to cut down and get some additional information. So here's the interesting thing. Who needs to comply with this act? And it's a domestic reporting company, which is this term [inaudible 00:17:18] in the act. But basically, it's any company that is created by the filing of a document with a state Secretary of State, or similar office under the law of the state or even an Indian tribe. So it includes corporations, LLCs, LLPs, and the list goes on.
There are some deadlines here. If the reporting company existed prior, so if your firm, and obviously if you're in a firm now it's existed prior to 2024, you have until January 1st, 2025 to file your first... what do we call these, BOIs. And it's just a beneficial ownership information report. And in terms of what's required to be reported and how you report this, it's fairly straightforward. But I first off want you to hear that a lot of you that are in the solo and small firm space are not exempt from this. The act actually has, I think 23, 20... let me look here. Yeah, 23 specific types of entities that are excluded from reporting. None of them are small law firms and other types of small businesses. Now, the one thing that could get some of you out of this reporting requirement is if you happen to qualify as a large operating company.
Now, what does that mean? You need to employ more than 20 employees who are working in the United States for more than 30 hours per week. So you have to have 20 employees that are all US-based and work 38 plus hours a week. That your office or your firm is physically here in the United States, and that you report more than five million in gross income and federal income taxes each year. So if you meet those three requirements, you're considered a large corporation. A lot of law firms aren't going to meet that. But you know what your operation looks like, so there may be a possibility of not having to comply.
Again, the first thing I need you or want you to be aware of is that you yourself may be subject to this act. If you happen to be formed, and I've actually been talking with some lawyers who are in the process of forming law firms, and if they form their law firm after January 1st, '24, any business has just 30 days to do this report, and it'll be an annual report. So some awareness there.
Why do I bring it up? I bring it up, one, again, so you don't naively miss an obligation to report because there can be some significant or serious consequences for not reporting. But I also want to talk to any or all of you who are out there that may have clients. You've set up some businesses or you will be setting up businesses. You need to understand the Corporate Transparency Act, who needs to report, what needs to be reported, when does the report need to be made.
I guess if you really want to go in this direction, you certainly could... it's a new service that you could add and help all these clients that would be subject to the act to follow through on the reporting. And if you want to go there, hey, great, that's awesome. Obviously, don't dabble here, come up to speed. I'm just giving you the lightest stuff. I have not done major research onto this, and I'm still coming up to speed myself. But I've learned enough that we need to be aware.
But I could also see similar saying, no, no, no, no, no, I don't want to be responsible for this. Because think about there's an ethics opinion the ABA put out. I think it's Formal Opinion 491, came out, I believe, about two years ago. And again, it talks about that as lawyers, we cannot allow our clients to use our services in furtherance of a crime or fraud. There's some language in the rules too, RPC 1.2 has some language along those lines. The opinion made it clear that we can't even turn a blind eye here. We have to have some responsibility, we have to be asking questions.
So if you want to dig down in the CTA and then also look in terms of managing risk, I encourage you to take a look at the Formal Opinion 491, and then think about the rules. 1.1, competency. If we are going to be competent, we have to know what questions to ask to make sure that we're not helping someone launder money. 1.2 is in play. We just talked about that, we can't allow our services to be used to commit or furtherance of crime or fraud. 1.3, diligence is going to be in play. 1.4, we have an obligation to communicate. Hey, this is not okay, explain the legal ramifications of the things that you're doing, if they refuse to follow your advice and want to continue on with some type of fraud or crime, 1.16 is going to be in play, withdraw and get out. 1.13 is going to be in play in terms of just representing the entity. 8.4, misconduct is going to be in play.
So there are a lot of rules here that we need to be aware of so that we're making informed decisions. Do we want the responsibility to assist all these clients in filing this, the BOI, the business ownership information, report? Because there's all kinds of identifying information and it needs to be accurate. Then if you are lied to or something's incorrect, that can create some exposure for you. So I would want to be a little concerned about that. I'm not saying don't do it. I'm good. Hey, if you really want to come up to speed and you feel very competent in helping all your clients do this year in and year out, God bless, go for it. If not, I would want to at least make sure that clients, particularly current clients, are made aware of the act, and then I would want to document that you are not going to take on that responsibility to help them comply with the requirements under the act.
I would just not want to leave this sitting out there unaddressed because particularly, if we have some ongoing relationships with any of these clients, and that's fairly common, and they're harmed at some point by not filing this document, they're going to turn to you and say, "What the heck? You're the lawyer. This is your fault. I had no idea. I thought you're looking out for me and my best interest or our company's." You see where this can go. And a claim like that's going to have some legs, folks. It really could. So I strongly encourage you. Let's think about, be intentional about what we want to do. Do we want to advise, not advise, help with these forms, don't help with these forms? And then document that the client has been informed and that we either are or we are not. So those are the two things that are the November knows.
So I hope you found something useful from today's just ramblings of a risk guy. And as always, if you have any questions or concerns about either of these topics or anything else that I might be able to assist you with, please don't hesitate to reach out. My email address is mbass@alpsinsurance.com. And you don't need to be an ALPS insured to visit with me. There's no cost to visit with me. Again, I'm not a risk manager for ALPS. I'm hired by ALPS to be your risk manager. So that's it, folks. Bye-bye. Have a good one.
Authored by: Mark Bassingthwaighte, Risk Manager
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 600 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.