On April 3, 2016, the International Consortium of Investigative Journalists (“ICIJ”) reported one of the largest data leaks in history. With approximately 11.5 million confidential legal records threatening to expose the shell companies and offshore bank accounts of some of the world’s most powerful people,[1] the fallout for global financial institutions could be significant. Much attention has been paid to the 140 politicians and public officials currently linked to the release, but with only a fraction of the leaked records currently available for review, a flurry of civil and criminal investigations likely awaits the estimated 500 banks, their subsidiaries, and branches that registered nearly 15,600 shell companies with Panamanian law firm Mossack Fonseca.[2]

It is important to note that not all services provided to offshore entities are illegal and not all offshore entities are engaged in illegal or inappropriate conduct. The ICIJ, however, has reported that many financial institutions named in the Panama Papers have failed to adhere to certain legal requirements to ensure that their clients are not involved in criminal enterprises, tax evasion, or political corruption. Even though U.S. regulatory and law enforcement agencies have reviewed only limited data, investigation strategies already are starting to emerge—both the U.S. Attorney’s Office for the Southern District of New York (“SDNY”) and the New York Department of Financial Services (“NYDFS”) announced the opening of their own investigations into potential tax, fraud, and money laundering issues exposed by the data leak. Further, the Treasury Department and the NYDFS have pending rules that will heighten customer due diligence standards for financial institutions (including beneficial ownership identification) and enhance Bank Secrecy Act/anti-money laundering requirements for New York-regulated entities. These rules, and others, likely will draw additional attention to the entities and the compliance issues flagged by the Panama Papers release.

Accordingly, ahead of the increased government inquiries that will result from the ICIJ’s release of a searchable database on May 9, 2016 (which will include information on more than 200,000 offshore entities tied to the Panama Papers investigation),[3] financial institutions should take this opportunity to understand the legal risks, assess potential civil and criminal liability, and take proactive steps to minimize their exposure. This is true not only for the institutions, but also for directors, shareholders, and beneficial owners who may be implicated—either directly or indirectly—for facilitating such transactions.

With a storm of government investigations and related enforcement proceedings on the horizon, at-risk entities must be strategic about their own internal investigations, proactive disclosures, and compliance infrastructures moving forward.

I.   Emerging Federal Investigations

The Panama Papers likely will amplify the level of scrutiny that financial institutions face with respect to anti-money laundering and anti-corruption compliance, economic and trade sanctions, and tax evasion. While the Department of Justice (“DOJ”) has not yet commented publicly on the specifics of the document leak or the scope of its investigation, a spokesperson for the DOJ has emphasized that it “takes very seriously all credible allegations of high level, foreign corruption that might have a link to the United States or the U.S. financial system.”[4]

The SDNY took the first of what likely will be many steps on behalf of the DOJ to investigate companies and individuals implicated by the Panama Papers. In a letter sent to the ICIJ by U.S. Attorney Preet Bharara, the SDNY announced that it had opened a criminal investigation “regarding matters to which the Panama Papers are relevant” and wished to speak with “any ICIJ employee or representative involved in the Panama Papers Project.”[5] In response, the ICIJ has stated that it will not turn over unpublished data and does not “intend to play a role in that investigation.”[6]

When the ICIJ releases the names of more than 200,000 offshore entities incorporated by Mossack Fonseca and the individuals connected to them (as directors, shareholders, and beneficiaries), the DOJ likely will begin scrutinizing the transactions of high-profile entities and individuals linked to the papers. If Bharara’s prosecutorial record is any indication of what is to come, we expect the SDNY to focus on “large-scale, sophisticated financial frauds” for potential securities fraud, tax fraud, wire fraud, conspiracy, money laundering, anti-corruption issues, and other potential criminal violations.[7]

In the wake of the Panama Papers leak, the U.S. Department of Treasury also has been vocal about its obligation to enforce compliance and promote meaningful transparency within U.S. financial institutions. In a recent speech delivered by Assistant Secretary Daniel Glaser on the role of transparency in fighting corruption in financial systems, the Treasury Department reiterated its commitment to “effective implementation of measures regarding anti-money laundering and countering the financing of terrorism.”[8] While a proposed rule promulgated by Treasury’s Financial Crimes Enforcement Network—which would require financial institutions to identify the beneficial owners of companies as they open accounts—is not yet final,[9] Treasury has several existing avenues to pursue financial institutions and individuals connected to the Panama Papers, including new sanctions designations and blocked property identifications after cross-referencing leaked data with the Office of Foreign Assets Control’s Specially Designated Nationals list.[10]

The Treasury Department is expected to be particularly active in this respect, as it continues to ramp up its assessment of regulatory and criminal penalties. Last year alone, fines reached more than $1 billion for egregious, willful behavior, with lower regulatory penalties or informal remedial actions imposed for less egregious or unknowing behavior.[11] Now, as Treasury seeks to leverage the information released by the ICIJ to help strengthen customer due diligence obligations, it likely will partner with a variety of U.S. regulatory and law enforcement agencies to pursue those who have facilitated—either directly or indirectly—the use of anonymous companies to launder the proceeds of illegal activity in the U.S. financial sector.

Global financial institutions also should note that their exposure is not limited to the United States. Formal investigations related to the Panama Papers have been initiated by authorities in Australia, Austria, Belgium, France, India, the Netherlands, New Zealand, Sweden, Mexico, Norway, and the United Kingdom, among others.[12] The United Kingdom has been particularly active thus far, with its financial regulatory body—the Financial Conduct Authority (“FCA”)—issuing letters to approximately 20 banks and other financial companies the day after the initial Panama Papers leak.[13] Each recipient was required to complete, by April 15, 2016, an initial internal investigation and identify any ties to Mossack Fonseca or to companies formed or managed by the firm.[14] The FCA also recently announced a second tranche of 44 firms required to complete internal investigations.[15] With a total of 64 banks and financial companies now under review, the FCA appears to be widening its inquiry and prioritizing resources to assess the current flood of information.[16]

II.   Inquiries by State Banking Regulators

In addition to enhanced scrutiny at the federal level, financial institutions may find themselves subject to investigation by their state banking regulators as well. The NYDFS sent letters to more than a dozen foreign banks requesting any “communications, phone logs and records of transactions between their New York branches and employees or agents of Mossack Fonseca, as well as any subsequent communication with shell companies formed as part of these transactions.”[17] These banks also were asked to “identify any New York-based personnel who may have held positions at the shell companies” and provide any additional information stemming from internal probes or investigations conducted by regulators.[18] The letter, which reportedly is similar in form to a subpoena, gives each entity 10 days to provide the requested materials.[19]

At this time, no bank has been accused of wrongdoing; however, as the names of additional financial institutions are released by the ICIJ, we expect the NYDFS to add to its list of entities and individuals under review. Presumably, any self-disclosures or documents provided to the NYDFS will aid the Department in uncovering evidence of wrongdoing, which is critical given that the ICIJ currently refuses to release additional, non-public information directly to regulatory and law enforcement agencies.

With additional subpoenas and requests for information likely on the way, financial institutions may be well advised to conduct their own internal investigations (including an inventory of customer accounts) in advance of these requests. Doing so will help identify pressure points unique to the organization, quantify potential civil and criminal liability, and ensure a more thoughtful and measured approach should an investigation escalate.

III.   Individual Liability Concerns

While large financial institutions may bear the brunt of prosecutorial scrutiny, directors, shareholders, and beneficial owners may not be exempt from personal liability, particularly where an institution has failed to implement sufficient compliance procedures, determine beneficial ownership, or identify and prevent tax evasion. The imposition of individual liability for anti-money laundering compliance failures is nothing new—under the Bank Secrecy Act, willful violations of the statute or its implementing regulations by partners, directors, officers, or employees of a financial institution are punishable by a civil penalty of $25,000 or the amount of the transaction (up to $100,000).[20] But there has been a recent uptick in the number of actions brought by the SDNY and other regulatory bodies against individual compliance officers for the failures of their employers to adhere to applicable policies and regulations. With individual accountability on the rise, those with managerial responsibility over compliance obligations should evaluate their own exposure in the event their employer is subject to civil or criminal investigation.

Senior executives and compliance officers also should note a new rule proposed by the NYDFS in December 2015 that would require New York-regulated financial institutions to comply with enhanced Bank Secrecy Act/anti-money laundering requirements, in addition to subjecting chief compliance officers to potential criminal liability for noncompliance.[21] While the NYDFS historically has been active in examining anti-money laundering and sanctions law violations, the Department recently has “become aware of the shortcomings in the transaction monitoring and filtering programs” of supervised institutions, including “a lack of robust governance, oversight, and accountability at senior levels.”[22] To remedy this issue, the NYDFS rule, as proposed, would require chief compliance officers (or their functional equivalents) to provide an annual certification to the NYDFS that their financial institution maintains a transaction monitoring and filtering program that is compliant with the proposed rule’s requirements.[23] This annual certification is not unlike those required of principal executive and financial officers under the Sarbanes-Oxley Act of 2002. As with Sarbanes-Oxley, under the NYDFS proposed rule, a compliance officer who files an incorrect or false annual certification would be subject to criminal penalties.[24]

IV.   Action Items

As U.S. regulators and enforcement authorities eagerly await the ICIJ’s release of additional information on entities and individuals linked to the Panama Papers, and begin initiating investigations, financial institutions should evaluate their potential exposure and consider taking the following steps:

  • Appoint an individual from within the organization to formulate and lead the appropriate internal investigatory approach;
  • Because investigations may involve all aspects of a financial institution’s interactions with offshore structures, review procedures and activities associated with those offshore structures, including but not limited to those involving funding, structuring, and wealth management functions to identify potential risks;
  • Identify relationships with law firms, external asset managers, and other organizations that facilitate the formation of offshore structures, particularly in jurisdictions with rigorous data privacy regulations that could enable improper conduct;
  • Gather publicly known information about the Panama Papers and review this information for any compliance issues relevant to the organization;
  • Review documents, screen client accounts, and conduct internal interviews to determine whether the organization has any ties to Mossack Fonseca or to companies formed or managed by the firm;
  • If the organization or its employees have assisted in the creation of offshore accounts or engaged in transactions with Mossack Fonseca, it should assess whether these activities involved any improper conduct;
  • Where certain accounts or transactions are likely to raise red flags or draw investigatory scrutiny, the institution should collect the necessary documentation and prepare an appropriate disclosure strategy; and
  • For internal investigations that are particularly expansive or where inquiries from regulators or enforcement authorities appear imminent, consult with outside counsel that is well-versed in the intersection of these legal issues and complex cross-border investigations.