Shell companies are simple creatures: they exist on paper, have no physical place of business, and allow for a litany of fraud. Often used for legal purposes, shell companies have increasingly been used to facilitate crime, hide ownership, and threaten U.S. national security. The Corporate Transparency Act (CTA) is a notable step toward illuminating obfuscated corporate ownership, but various loopholes allow creative bad actors to circumvent its requirements. While the Act will likely deter such bad actors, resourceful nation-states have the means to defeat its protections. Nevertheless, the CTA will likely resolve many of the issues involving contractors using shell companies to conceal relationships with subcontractors, circumvent origin eligibility rules, and disguise other conflicts of interest. Here, defrauding the U.S. government will be more difficult. However, foreign adversaries interested in exploiting the U.S. defense supply chain may engage in complex ownership arrangements that do not trigger reporting under the CTA. This Article prescribes several solutions to mitigate these loopholes, including (1) amending the definition of “beneficial owner” under the CTA; (2) providing additional funds to States and Indian Tribes to require reporting to FinCEN as a requirement of company registration; and (3) increasing the severity of penalties associated with the CTA.
In 2016, shell companies came to the forefront of political debate when 11.5 million documents leaked from Mossack Fonseca, a Panamanian law firm. Detailed confidential financial information and attorney-client protected material for 214,488 offshore entities leaked to the public, exposing wealthy individuals’ and public officials’ efforts to hide money in anonymous offshore accounts. While there are many legal uses of shell companies, some shell companies used by Mossack Fonseca were used for illegal purposes, including fraud, tax evasion, and evading international sanctions. People named in the documents included King Salman of Saudi Arabia, three close friends of Vladimir Putin, and many other government officials and business people worldwide. The leak amplified discussion of international cooperation in combating illicit finance and illegal use of shell companies, which gained further momentum when the U.S. Government Accountability Office (GAO) found that shell companies were being used in the U.S. defense supply chain.
In November 2019, the GAO released a public version of a sensitive report that described how companies use shells to create opaque ownership structures. As the Federal Acquisition Regulation (FAR) does not require companies competing for federal contracts to report their beneficial owners, these potential bidders can use shell companies to hide the identities of their beneficial owners. While Congress amended the FAR in 2014 to require entities to report more information in the System for Award Management (SAM), businesses still needed to only include the “immediate” and “highest” level entity ownership of an offeror. Using shell companies allows bidders to defraud the Department of Defense (DoD) by creating a false appearance of competition, bidding on contracts they would otherwise be ineligible for, artificially inflating contract prices, or engaging in other fraudulent activity. The GAO describes shell companies as those that legally exist but “conduct either no business or minimal business.” While the GAO recognizes that shell companies may be used for legitimate business purposes, such as to obtain financing before starting an operation, they can be illegitimately used to disguise companies’ beneficial owners. A beneficial owner is one or more “persons who directly or indirectly own and control, or receive substantial economic benefit from, a company.” In so doing, these beneficial owners can use shell companies to facilitate fraud and other unlawful activity. Looking only at the thirty-two cases of fraud contained in its 2019 report, the GAO found that the DoD had lost at least $875 million in fraudulent contracts awarded to otherwise ineligible bidders.
The GAO identified several problems that contribute to companies exploiting the procurement system to hide their beneficial owners. Among other issues enabling such exploitation, the GAO found that there is no central database in the United States that contains company ownership information that and most states only collect minimal ownership data. In New York, for example, the Certificate of Incorporation only requires the name of the corporation, the county it will be in, and mailing addresses for both the corporation and the filer. The GAO confirmed that, across all fifty states and the District of Columbia, “very few states collect some form of entity ownership or control information from limited liability companies or corporations.” While the FAR requires reporting of the immediate entity owner and highest level owner in SAM, it does not require reporting of the beneficial owner. According to the FAR, the immediate owner is defined as “an entity, other than the offeror, that has direct control of the offeror,” and the highest-level owner is an “entity that owns or controls an immediate owner of the offeror, or that owns or controls one or more entities that control an immediate owner of the offeror. No entity owns or exercises control of the highest level owner.” Current FAR rules also require offerors to include Commercial and Government Entity codes for all reported entities. Offerors are required to obtain a “unique entity identifier,” which typically means obtaining a D-U-N-S number from Dun & Bradstreet, “a unique nine-digit identifier for businesses.” Because the FAR’s reporting requirements are framed in terms of entities, and not individuals, the beneficial owner is not reported.
At the time of the GAO report, the GAO ultimately discovered fraud and national security risks in the process of examining other procurement errors. Likewise, the DoD was able to identify fraudulent activity from procurement errors, such as contractors delivering defective parts, or from whistleblower reports. Without identifiable red flags, detecting fraud is more challenging. In its report, the GAO analyzed thirty-two adjudicated cases that highlight several types of fraud risks to the government, ranging from overpayment to the unlawful export of classified information, as described in Part III.
On December 11, 2020, Congress passed the Corporate Transparency Act (CTA) to address the many problems posed by shell corporations, such as their use in circumventing government contracting restrictions, by foreign adversaries to access the U.S. defense supply chain, and in connection with other money laundering concerns. As written, the CTA will likely discourage most low-effort use of shell companies but will fail to mitigate well-resourced actors who have the means to subvert it. Thus, Congress should amend the CTA to close exploitable loopholes and make it prohibitively difficult for well-resourced actors to undermine the CTA’s goals. Part II of this paper discusses what shell companies are, how they are formed, and their various legitimate and illegitimate uses. Part III focuses on the 2019 GAO Report, how illicit actors have used shell companies to defraud the government, and how they can be used by foreign adversaries to disrupt the defense supply chain. Finally, Part IV focuses on the CTA, demonstrating the ways in which its language creates loopholes, how illicit actors can exploit those loopholes, and some suggestions for closing them.
At its core, a shell company is no different than any other registered company with the legal right to conduct business. Shell companies differ in that they function without active business operations or significant assets, though they can be used as a tool for legitimate purposes. However, shell companies do have some limitations under U.S. law. For example, a Securities and Exchange Commission (SEC) regulation prohibits shell companies from using Form S-8, which allows public companies to register securities that it offers as part of an employee benefit plan. The Securities Exchange Act defines a shell company as one that has (1) “[n]o or nominal operations”; and (2) “[e]ither: (i) [n]o or nominal assets; (ii) [a]ssets consisting solely of cash and cash equivalents; or (iii) [a]ssets consisting of any amount of cash and cash equivalents and nominal other assets.” Otherwise, laws on shell companies deal with their use for an illegal purpose, rather than their existence.
The many legitimate uses of shell companies include (1) maintaining anonymity, (2) staging a hostile takeover, (3) holding money temporarily, (4) going public with a reverse merger, (5) investing in foreign markets, (6) hiding dealings between two companies, (7) protecting assets from lawsuits, and (8) hiding identity for safety. However, some of these uses can enable fraud, such as when people use shell companies to hide dealings between two companies to bid on a contract where there is a conflict of interest. Still, it is not in itself illegal to set up an opaque ownership structure if doing so is not in furtherance of fraudulent activity. Shell companies may also be legitimately used to preserve business optics, such as where a company sets up a shell company through which it conducts business with another company. This arrangement allows the company to avoid negative optics that may be associated with doing business with that other company. Shell companies can also be legitimately used as holding companies for assets, where the sole purpose is to track and maintain assets.
Setting up a shell company requires little identification, virtually no time, and a nominal amount of money. Surprisingly, setting up a shell company in the United States is easier than doing so in a foreign country, also known as “offshore.” In one University of Cambridge study conducted by Professor of Politics and International Relations Jason Sharman and two other researchers, facilitators impersonated twenty-one different fictitious consultants and sent 7,400 emails to 3,700 corporate service providers in 182 countries asking for help setting up a shell company. About half of the respondents did not comply with regulations requiring identity documents, and Professor Sharman concluded that it is “three times as hard to put an untraceable shell company in an offshore tax haven than in a developed country.” He also found that the three states preferred for setting up shell companies were Nevada, Delaware, and Wyoming, where set up can be achieved in about half an hour for as little as $200. Setting up a shell company typically involves hiring a registered agent who files paperwork and sends fees to the government on the person’s or business’s behalf. To mask ownership, beneficial owners of shell companies can hire nominee directors who file the necessary paperwork under their names. To provide even more anonymity, shell companies can be owned by other shell companies, which can be in a different country, making it difficult to uncover the full chain of ownership from any one country.
By design, shell companies conceal beneficial ownership. As Transparency International notes, shell companies are used, in part, to conceal bribery payments and kickbacks. In a 2020 report titled “Exporting Corruption,” Transparency International found that countries with centralized beneficial ownership databases reduced obstacles in determining beneficial ownership. In twenty-six of the forty-seven countries surveyed for that report, law enforcement had to rely on reporting entities, such as “financial institutions, corporate service providers, lawyers, notaries, accountants and real estate agents, as the main source of beneficial ownership information.” At the time of that report, the United States had no central registry.
The Federal Bureau of Investigation (FBI) has noted that the United States’ anti-money laundering regime has significant loopholes that complicate federal oversight of shell companies formed under state law. Testifying before the Senate Banking, Housing, and Urban Affairs Committee in 2019, the Acting Deputy Assistant Director of the FBI’s Criminal Investigative Division Steven M. D’Antuono said:
Under our existing regime, corporate structures are formed pursuant to state-level registration requirements, and while states require varying levels of information on the officers, directors, and managers, none require information regarding the identity of individuals who ultimately own or control legal entities upon formation of these entities.
He continued: “Not only does the state-level regime lack beneficial ownership information, no federal-level system exists to consolidate or supplement the information that is collected under the various state regimes.” Without a central database, the shell company regime in the United States is only as strong as the state with the weakest identification laws. In 2009 alone, “more than two million shell companies were formed in the United States,” representing a serious security risk. The CTA aims to mitigate these beneficial ownership reporting deficiencies, as is discussed in Part IV.
Apart from the recently passed CTA, a patchwork of regulations seek to close the beneficial ownership information gap. For example, under Sections 13(d) and 13(g) of the Securities Exchange Act, any person who “directly or indirectly acquires or has beneficial ownership of more than 5%” of any issuer’s outstanding “Section 13(d) Securities” must report such beneficial ownership to the SEC. However, these requirements only apply to publicly traded companies. Shell companies involved in duplicitous contracting ventures are unlikely to be subject to these regulations because they are not publicly traded. After all, the purpose of using a shell company to engage in malicious contracting with the government is to avoid attention and scrutiny, not invite it.
The Treasury Department, on the other hand, has issued its own set of regulations that aim to fix what legislation has not, enforcing the customer due diligence (CDD) rule. While the CDD rule was finalized in 2016, its implementation was delayed until May 2018. As of that date, covered U.S. financial institutions are required to “identify and verify the identity of any natural person who owns 25 percent or more of or has ‘significant responsibility to control, manage, or direct’ a company when that company opens an account.” There are several problems with this regulation that leave it open to exploitation by malicious foreign actors. First, including a twenty-five percent threshold is like providing a roadmap to foreign countries on how to open an account without having to report beneficial ownership. If five or more entities equally own a shell company, they own less than twenty-five percent (each owning only twenty percent). Second, the regulation only applies to new accounts, not existing accounts. With the recently passed CTA, the Treasury Secretary must revise the CDD rule within a year to conform to the requirements of the CTA, and the Treasury must retain its rule that “financial institutions identify and verify beneficial owners of legal entity customers.”
To put the difficulty of enforcement into perspective and underscore why some states opt not to clamp down on shell companies, company registration fees in 2018 accounted for more than a quarter of Delaware’s state budget. In 2018, Delaware had roughly 1.3 million registered entities, more than its population of about 960,000. A portion of these firms are legitimate, ranging from blue-chip corporations to small limited-liability companies (LLC). In 2017 in Delaware alone, 198,000 entities were formed, and over half of them were LLCs.
While there are various ways in which shell companies could be used for illicit gain, such as money laundering, some illicit uses also have serious national security implications. This section will describe these various uses, including (1) concealing relationships with subcontractors; (2) disguising conflicts of interest with subcontractors; and (3) circumventing origin eligibility rules. Together, these various uses enable foreign adversaries to inject themselves into the DoD supply chain, allowing them to introduce malicious components that threaten national security.
First, contractors can use shell companies to conceal relationships with subcontractors, allowing them to defraud the government by passing their product through their own subsidiary and marking up the price along the way. In this way, a beneficial owner who owns several subcontractors could have one subcontractor purchase a product from a supplier, mark up the price, sell it to a second subcontractor owned by the same beneficial owner, mark up the price again, and finally sell it to the government.
In one example, a privately held Swiss company, Supreme Foodservice GmbH, and Supreme Foodservice FZE, a privately held United Arab Emirates (UAE) company, pleaded guilty to defrauding the U.S. Navy and agreed to pay $288.36 million in criminal fines in addition to $146 million in damages stemming from a related civil suit under the False Claims Act. Together, the companies defrauded the Navy of $48 million dollars by using a wholly owned subsidiary registered in the UAE called Jamal Ahli Foods Co. LLC (JAFCO) as a middleman to mark up prices for food sold to the U.S. government, then hiding its inflated prices of bottled water. The Supreme companies tried to hide the fact that JAFCO was a wholly owned subsidiary and made it look like JAFCO was instead an independent company. Emails between company executives showed that the Supreme companies sought to intentionally inflate the prices of goods sold to the government, including an intentional markup of non-alcoholic beer from 25% to 125% through JAFCO.
The Supreme companies are not unique in their use of a middleman strategy to markup prices: in 2017, John Wilkerson was sentenced to five years in prison for a similar venture. Wilkerson was a partial owner of Superior Communications Solutions, Inc. (SCSI) while serving as a DoD Account Manager for Iron Bow Technologies, LLC (Iron Bow). After a company won a contract from a request for proposal that he had helped to develop, leveraging his involvement with both SCSI and Iron Bow, he submitted a lower quote for labor on behalf of SCSI than on behalf of Iron Bow. After SCSI was picked as the subcontractor, it “subcontracted with Iron Bow to provide most of the labor SCSI was supposed to provide.” Wilkerson earned an income by marking up the prices on Iron Bow’s work while creating fictitious invoices that documented hours that SCSI employees spent on the contract.
Second, contractors can use shell companies to disguise conflicts of interest. In one case, a DoD contractor employee formed a company with his spouse, and that company then became a subcontractor to the DoD contractor. To disguise this conflict of interest, the contractor employee then wrote letters justifying awards of purchase orders to the subcontractor. The subcontractor’s formation documents did not list the employee and his spouse; instead they listed the couple’s family members. This listing constituted fraud for illicit financial gain, which would have affected the subcontractor’s eligibility for certain awards if the DoD had known this information. In another example, provided in the Encyclopedia of Ethical Failure published by the DoD, a Program Manager (PM) responsible for administering computer contracts schemed to receive kickbacks by negotiating a deal with a contractor that raised the price of computer storage by $500 per unit. Allegedly, the increase was for “additional services” needed to fix a defect in the equipment. An investigation revealed that the services were unnecessary, and the added costs were paid to a shell company owned by the PM’s wife. The same individual used a shell company to purchase generic equipment and resell it to the government as name-brand products at above-market rates. The PM was ultimately convicted for bribery and fraud, sentenced to five years in prison, and ordered to repay $3.2 million with a $2,400 fine.
Third, using shell companies that are incorporated in the United States but affiliated with foreign companies to bid on contracts circumvents many protections contracting authorities incorporate into procurements to ensure that contracts are awarded to small or domestically owned businesses. As a national security matter, exporting blueprints and other technical specifications to a foreign company is illegal unless it has received approval under the Arms Export Control Act. Logistically, to produce protected items, a contractor would need to export the items’ blueprints and other technical specifications to a production facility in a foreign country, presenting many security concerns. First, the country wherein the production facility is located may intercept the specifications; second, adversarial actors could sabotage the produced parts. In this context, the shell companies being used to evade national security requirements may either be owned by domestic suppliers, who want to cut costs by outsourcing production to a foreign facility, or may be front companies for foreign adversaries seeking to inject themselves into the U.S. defense procurement process. In a press conference, the former Undersecretary of Defense for Acquisition and Sustainment, Ellen Lord, warned that “[w]e see a lot of shell companies coming in where the beneficial owner ends up being one of our adversaries.” Foreign adversaries use shell companies to buy struggling small defense firms, recently exploiting the coronavirus pandemic, in particular, to buy into the defense industrial base. Some of these small defense firms produce critical components for the Air Force and Navy, while financial pressures makes them vulnerable to purchase by adversaries looking to gain access to their company secrets.
Sometimes, domestic contractors without capacity to perform all of a contract’s requirements may outsource certain needs to foreign companies. For example, on October 23, 2013, the owner and general manager of Allied Components LLC plead guilty to emailing sensitive military technical data to India and providing faulty aircraft parts to the DoD. In violation of the Arms Export Control Act, Robert Luba, the owner of Allied Components LLC, transmitted “information about a component of a nuclear-powered submarine to India” without first receiving approval from the State Department. In 2011, Luba began working with One Source USA LLC, which he used as a source of defense hardware and spare parts, which Allied Components would then provide to the DoD. When Luba accepted the contract award for fighter aircraft parts, he failed to mention to the DoD that One Source produced its parts at a facility in India, when the contract explicitly called for the parts to be produced in the United States. In 2012, Luba received the aircraft parts in a FedEx shipment from India at his home address in New Jersey. He then sent the parts to the DoD and accepted payment for them. However, the parts were not of the hardness required under the contract, causing the DoD to ground forty-seven fighter aircraft pending inspection, costing the government about $166,000. When Luba emailed Hannah Robert, the owner of One Source, for certification of the materials used in the contract and inspection records for the wing pins, One Source sent Luba documents that only listed a New Jersey address. There was no mention of their production in India. Luba, in turn, provided those misleading documents to the DoD.
Separately, Luba also admitted to having a contact in India associated with One Source with whom he would communicate about Allied Components’ business with the DoD. Luba sent his contact, via email, technical data regarding spare parts needed by the DoD; the contact would use this information to decide how much One Source would charge, then Luba would decide if he could bid on the DoD contract. The technical data that Luba emailed his contact, however, contained data protected by export control laws, including a technical drawing for a piece of hardware for a nuclear-powered military submarine. Hannah Robert of One Source was also indicted in connection with violating export control laws when she used a “password-protected website” of a New Jersey church to “transmit blueprints for hundreds of defense hardware items” to the contact in India, without the church’s knowledge. While this example does not strictly involve the use of a shell company, it nevertheless provides an example of how a shell company could hide the origin of goods that it sells to the government. Just as Luba used his company as an intermediary to hide the fact that he imported certain parts from India, shell companies can be used for the same purposes.
In another example, the Pentagon discovered in 2019 that network-linked surveillance cameras “installed on dozens of military bases and Navy aircraft carriers” had cybersecurity vulnerabilities. These vulnerabilities could allow hackers to seize control of the cameras and obtain data recorded on them. The Pentagon revealed that the cameras were manufactured in China. The Justice Department alleged that New York-based company Aventura Technologies intentionally violated the domestic production requirements of the contract under which it provided the cameras by lying about where the cameras were made. Aventura disguised its illegal importation of Chinese surveillance equipment by passing them off as having been made in America. According to the Justice Department, Aventura won the federal contract by their representation as a woman-owned business, then ultimately imported the products from Chinese manufacturers and passed them off as American. Moreover, at the time of the criminal complaint, Aventura did not manufacture anything in the United States, instead “importing products primarily from the [People’s Republic of China], then reselling them as American-made or manufactured in a small number of countries.” To hide their illegal profits, Aventura’s management “siphoned [their] illegal profits out of the company through a network of shell companies and intermediaries.”
Apart from posing a national security risk when United States’ suppliers outsource manufacturing to foreign countries, foreign adversaries may conversely use shell companies to inject malicious components into the defense supply chain. Officials from both the Defense Intelligence Agency (DIA) and the Defense Logistics Agency have warned that foreign adversaries are able to access sensitive systems to conduct sabotage or surveillance, and can also introduce malicious components such as “circuit-board chips and routers modified to fail,” facilitate corporate espionage, or compromise DoD information-technology systems. While SAM requires contractors to identify if they are foreign owned, this information is self-reported. In other words, foreign adversaries could set up shell companies and intentionally fail to report the companies’ foreign ownership.
In 2017, the Office of the Director of National Intelligence’s National Counterintelligence and Security Center (NCSC) released a background paper on supply chain risk. The NCSC described how U.S. adversaries have augmented traditional intelligence operations by exploiting supply chain risks, in part because of a complex network of contracts and subcontracts for various “component parts, services, and manufacturing extending across the country and around the world.” Through shell companies and multiple layers of concealed ownership, foreign adversaries can insert themselves at the weakest point, threatening to inject malware into critical systems, steal intellectual property and personally identifiable information, and exert influence over otherwise legitimate defense suppliers. Together with willing companies, hackers, organized crime, and shell companies, foreign adversaries can make it exceedingly difficult to counter breaches into the supply chain. Doing so would require cooperation with the private sector to expose these threats. In compiling its 2019 report, the GAO also spoke with DoD officials who identified opaque ownership structures as a direct threat to troops and military installations. Officials from the Joint Staff Logistics Directorate “acknowledged the risk that government funds could be provided to contractors owned by a person or entity that is actively opposing U.S. or coalition forces involved in a contingency operation in which service members are actively engaged in hostilities.” DIA officials stated that foreign or adversarial entities may try to exploit those contractors with financial difficulties to gain access to the supply chain. Unfortunately, the government may not always have visibility into foreign entities’ acquisitions of domestic contractors. That being said, the DIA does conduct its own supply-chain risk management using public and nonpublic intelligence information, though the details of this endeavor remain nonpublic.
When the government debars a contractor for violating a regulation, sometimes that company can insert itself back into the defense procurement process using shell companies, triggering a futile game of “whack-a-mole.” Robert Burton, a former top government procurement attorney, now in private practice, commented on these contractors stating, “I do know that some of these folks have become quite proficient at disguising ownership.” In 2019, the Air Force had to scrap a $420 million contract for bunker-busting bombs after a competitor complained that the contract was awarded to a foreign-owned company. It turned out that the foreign company had ties to a Russian oligarch against whom U.S. sanctions were in place. While the Pentagon has tried to identify the beneficial owner of some allegedly foreign-owned contractors, the DoD has been using a patchwork solution to a growing problem. Though contractors are supposed to self-report ownership to the government, it is often difficult to verify that information.
The current manner of reporting in SAM is inadequate and contributes to difficulties in determining the beneficial owners of contractors seeking to contract with the federal government. Federal contractors are supposed to self-report ownership to the government when they register in SAM. Unfortunately, the government may have difficulty identifying the beneficial owners of contractors, including those that are registered in SAM, because the reporting requirements only require single-level entity information. Through shell companies, contracting officers often have trouble determining connections between offerors, leading to conflicts of interest, inflated prices, and sabotage by foreign adversaries.
On December 11, 2020, Congress passed the National Defense Authorization Act for FY2021, which includes the Corporate Transparency Act (CTA). Essentially, the CTA will require corporations, LLC’s, and similar entities organized under state law to report their beneficial ownership to the U.S. Department of the Treasury to prevent bad actors from using shell companies in illicit financial activities. Ostensibly, the CTA aims to remove a shell company’s most sought-after feature: anonymity. Because the illicit use of a shell company typically requires that the beneficial owner remain unknown to the government, mandating reporting of beneficial ownership will mitigate illicit use.
As written, the legislation remains flawed, incorporating several exceptions that can be exploited to legally excuse a company from reporting its beneficial owners. For example, companies are exempt from reporting requirements if they employ “more than 20 employees on a full-time basis in the United States” and filed more than $5 million “in gross receipts or sales in the aggregate,” inclusive of subsidiaries, in the prior year. It would be possible, but unappealing, for an illicit actor to create a shell company for a fraudulent purpose and fulfill these requirements, as it would require committing a significant amount of assets to a single entity. If this entity were then to be prosecuted, those assets would likely be seized. Whether an illicit actor chooses to risk losing assets to avoid reporting requirements depends upon whether the illicit activity contemplated is profitable enough to offset potential losses.
The CTA requires all registrants who apply to “form a corporation, limited liability company, or other similar entity under the laws of a State or Indian Tribe” or anyone who “registers or files an application to register a corporation, limited liability company, or other similar entity under the laws of a foreign country to do business in the United States” to report their beneficial ownership to FinCEN. While the CTA excludes many people from the term beneficial owner, such as minors or persons acting as agents, it specifically defines a beneficial owner as one who “exercises substantial control over the entity” or as one who “owns or controls not less than 25 percent of the ownership interests of the entity.” In other words, if four entities each own twenty-five percent of a company, they must be reported to FinCEN concurrently with the company’s registration in its respective state. But with five such individuals, each owning only twenty percent, none of them meets the legal definition of beneficial owner unless they also exercise substantial control over the entity. Still, if a beneficial owner owns or controls, directly or indirectly, any combination of entities that together equal twenty-five percent or more ownership of the reporting company, then that beneficial owner must be reported under the CTA. That being said, this requirement puts an onus on the reporting company to not only know what those higher level entities are, but that they are, in fact, owned or controlled by the same individual or individuals. In other words, while the CTA creates a legal obligation for a company to report any beneficial owner that owns or controls at least twenty-five percent of that company, complex ownership arrangements can obscure relationships between entities, leaving the reporting company unsure of who its beneficial owners are, or whether they own or control at least twenty-five percent of the reporting company. For purposes of this article, in the following hypotheticals, the author assumes that the reporting company has no way of discerning whether entities above the first level are controlled or owned by the same individual(s).
While ownership percentage can be determined using a bright-line test, the definition of substantial control is vague. The CTA requires the Secretary of the Treasury to promulgate regulations to enforce the Act, which as of this writing remain unwritten. While these regulations may explain the definition of substantial, enforcement of this vague term can be deduced from existing case law. In an unrelated case in the Eighth Circuit, the court defined substantial control in the context of the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA), also known as Superfund. The court concluded that determining “substantial control” requires a fact-specific analysis with consideration of the “totality of the circumstances.” While United States v. Vertac Chemical Corp. addressed whether the U.S. government can be held liable as an operator under CERCLA, the case turned on whether the government exercised “actual or substantial control” over the operations at a facility. The Eighth Circuit looked to the Third Circuit for a test, which had a similar case before it in FMC Corp. v. U.S. Department of Commerce, providing that, “at a minimum, substantial control requires ‘active involvement in the activities’ of the other corporation.” The Third Circuit then looked to its test in a prior case where it explained that the fact-extensive inquiry to determine whether sufficient control should focus on “the extent of the corporation’s involvement in the other corporation’s day-to-day operations and its policy-making decisions.” While these cases deal with an unrelated law in a different set of circumstances, it is conceivable that a similar standard would be applied to identify “substantial control” in the beneficial ownership context given the similar nature of the inquiry. As the author will explain, it is possible to hide which entity exercises control where two entities have a relationship. While the CTA does state that a reporting company must report a beneficial owner if they exercise substantial control “directly, or indirectly, through any contract, arrangement, understanding, relationship, or otherwise,” enforcing this provision requires the reporting company to be honest in its reporting.
Congress drafted the CTA to prevent foreign-owned shell companies from contracting with the DoD, as well as preventing money laundering and other fraud by ensuring that beneficial owners do not inflate the cost by passing their products through subsidiaries. That being said, the CTA fails in at least three scenarios. The first is when the true beneficial owner embeds individuals in the reporting company who unofficially act at the direction of the beneficial owner while making it seem as if the reporting company is operating independently. The second scenario is when the real beneficial owner hires an individual, or several, to act as beneficial owners on paper. The third scenario is when a foreign government uses domestic intermediaries with no official ties to the foreign government obtain ownership of an entity that then contracts with the government.
Figure 1 [see PDF download]
In the first scenario, a beneficial owner can hide their identity from the government by (1) controlling entities that each own less than twenty-five percent of the reporting company and (2) embedding individuals in the reporting company who unofficially act at the beneficial owner’s behest. As seen in Figure 1, in such a scenario, there could be three layers of entities above the reporting company, with the top-level entities owned by the beneficial owner. Under the FAR, the reporting company must already report the top-level entities as the “highest level” owners but does not have to report the beneficial owner. For the purposes of government contracting, the intermediate level entities are irrelevant as the contractor must always report the highest level. In such an arrangement between the beneficial owner and its entities, the CTA can be circumvented and leave the government with the limited information already required under the status quo.
Under the CTA, the first level entities need only be reported if they either own twenty-five percent or more of the reporting company or exercise substantial control over the reporting company. In this scenario, neither criterion requiring reporting will be met. Nothing in the CTA prevents the beneficial owner from embedding individuals in the reporting company who unofficially act at the beneficial owner’s behest, while otherwise making it seem as if they are operating independently. The key is for none of the entities to overtly exercise any level of control that could be construed as meeting the “substantial control” prong of the CTA. However, this scheme works only when the individuals embedded in the reporting company are not explicitly working for the beneficial owner in any official capacity. Making this arrangement work requires unofficial backroom communications, no direct flow of capital between the beneficial owner and the embedded individual(s), and no direct lines of communication, such as emails, between parties involved. One example could be an entity owned by one or more members of an organized criminal group, with embedded individuals consisting of low-level members who keep their affiliation with the criminal group a secret. Thus, as no entity “substantially controls” the reporting company, the reporting company would not be legally obligated to report affiliated criminal entities, especially not their owners.
One drawback to this scheme is that it assumes that the reporting company will not report its entity owners. While not required under the CTA in this scenario, volunteering this information is always a risk. If someone were to direct the reporting company not to report, that itself could meet the prong of “substantial control,” requiring the very report that they were ordered not to produce. The second drawback is difficulty embedding individuals in the reporting company, as neither the beneficial owner, nor any of its owned entities, can directly hire co-conspirators into the reporting company, as doing so could constitute substantial control. While existing case law has found substantial control to require “active involvement in the activities” of another corporation, whether a hiring directive meets this test adds risk to possible exposure. Thus, ensuring that individuals successfully embed in the reporting company could require sheer luck in the hiring process, bribery of the hiring official, or some other active arrangement. On the whole, subverting the CTA in this scenario is difficult, and the CTA mitigates such schemes unless the beneficial owner has substantial resources at its disposal, such as those of a foreign government.
Figure 2 [see PDF download]
In the second scenario, beneficial owners can evade reporting by using hired fake owners as a red herring. In the illustrative example outlined above, a U.S.–based beneficial owner organizes five entities that each own twenty percent of the reporting company, but the beneficial owner legally only owns four of them. The fifth is a paid individual who is the beneficial owner on paper, and otherwise has no relationship with the real beneficial owner. In this scenario, this paid individual is much like the nominee director used to set up a shell corporation, exercising no operational control at all. Now, let us assume that the terms of this arrangement involve this “Fake Owner” controlling the entity that owns twenty percent of the reporting company and using this partial ownership to issue directives to the reporting company. The other four entities do not participate actively in the operations of the reporting company, except by passively signing off on whatever directives the “Fake Owner” issues. This scenario functions by creating a red herring for the government. Under the CTA, Entity 1 would be reported to FinCEN, along with the paid fake beneficial owner, who ideally is an individual with no red flags, criminal history, or suspicious affiliations. As far as the government is concerned, they are legitimately exercising control under the terms of their ownership. Unless the reporting company volunteers the information of the other four entities, the real beneficial owner is in the clear.
As in the previous scenario, the success of such an arrangement turns on how the standard of “substantial control” is defined. Here, only Entity 1 exercises substantial control at the behest of its fake beneficial owner, who is covertly operating at the behest of the real beneficial owner. Whether the reporting company accepts the passive signoff of the other four entities as “substantial control” will determine whether they are reported. Under existing case law, as discussed in the previous example, because these entities do not actively participate in the operations of the reporting company, they do not satisfy the prong of substantial control. While the CTA does state that a reporting company must report a beneficial owner if they exercise substantial control “directly, or indirectly, through any contract, arrangement, understanding, relationship, or otherwise,” enforcing this provision requires the reporting company to be honest in its reporting. It also requires the reporting company to have actual knowledge of who the real beneficial owner is and to believe that there is an arrangement between the real and fake owners that meet this requirement. As the CTA operates by requiring self-reporting, the government’s ability to learn about the real beneficial owner is left partially to luck.
Figure 3 [see PDF download]
In the third scenario, foreign governments can continuously inject themselves into the U.S. defense supply chain using U.S. intermediaries, also known as spies. In the illustrative example above, U.S. intermediaries set up five shell companies that each own twenty percent of the reporting company. Let us assume for this hypothetical that the entities that own the reporting company are otherwise unrelated to each other and that each is set up by and owned by unique individuals. None of these individuals has any personal, financial, or other relation to each other except that the intermediaries are agents of a foreign power. At the instruction of the foreign power, they set up five entities that equally own a legitimate U.S. business in the defense supply chain. Only the individual who owns Entity 1 communicates with the foreign government, while only the individual who owns Entity 4 exercises control over the reporting company. Under the CTA, only Entity 4 must be reported by the reporting company for meeting the “substantial control” prong. If, for any reason, there were a red flag to suggest that schematics or other controlled information were being exported to a foreign company, the only entity on record with beneficial owner information would be Entity 4, while all foreign communications would be conducted through the individual owning Entity 1. Let us assume now that the five entities collect no financial benefit from the reporting company and own it only to export controlled information and disrupt the defense supply chain. FinCEN would have no means of tracing the money, as there is no cashflow, and any legal documentation of beneficial ownership would have to be uncovered by law enforcement using existing tools. In other words, the CTA provides no benefit or any additional toolset to mitigate foreign control and disruption. Naturally, the foreign government would not own the entities set up by their agents, and there would be no filing at the state or federal level to suggest such a connection. If a foreign government wanted to infiltrate the supply chain, the CTA creates a bureaucratic hurdle that an illicit actor with the resources of a foreign government could overcome.
Because the FAR requires a contractor to report only its highest-level owner in SAM, obfuscation of the immediate-level owner through many layers of ownership is technically irrelevant so long as the registrant reports the highest-level owner. The CTA aims to fix this problem by requiring federal contractors and subcontractors to report the same beneficial ownership information required under the CTA to the federal government “as part of any bid or proposal for a contract with a value threshold in excess of the simplified acquisition threshold.” Unfortunately, the same schemes that could obscure ownership information or circumvent reporting requirements would apply equally to the information reported in a bid or proposal. As the CTA does not include different criteria for contractors, the only benefit that it would create is that the procuring agency would, ideally, receive the same information as FinCEN. That being said, complex ownership structures that do not trigger mandatory beneficial ownership reporting under the CTA leave the government with the status quo.
Because the CTA hinges on self-reporting, an illicit actor can use the same techniques to conceal the beneficial owner that they can use to create shell companies. For example, individuals who want to conceal their ownership of a shell company can hire nominee directors to file registration paperwork with the state in their name. In the same manner, nothing prevents individuals from hiring fake beneficial owners with no recorded relationship with the masked owner, as illustrated in Figure 3. In other words, if reporting is triggered under the CTA, the reporting company will report the name of the hired beneficial owner, who, like the nominee director, exercises no operational control over the reporting company. To again use a criminal organization metaphor, fake beneficial owners would likely be low-level organization members promised with a pay-off if they are ever caught. With a foreign government, nothing prevents U.S.-based agents of a foreign power from being beneficial owners while taking orders from their home state. Relying on self-reported information to FinCEN presents the government with the same problems that self-reporting has in SAM: there is no easy way to verify the truth of the information reported.
The CTA is an act that provides few disincentives for lying, as the penalties associated with knowingly submitting false information to the government in this context are relatively weak. Under the CTA, any person who violates the reporting requirements “shall be liable to the United States for a civil penalty of not more than $500 for each day that the violation continues or has not been remedied” and “may be fined not more than $10,000, imprisoned for not more than 2 years, or both.” In other words, the advantages associated with subverting the U.S. defense supply chain or laundering money to beneficial owners from government contracts to which they were not entitled will likely significantly outweigh the potential penalties. At worst, this requires a two-year prison sentence, providing no real incentive to comply with the reporting requirements. For example, 26 U.S.C. § 7201 criminalizes tax evasion and imposes a maximum prison sentence of five years, yet bad actors continue to find creative ways to hide their money from the government.
The CTA will likely dissuade some individuals from trying to defraud the government by creating shell companies to circumvent eligibility requirements. However, it poses no threat to illicit actors with adequate resources at their disposal, such as state actors, who want to create complex and opaque ownership networks to circumvent the requirements of the CTA. While the CTA does create additional risks and bureaucratic hurdles, the relatively minimal penalties associated with lying mean that bad actors may be willing to take the additionally imposed risks. Legitimate and honest business owners will likely comply with the CTA and report beneficial ownership information, while illicit actors will seek to subvert its requirements to prevent such reporting. In other words, FinCEN will have abundant information about people who do not participate in illicit activity, while having no or false information from the people who do.
Enforcement of the CTA is undercut by its own provisions, particularly those establishing lax penalties, passive information gathering, and reliance on the honesty and good faith of those reporting information. To address these concerns, Congress should:
1. Amend the definition of Beneficial Owner in § 5336(a)(3)(A) to say that the term:
a. “Means, with respect to an entity, an individual who, directly or indirectly, through any contract, arrangement, understanding, relationship, or otherwise, owns, controls, or benefits from any ownership interests in the entity.”
2. Amend § 5336(e)(2) to allow for additional funds to States and Indian Tribes that not only notify filers of their reporting requirements to FinCEN but additionally amend their procedures to require reporting to FinCEN as a condition of company registration.
3. Amend § 5336(h) to increase the severity of the penalties associated with violating the CTA.
The first solution above would mitigate the creation of five or more entities by a beneficial owner to artificially ensure that they are not subject to the twenty-five percent ownership minimum for ownership reporting. By creating a bright line threshold for when reporting is triggered, the CTA is counterintuitive in that it provides a blueprint to its own subversion. By requiring that reporting companies report entities that own any ownership interest in the reporting, whether it is ten percent or half a percent, beneficial owners would be subject to reporting regardless of their ownership stake. While the reporting requirement, as written, ostensibly means that the beneficial owner must own or control at least twenty-five percent when all their interests are combined, complex arrangements can prevent the reporting company from knowing which entities must be added together to reach that twenty-five percent minimum. Thus, amending this section to require reporting regardless of the ownership percentage would mean that the reporting entity would be free from doing the math and investigating ownership relations on its own, and instead paving the way for the government to connect the dots.
This solution would mitigate the creation of complex arrangements whereby entities own less than twenty percent each of the reporting company. While bad actors could create a multitude of entities that do not meet the twenty-five percent ownership threshold at varying levels, requiring reporting of entities with any ownership stake helps to mitigate this risk. This solution would also help mitigate the loophole that Congress sought to fix by requiring contractors to report their beneficial ownership in their bid proposals, as the same tests apply. In other words, the same complex arrangements that bad actors use to deceive FinCEN could also be used to deceive the government when bidding on a contract, making the reporting requirement self-defeating. By removing the twenty-five percent ownership minimum, it would make it more difficult, but not impossible, for bad actors to conceal beneficial ownership.
The second solution rests on cooperation from States and Indian Tribes, with new funds being conditioned on the States and Tribes requiring registrants to report beneficial ownership to FinCEN as part of their registration process. This solution could entice States and Indian Tribes to collect beneficial ownership information on their own, in turn receiving more funds from the federal government by reporting that information themselves. This new provision would be in addition to, and not instead of, conditioning funds on States and Indian Tribes informing filers of their reporting requirements. As the federal government cannot compel States and Indian Tribes to enforce federal regulations, the States and Tribes would be free to reject. However, provided that the financial incentive outweighs the additional bureaucratic requirements, FinCEN would have another avenue as a backstop to obtain beneficial ownership information.
The third solution listed above is to increase the penalties associated with the CTA, both civil and criminal. The CTA, in its current form, does not provide a sufficient disincentive for submitting false information as penalties are capped at $10,000, up to two years imprisonment, or both. The penalties should instead be capped at no less than $1 million and up to ten years imprisonment, or both, allowing a court to determine the appropriate sentence based on the facts before it. While there may be other applicable laws in cases involving terrorism, organized crime, and espionage, the CTA alone should provide a sufficient disincentive to report false information. The severity of the falsification, together with the degree of the overall offense, should be factors for a court in assessing a fair penalty.
The CTA is a step forward in mitigating the damage that shell companies cause; however, it depends upon honest reporting to achieve its ends. That being said, more information is better than no information, and, while the information gap will not be closed by the CTA, FinCEN will likely have more information to work with than it did prior to the CTA. Unfortunately, the CTA is only as good as the most honest thief. Sufficiently determined malicious actors, both foreign and domestic, can inject themselves into the defense supply chain if they choose to. While the CTA provides additional bureaucratic burdens for well-financed and organized adversaries, its own threshold requirements for reporting mean that the United States will likely see a rise in company registrations, more complex entity ownership structures, and false beneficial owners reported where needed. Moreover, the CTA’s lax penalties mean that in the worst-case scenario, a convicted bad actor goes to prison for two years. The solutions in this Article are imperfect, and some may prove burdensome for reporting companies, but, by reducing the threshold for reporting requirements, enticing cooperation from States and Indian Tribes, and increasing the penalties associated with false reporting, the government can shed light on whom they do business with. All the same, no single approach will entirely solve the problem of hidden beneficial ownership, meaning that a whole-of-government approach is still required to keep sensitive contracts out of foreign control.
