Nothing motivates a regulator more than a crisis that ignites public outrage. The recent disclosure of the Panama Papers, the latest in a series of monumental data breaches tracing back to WikiLeaks in 2010 and Edward Snowden in 2013 is exponentially larger than those previous events, involving 11.5 million individual files from a Panamanian law firm that assisted clients in forming a multitude of offshore companies. Initial reports allege that some of these companies may have been used to conceal funds from sources as diverse as government leaders, drug kingpins and international sports organizations. Banks stand directly in the path of this eruption, as tremors have re-energized a proposed regulation, first introduced by the Financial Crimes Enforcement Network (FinCEN) four years ago, that targets beneficial ownership of legal entities.

Building upon the customer due diligence (CDD) mandated by existing Customer Identification Program (CIP) regulations, the new FinCEN regulation, if implemented, would add a provision requiring banks and financial institutions to identify and verify, in a standardized format, the natural persons who are beneficial owners of their legal entity customers. According to press reports, Treasury Department officials will soon be sending the regulation to the White House’s Office of Management and Budget for approval to publish. Timing appears particularly favorable for issuance, with recent events bringing a new urgency just as the latest public comment period (relating to an extensive analysis of projected regulatory costs) closed on the 2012 proposed rule that will form the core of the new regulation.

It is not clear whether the new regulation will retain the definitional and practical limits of the proposed rule. Specifically, will a beneficial owner still be defined as an individual who owns 25% or more of the equity in a legal entity or who controls the entity in some manner? Even more concerning, will FinCEN continue to advocate requiring only verification of the identity, but not the status, of beneficial owners, thereby permitting a financial institution to rely on the certification obtained from its customer?

In the face of these recent developments, bank compliance officers need to focus their attention on information currently emerging from the Panama Papers and would be well-advised to take the following actions:

  • Reexamine the role of the compliance function as the main line of defense in mitigating risk, particularly regarding the effectiveness of their bank’s CIP program in identifying and monitoring beneficial ownership of customers.
  • Remain alert to preventing potential contagion risk to safety and soundness from enforcement actions and penalties U.S. regulators could bring against customers created by the Panamanian law firm, Mossack Fonseca.
  • Be generally alert to violations of law by any customers that may have been enabled or facilitated by operations of the bank or its affiliated offshore subsidiaries.
  • Frame the bank’s position concerning whether it is an unsafe and unsound practice to provide banking services to a customer conducting offshore activities through an offshore entity where the entity’s corporate purpose is obscure and its functional control is opaque and where it is difficult to assess and monitor the use of the banking services.
  • Determine to what degree the “high-risk” activity of a customer exposes the bank to liability for aiding and abetting the willful violation of law.
  • Generally, begin thinking about how the bank would handle the administrative burdens that may be imposed by the new regulation.

However the new regulation proceeds towards adoption, we expect that FinCEN will not seek to interfere with properly structured offshore bank subsidiaries and offshore legal entities. Nonetheless, banks must remain mindful that the functional regulators will continue to require the global enterprise to maintain safety and soundness by appropriately managing risk and minimizing susceptibility to illegal financial activity.