On May 9, a further trove of confidential information from the files of the Panamanian law firm Mossack Fonseca & Co. was released to the web by the hacker(s) who penetrated the firm’s e-mail system. As we all know, the firm’s clients were largely nominees or intermediaries: banks, financial administrators, accountants, etc., who carried out their clients’ bidding via the formation of “shell companies” in foreign tax havens. The creation of the companies and use of intermediaries created an expectation of anonymity. That anonymity was however shattered with the publication of the Panama Papers. They contain the names of the intermediaries, the ultimate beneficiaries, related correspondence and contracts and, most importantly in the case of corporations, the identity of shareholders and directors.
The still-unknown hacker(s) approached the German newspaper Süddeutsche Zeitung, which invited reporters through the International Consortium of Investigative Journalists to help sift through 11.5 million documents, comprising a staggering 2.6 terabits of data.
Holding money in offshore accounts isn’t necessarily illegal. There are legitimate uses for offshore companies, foundations, and trusts; however, they can also be used to circumvent codes of ethics, political financial disclosure laws, launder money, fund terrorist activities, evade taxes, and other illegal or dishonourable activities.
The release, which Edward Snowden called the “biggest leak in the history of data journalism”, has highlighted the importance for companies, their boards, and shareholders to ensure that they are using best practices in regard to corporate governance, onboarding, and IT security. In-house counsel can and should play a key role in the creation, monitoring, and reporting of related measures, policies, and procedures.
Digging deeper — onboarding
Anti-bribery, corruption, financial disclosure, and sanctions legislation as well as codes of conduct require that clients carefully screen customers and suppliers before moving forward with a business or other relationship (“onboarding”). Unfortunately, less than half of jurisdictions where companies can be incorporated provide public information on corporate directors and shareholders, so, often, their identity is not known by clients. This is, however, slowly beginning to change. The identification of shareholders is gradually becoming a more common component of third-party screening conducted by multinational organizations concerned with anti-bribery and corruption legislation, as governed by the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act, and the Ukraine’s reforms in the area of sectoral sanctions.
Forms and screening practices should be reviewed and disclosure requirements toughened up. Clients should be asking whether they should be requiring more information than they have in the past; for example, the identity of directors and shareholders. This presents a challenge, however, in that onboarding in the case of large corporations and institutions already often takes weeks if not months to complete. The challenge will be to dig deeper in terms of required disclosure while improving on processing times.
The task of surveying ownership changes and verifying client-provided details provided at the time of onboarding on a going-forward basis presents another challenge. Customers, suppliers, and other business partners often fail to proactively advise of material changes, such as changes in shareholders and the like. It would be prudent for in-house counsel to ensure that there is a mechanism to harvest this information on a regular basis. For example, clients should seriously consider requiring that firms and individuals who have been onboarded re-submit forms on a regular basis to ensure that the data inventoried by the client is accurate and up to date to ensure continued compliance with applicable laws, codes, and policies.
Avoid getting caught flat-footed
Companies that have not been directly named in the Panama Papers may nevertheless face some exposure for regulatory non-compliance, criminal sanctions, and reputational risk because of illegal conduct on the part of agents, intermediaries, and business partners who have been named in the leaks with whom they are doing business or to whom they may otherwise be connected. It would be best to not be caught flat-footed and learn of the connection through an irritated shareholder, board member, or a member of the media. Subpoenas and other orders are time-consuming to respond to. When the authorities come knocking, it would be best to have performed searches a priority to determine whether parties named in the Panama Papers have a connection to the client, the nature of the relationship, and whether there are any legal or moral concerns in the circumstances. Internal databases should be checked against the names that have been published so far. Consideration should be given as to whether there are any reporting requirements, for example, to the board, insurers, perhaps even a press release if there is a material concern.
News seems to be travelling ever faster thanks to the spread of social media. Clients are often forced to be constantly “on,” in a state of media readiness. Damage to reputation can be quick and severe and difficult to recover from. This requires a culture of preparedness. A multi-pronged media/board/executive team preparedness strategy must include the ability to anticipate, and see around corners to prevent and diffuse issues.
In addition to performing searches of internal databases to determine whether clients’ customers, suppliers, and other partners have been named in the Panama Papers, it would be useful to test other third-party due-diligence procedures: for example, ethics compliance reporting lines, clients’ shareholder lists, list of advisors, and other substantive connections, including a list of investments. For example, following an internal investigation, CBC recently reported that Power Corporation held shares in a Chinese company named in the Panama Papers. Power Corporation was forced to respond that it no longer held shares in the company in question and that regardless it had followed all laws and regulations.
The Panama Papers highlight once again the importance of maintaining tight security over computer networks. It would appear that the law firm in question did not have state-of-the-art firewalls, was using somewhat outdated software, and e-mail was not encrypted. In-house counsel have a duty to ensure that IT security is brought up regularly with senior management and with board members. It tends to often slide off the agenda, being regarded as too technical or not mission-critical. The leak demonstrates that it is anything but so.
While, traditionally, lawyers have been suspicious of using the cloud for practice management and storage of legal documents (i.e. the Patriot Act) and have preferred to maintain their documents on-site, the Panama Papers may lead the legal profession to re-think this view on cloud security.
There are clear steps that can be taken perhaps not to guarantee that there will not be leaks but at least to make it harder for people to leak documents.