Sunday’s revelations about the leak of more than 11½ million documents from the Panamanian law firm Mossack Fonseca have significant ramifications in a whole host of different areas of compliance. The leak does not just affect Panama. According to the Mossack Fonseca the firm has offices outside of Panama including 12 offices in Europe. There are indications that other jurisdictions which have traditionally been associated with front companies, including Malta, are also implicated.
The effects of the leak will also be felt outside the financial community. A twitter hashtag relating to the leak #Panamaleaks has been the top-trending hashtag around the world with more than 1.5m tweets sent with the hashtag on Monday alone.
What is the breach about?
It is still not clear how the documents came into the public domain and, as a result there, is a need to treat the information with caution. Reports suggest however that the documents show links to 72 current or former Heads of State. It seems the leak reveals the beneficial owners behind companies set up by the law firm for their clients. Companies, especially in some ‘offshore’ jurisdictions, can be used to disguise the true ownership of assets and bank accounts. These companies – known variously as ‘front companies’, ‘shelf companies’ or ‘shell companies’ seem to feature prominently in the leaked documents.
More than 214,000 offshore entities appear in the leak, connected to people in more than 200 countries and territories. Amongst the compliance issues will be:
Bribery Act 2010
The UK Bribery Act 2010 which came into force in 2011 introduced a new offence under section 7 of the Act of failure to prevent bribery. Under this offence a company can be liable for the acts of an individual or company associated with it. There are more details about the section 7 offence and who an “associated person” is in our FAQS on the Bribery Act 2010. Many organisations will have done due diligence based on the apparent owners of companies they associate with. It is likely that as a result of the Mossack Fonseca leak there are doubts as to whether those apparent owners are the beneficial owners of the entity. Front companies are often used in bribery schemes. Recent examples include the Standard Bank case (details here) and the Graham Marchment case here. For many businesses their associated person due diligence will now need to be renewed.
News of a big leak of data relating to prominent Russian politicians has been circulating in compliance circles for the last few days. The Mossack Fonseca data includes documents incriminating senior Russian politicians and their connections. In January the EU extended its sanctions against Russian (see our alert here). As we said in our January alert, the EU sanctions regime is quite complex but it would seem to the be the case that some individuals and companies on the US, EU and Canadian sanctions lists have masked their involvement by the use of front companies. Again, as a result, due diligence in ongoing transactions may need to be refreshed.
Anti-Money Laundering & PEP issues
Anti-money laundering (AML) laws are a feature of many jurisdictions and over 80 countries have specific legislation mandating some form of due diligence check. Many jurisdictions also have laws requiring caution when dealing with politically exposed persons (PEPs). The leak apparently contains data on at least 140 PEPs. Some laws are better than others but again companies can be used as a mask to launder money or to disguise the fact that the real owner is a prominent politician. Banks and other financial institutions and other organisations subject to AML laws should consider refreshing their due diligence after this leak. Again this will not be an easy task. Some individuals with a dubious past have been using right to be forgotten requests (see http://www.corderycompliance.com/blog-bbc-news-and-attempts-to-use-the-right-to-be-forgotten-to-forget-the-past/) to remove information about them from the public domain. Others have altered their Wikipedia entries (a process recently described as ‘manicuring’) to present a different picture of themselves. Simple internet searches are unlikely to unravel these structures and a thorough approach to due diligence will be needed.
What does Mossack Fonseca say?
In a statement to the BBC Mossack Fonseca said: “Your allegations that we provide structures supposedly designed to hide the identity of the real owners, are completely unsupported and false. We do not provide beneficiary services to deceive banks…”. The firm’s website says “Our offices are supported by secure, state-of-the-art technology that is upgraded continually.” The firm also claimed to be “Panama’s first ISO 9001 certified Law Firm International Trust & Corporate Service Provider”.
Authorities in a number of countries have already announced investigations. The Swedish Skatteverket (tax agency) has reportedly asked for documents from the leak relating to the tax affairs of between 400 and 500 Swedish nationals. The Australian Tax Office (ATO) has said it is examining the tax affairs of some 800 individuals connected to the leaks. ATO Deputy Commissioner Michael Cranston said his office was working with the police, the Australian Crime Commission and the anti-money laundering regulator. He said that some cases may be referred to the Serious Financial Crime Taskforce. Reports suggest that the German, UK & US authorities had some of the documents in advance of yesterday’s leak and are already investigating.
Information in the papers also includes data connected to at least one ongoing corruption and money-laundering case in the UK.
A number of well-known corporations including BHP Billiton and HSBC have also been implicated although there is no evidence to suggest any wrong-doing on their part.
What happens next?
This is a story which is likely to run and run. Further details of those allegedly involved are scheduled to be released next month including emails, financial spreadsheets, passports and corporate records from 21 offshore jurisdictions. Apparently 2.6 terabytes of data stretching back almost 40 years will be released.
Most organisations will need to act now to reduce their exposure. Given the provenance of the data, careful thought will be needed as data protection and other laws are likely still to apply, albeit possibly with exemptions being available. Some of the data may be protected by privilege in addition. It is important to note that using a front company does not of itself amount to criminal conduct. Companies will need to think carefully about any exemptions they rely on to use the data – as we have seen in other investigations there can be consequences for those investigating too. Proper procedures will need to be put in place to review the information already in the public domain and the further releases which are likely to follow.
An earlier version of this blog appeared on 4th April. We have updated it to reflect recent developments.
For more information contact Jonathan Armstrong at Cordery in London whose focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784