The impact of the Panama Papers
Forensic Foresight: July 2016
Since the initial leak in April this year, the Panama Papers have continued to be a global hot topic in the financial crime space. We have brought together our global leaders to bring you a briefing paper outlining the key reputational and regulatory risks for financial institutions, response options and highlighted some challenges you may face in implementation.
The Panama Papers are reported to be a leaked set of 11.5 million internal records detailing information about more than 214,000 offshore entities allegedly established with assistance from Panama-based law firm Mossack Fonseca (MF). It is not yet known exactly how these papers were acquired. All or part of the records were made available to Süddeutsche Zeitung in early 2015 and, since 3 April 2016, information allegedly based on the documents is being publicly disclosed in piecemeal fashion by the U.S. based International Consortium of Investigative Journalists (ICIJ). On 9 May 2016, ICIJ released a searchable database of the above-mentioned offshore entities. The documents allegedly cover a period starting back in the 1970s and reportedly comprise 2.6 terabytes of data.
Panama papers by numbers
ICIJ searchable database
So far, the documents themselves have not been released. Only journalists’ reports have been issued. The ICIJ release of 9 May 2016 purports to contain data relating to more than 214,000 offshore entities incorporated by MF, and to the persons associated with them (as beneficiaries, shareholders or directors). It is expected that further information will be released in due course.
According to ICIJ, the main locations used to incorporate these offshore entities were:
- The BVI (British Virgin Islands)
- The Bahamas
- The Cayman Islands
- New Zealand.
Risks for Banks, Financial Institutions and other intermediaries
There are generally two categories of companies that are at risk:
- Those that have been named in reports related to the Panama Papers, and
- Those not yet named but that may be exposed due to offshore business or their use of registered agents (not only MF) in offshore locations, either for their own purposes or on behalf of their clients.
Banks, financial institutions and other intermediaries run the risk of becoming associated with the matter and may find themselves on the receiving end of allegations of having provided assistance to launder the proceeds of illicit activity, or of having taken part in tax evasion, thus affecting their reputation. A number of banks, financial institutions and other intermediaries have been mentioned in the papers and have made the headlines already.
Across Europe, financial watchdogs and regulatory authorities are reported to have launched inquiries regarding various aspects related to the Panama Papers. These include Swiss, German, French, Luxembourg, UK, Swedish, Dutch and Austrian financial watchdogs. It has been reported that some regulators (such as FINMA in Switzerland, BaFin in Germany, CSSF in Luxembourg and the FCA in the UK) have requested banks to report on their exposure to the matter, imposing tight reporting deadlines for affected banks.
Leaked information led regulators to question banks on the following topics, among others:
- Statistical data regarding offshore structures
- Exposure to (the) Mossack Fonseca (Group)
- Proper account opening procedures and documentation, including anti-money laundering (AML) and ‘know your customer’ (KYC)
- Proper risk assessment / identification of politically exposed persons (PEPs)
- Clarification and plausibility checks on beneficial ownership of the funds and source of funds
- Application of sanctions provisions
- Assistance or active involvement in tax evasion and tax avoidance
- Adequate transactional monitoring
- Failure to report suspicious activity to local money laundering reporting officers (MLROs) and regulators
- Unauthorised cross-border banking activity.
For banks that have been under regulatory review regarding other issues (such as sanctions, AML / KYC or FATCA-related issues), there is an additional risk that the terms of deferred or non-prosecution agreements may be revisited and invite new regulatory scrutiny or that regulators may supplement the remediation requirements imposed.
An Approach for Banks, Financial Institutions and other intermediaries to explore
Banks, financial institutions and other intermediaries should be able to demonstrate to financial regulators and other relevant stakeholders (such as the board of directors) that they had in place reasonable policies and codes of conduct, but that in light of the disclosures, has undertaken to ascertain the presence of these issues and, if present, remediation, as well as a concomitant tightening of the control environment.
Assessing the impact
Use of offshore companies appears to be increasingly subject to public and government scrutiny. Offering services to such customers may imply stricter due diligence and KYC requirements and higher compliance and monitoring costs, with banks likely required by regulators to more thoroughly assess the risks of being associated with complex account ownership structures from a broader perspective. In particular, banks may want to consider enhanced procedures regarding offshore accounts, at least where no clear and plausible reason has been communicated by the customer as to the purpose of the account.
It is recommended that the following preliminary steps should be considered:
- Identification from all public sources available materials relating to the Panama Papers matter
- Conducting an analysis to determine the initial scope of potential investigation
- Consultations with legal counsel on issuance of legal preservation hold notices to all relevant jurisdictions, businesses and employees, based on the scope of the investigation and applicable laws
- Consideration of potential issues on data protection and banking secrecy that may require the attention of legal counsel.
It is recommended that banks, financial institutions and other intermediaries anticipate possible regulatory inquiries and the impact of the information releases, by pre-assessing their potential exposure by mapping the accounts held by legal entities incorporated in offshore jurisdictions such as those identified by ICIJ. Consideration should also be given to expanding analysis to other firms providing services similar to MF (including some of which have already been publicly identified). It is highly probable in our view that the Panama Papers matter may lead to more general enquiries by regulators into the use of offshore registered agents and requisite levels of KYC for high risk clients (FINMA has already indicated that it intends to enforce existing regulation stricter in this regard).
Two approaches may be alternatively applied or combined:
Top down approach
For banks that do not record information pertaining to registered agents, we would propose to allocate corporate accounts to “baskets” of categories based in particular on:
- Their risk ratings
- Countries of incorporation
- Residence/nationality of persons associated with the accounts (in particular the beneficial owner)
- Volume of transactions
- Status (open/closed).
Optical character recognition procedures may be considered on all or part of the account documentation in order to identify those ones associated with MF (or other similar firms).
Alternative approaches may consist in tracking administrators associated with MF (possibly recorded in client relationship management systems) or identifying accounts paying fees to this firm or other similar firms.
Bottom up approach
Banks, financial institutions and other intermediaries may have already identified potential accounts linked to the Panama Papers. From this initial population, networks of accounts may be identified based on:
- Flow of funds or other assets
- Group of persons (parents, business partners)
- Relationship managers’ actual knowledge.
Control framework and spot check
Banks, financial institutions and other intermediaries have policies and processes in place applied to the identification of actual beneficial owners, source of funds, risk assessment of business relationship, existence of any sanctions, documentation of the business case background and transaction monitoring. However, recent events have reinforced the importance of monitoring compliance as well as reviewing regularly the banks’ control frameworks to ensure they remain fit for purposes and reflect best practice in a rapidly changing environment. A review of a sample of potentially problematic accounts may need to be performed in order to assess the effectiveness of controls and the correct application, and identify possible breaches of compliance.
Depending on the outcome of the previous steps, the following actions may be considered:
- No further actions required at this stage (to be reviewed after release of further information)
- Deep-dive review and remediation
- In case of reported weaknesses, the update of internal policies and procedures, and the redesign of control frameworks with respect to new client acceptance and identification of the source of funds
- Re-assessment of the risk categorisation of the business relationships in the scope of the investigation. Depending on the updated risk assessment, continuous monitoring of these relationships
- Monitoring the opening of accounts for legal entities, in particular where the funds are transferred from a bank that is mentioned in the Panama Papers or other similar source of information
- Reporting to MLROs and regulators (if applicable).
Banks, financial institutions and other intermediaries should consider how to deal with the following potential challenges during the process:
- Reporting pressure from the regulators and relevant stakeholders (such as the board of directors), and short timeframes
- Limited data and/or destroyed data
- Access to data and whether some of it may be stored in paper, microfiche files, etc.
- Communication (internally and externally)
- Continuous exposure to drip-fed disclosure in the media
- Data protection and privacy concerns (see above)
- Conduct assessments and reviews by regulators once facts are established.
This briefing paper addresses the Panama Papers matter from a generic point of view and is intended to be used as a guideline. The proposed approach should be specific to each bank’s, financial institution’s and other intermediaries’ business case and specific situation.
Deloitte proposes an approach that will enable the design of the best options to minimise risks and report to regulators and/or stakeholders (where needed) without major business disruption. The leak of the Panama Papers makes it prudent for banks to revisit measures taken in order to understand their exposure to this event and similar future ones, to take corrective steps if necessary, and – if applicable – report to the relevant authorities.
Deloitte’s Forensic and Risk practitioners in many countries have supported banks in specific projects around offshore and tax matters as well as regulatory AML and KYC related issues over the past four years:
- Our Swiss and UK Forensic and Risk teams have assisted various Swiss private banks in the past few years in meeting their obligations under the US Tax Programme for Swiss Banks. Our technology teams have assisted in identifying the relevant structured data and ran electronic searches of ‘indicia’ for US accounts (as defined by the US Department of Justice); provided eDiscovery services setting up and maintaining review platforms, and managed email and document reviews. The Deloitte teams were staffed from member firms across Europe
- Deloitte Forensic and Risk Advisory teams have also been performing KYC remediation and transaction reviews at various banks in countries across EMEA. These reviews happened in various contexts, such as US, French and German tax investigations, a probe for corruption launched by US Department of justice, sanctions and potential terrorist financing breaches, breaches of KYC compliance, and also in anticipation of the Panama Papers leak. Reviews have been performed by teams on-site or – in the case of UK-based banks – as a comprehensive managed service
- Deloitte has assisted banks and legal counsel in their decision-making processes and communication with authorities (such as FINMA, the FCA and the US Department of Justice), and has also assisted them in meeting their obligations under agreements with regulatory authorities (such as non-prosecution or deferred prosecution agreements)
- Further credentials can be provided from our specialist FS regulatory and forensic teams in other countries that have not been included above, for example the Middle East, Luxembourg, Germany and France.
In the course of the current Panama Papers leak, Deloitte is already heavily involved in assisting banks, financial institutions, other intermediaries or authorities in reviews and investigations of e.g. the exposure to Mossack Fonseca, the offshore business in general, framework with law firms and other enablers, KYC, procedures, risk assessment and potential involvement in tax evasion and tax avoidance topics.