On the second anniversary of the Panama Papers (the Papers), new information published by the International Consortium of Investigative Journalists (ICIJ) makes for interesting – and even entertaining – reading.
Stunning details are splashed out about how the scandal erupted and the involved individuals and firms’ reaction to the corporate nightmare.
Importantly, it makes good reading for eagle-eyed compliance staff and financial crime professionals because some lessons can be gleaned from the chaos.
More details emerge
First, let’s get a refresher on what happened.
The Panama Papers were first published in April 2016. In June 2018, the ICIJ revealed more data.
This latest information is understood to comprise 1.7 million documents covering the period from April 2016 to December 2017 of the internal documentation of Mossack Fonseca, a Panama law firm, which specialised in the creation and operation of legal structures based in tax secrecy jurisdictions.
The data reveals that, in the weeks before the original disclosures in April 2016, staff in the firm realised there had been a significant breach of client confidentiality.
Following the disclosure across the world, Mossack Fonseca, their clients and the advisers used by their clients, sought to deal with the consequences.
On 9 March 2016, Mossack Fonseca staff realised there had been a significant data breach of their client files. The breach covered 11.5 million documents, including emails, bank statements and correspondence.
On 3 April 2016, the ICIJ together with partner media organisations across the world, including the BBC and the Guardian newspaper, simultaneously published stories and articles linking prominent and well known people to offshore structures established by Mossack Fonseca.
“The client has disappeared!”
With global condemnation ringing in their ears, Mossack Fonseca sought to protect their clients, their reputation and their firm.
They soon realised by the end of May that year that they were unable to identify the beneficial owner of 70% of the 28,500 companies they operated in the British Virgin Islands (BVI) and 70% of the companies they operated in Panama.
It appears that Mossack Fonseca used an exemption in the BVI laws that permitted company formation agents, such as themselves, to rely on an introducing bank or intermediary to perform the Know Your Customer (KYC) checks where the underlying documentation was available on request.
“THE CLIENT HAS DISAPPEARED! I CAN’T FIND HIM ANYMORE!!!” responded one Swiss intermediary who had used the firm to establish 80 companies when Mossack Fonseca sought the KYC details of one client.
A US lawyer wrote “This is ridiculous! WE CAN’T GO BACK a day after asking for papers to ask for something else. WE LOOK LIKE … AMATEURS. A Mickey Mouse operation.”
These examples clearly show that the statement issued by the firm in March 2016 gave a misleading impression – it had claimed it conducted “thorough due diligence on all and new prospective clients that often exceeds the stringency of the existing rules and standards to which we and others are bound.”
Later, a lawyer representing Mossack Fonseca stated that the firm viewed its clients to be the banks, lawyers and accountants who asked the firm to establish offshore structures and not the intermediaries’ own underlying clients.
The lawyer assured the ICIJ that Mossack Fonseca “always” knew what it was required to know about the owners of the companies.
Ripples of chaos
The latest leak shows how Mossack Fonseca tried to identify beneficial owners whilst clients began to drift away.
Meanwhile, other intermediaries expressed their frustration and anger at the data breach.
An intermediary from Uruguay revealed the purpose of his client’s offshore structure – “the main purpose of this type of structure has been broken: confidentiality”.
Another commented “the names of our customers have been known to the authorities of their countries. Thanks to Mossack, customers have to pay income taxes”
The documents from April 2016 to December 2017 include passport copies, emails and evidence of the authorities conducting criminal investigations.
The day the story broke across the world, a lawyer representing Mossack Fonseca demanded the Attorney General of Panama to prevent journalists from the US, Germany, France, Denmark and Australia who pursuing the story from leaving Panama until the reporters disclosed how they received the client data.
The demand was ignored.
A Swiss advisor contacted Mossack Fonseca “This French journalist wants to publish an article in the newspaper Le Monde which is not acceptable for me!!!”
The compliance and KYC factor
So apart from being a good read, what lessons can financial crime staff learn from the latest disclosures?
Firstly, the disclosures demonstrate the importance of complying with basic KYC rules and checks, no matter where the client is located or how important they are.
In cases where clients are based in different jurisdictions, it’s important to know what the KYC regulations are and to also keep abreast of legislative or regulatory developments.
Secondly, it is vital to have ongoing monitoring, including that of politically exposed persons (PEP) accounts and transactions. If Mossack Fonseca and the related firms and individuals had taken ongoing monitoring more seriously, there would not have been statements like ‘The client has disappeared! I can’t find him anymore!!!’, when the data leak struck.
Thirdly, where a firm relies on other regulated persons, such as banks, lawyers and accountants, for identification and verification purposes, they should consider whether such a policy is prudent and whether they are, in effect, “outsourcing” a part of their KYC function.
As mentioned above, it appears that Mossack Fonseca used an exemption in the BVI laws that permitted company formation agents to rely on an intermediary to perform kyc checks where the underlying documentation was available on request.
Apparently there was a lot of panic and shock when it turned out that a Swiss intermediary did not have basic details of a client.
In addition, bearing in mind a firm cannot transfer its legal responsibility for KYC issues, it is important to request copies and kyc documentation and information from the introducing party and then conduct your own risk assessment on the underlying clients.
Fourthly, of major importance, is the question: is the firm satisfied that it can withstand a cyber attack against its IT systems that contain client data and would regulators deem its IT systems and controls to be satisfactory?
This issue of cyber security is actually a number one priority – not just for the IT and top management departments, but also for the compliance department too.
Compliance officers are not expected to be tech wizards, but it’s important they confirm that there is a sound cyber security policy in place to protect data and other sensitive information.
They should ensure that the IT security department and the firm’s senior management are continually addressing this issue.
Finally, does the firm have a crisis management team of senior managers to implement a pre-defined implementation plan that includes relevant advisors such as law firms, media consultants and computer specialists?
Don’t wait for the night before or the morning after a data leak disaster to plan how to respond to a compliance nightmare … get cracking on it today, if you haven’t already.
After all, readers will not want their firm to be the next financial services organisation to be at the centre of a media storm with all that brings, including possible regulatory and parliamentary inquiries or significant reputational damage over regulatory and compliance failures.
About the author
Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003 -10; and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016.
He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.
This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.
This article was originally published on KYC360 on 6th July 2018.