The need for effective Know Your Customer (KYC) procedures in light of the “Panama papers” leaks


Recent revelations from the “Panama papers” leaks have again highlighted concerns over undeclared assets and possible misuse of secrecy jurisdictions.
Public scrutiny of the affairs of prominent individuals arising from associated press and media reporting reinforces the importance for regulated financial institutions and professional advisors to understand the background and reputation of customers with whom they transact. Regulated financial institutions and certain professional intermediaries are obliged to know their customers for a number of reasons:

  • To ensure client funds are not sourced from illegal activities;
  • To provide an adequate understanding of clients’ affairs, so unusual account activity can be detected and, if necessary, reported to a competent authority;
  • To detect and prevent financial crime arising from illegal activities such as:
      – Bribery and corruption
      – Fraud
      – Tax evasion
      – Narcotics or human trafficking
      – Trade in restricted goods, such as conflict minerals or endangered species

The processing of transactions arising from such activities through the banking system may give rise to money laundering offences. Other ethically-questionable activities (such as aggressive tax avoidance), whilst not strictly illegal, could also cause damage to reputation by association.

Increasing compliance requirements

Although financial crime matters are commonly of interest to individuals in the professional field tasked with managing these risks, or to certain non-government organisations and public interest groups, they are also increasingly recognised as a mainstream public interest issue, given a growing awareness of their impact on the general population. A number of developments in the past 15 years have raised public attention, including:

  • In response to the 9/11 terrorist attacks, the United States introduced extensive legislation to counter terrorist financing in the form of the US PATRIOT Act.
  • In recognition of the negative impact of bribery and corruption on society and business, countries have introduced tighter legislation (such as the UK Bribery Act) or have stepped up prosecution of bribery and corruption offences (such as under the US Foreign Corrupt Practices Act). A range of countries have introduced updated anti-bribery and corruption legislation, or have proposed to do so (such as France). Allegations of corruption have swept continents, and threaten the very fabric of countries such as Brazil and Ukraine.
  • There has been a widespread groundswell of public opinion against tax evasion and aggressive tax avoidance practices, particularly in the aftermath of the global financial crisis, given a perception that an elite few have avoided austerity measures imposed on the general public.
  • The beneficial ownership debate, interwoven with tax transparency demands, has gathered momentum in recent years, with calls for greater transparency and the ending of so-called secrecy jurisdictions.
  • Ongoing and more recent leaks, such as the Panama Papers, Luxleaks, Swissleaks and the Unaoil scandal, have reinforced the notion – rightly or wrongly – that some individuals, their advisors and financial institutions have acted illegally in the narrow interests of a minority, and to the detriment of the majority.

The issues above, coupled with the near inevitability of future leaks, mean that regulated financial institutions and professional intermediaries will face increasing levels of scrutiny, even in situations hitherto considered highly private and confidential. It would be a wholly false economy to assume that “light touch” due diligence measures for situations that present higher risks would withstand regulatory scrutiny. Regardless of legal obligations, firms also risk being judged harshly in the court of public opinion if due diligence measures are regarded as insufficient, or material adverse matters are overlooked in favour of short-term commercial interests.

How much due diligence is reasonable?

The risk-based approach to countering the threats of money laundering, terrorist financing and bribery and corruption is well established, and is variously set out in documentation published by the Financial Action Task Force, the EU Fourth Money Laundering Directive, and in guidance to the UK Bribery Act 2010. The Bribery Act guidance, for example, emphasises: “No policies or procedures are capable of detecting and preventing all bribery. A risk-based approach will, however, serve to focus the effort where it is needed and will have the most impact.”

For a range of reasons – including its flexibility, avoidance of “box-ticking”, and exercise of professional judgement – proponents of the principles-based approach believe it is superior to a rules-based approach that is more rigid and mechanistic. Others dispute this, pointing to recurrent compliance failures under the principles-based approach where discretion allows risk-taking that could be viewed as unreasonable.

A case in point involves an enforcement action in 2012 by the Financial Services Authority (now FCA) against Habib Bank AG Zurich, in which the FSA said “Habib’s policy of excluding Pakistan and Kenya from its High Risk Country List was seriously misconceived, as the higher risk of money laundering they presented was not negated by Habib’s physical presence in those countries or any specialist knowledge of them.” Country risk is regarded as a key indicator in determining overall customer risk although, in the UK, the Money Laundering Regulations also identify situations at high risk for money laundering, including those involving links to high-risk business sectors, unnecessarily complex or opaque beneficial ownership structures (which could include complex offshore structures), and transactions that are unusual, lack an obvious economic or lawful purpose, are complex or large, or might lend themselves to anonymity. Other factors, such as a customer not being present, correspondent banking relationships, or relationships with politically exposed persons (PEPs), would also present higher-risk situations for money laundering.

A principles-based approach may be less effective in situations where the culture of an organisation does not support robust compliance measures, such as through a lack of adequate compliance resourcing and support, or because a company’s incentive scheme is skewed in favour of risk-taking, to the point where commercial interests override other considerations. There are ample examples in recent years of such failings and, until such time as individuals become personally liable for their actions, arguably fines and penalties may be regarded as a cost of doing business – although high-profile compliance failings are increasingly damaging to corporate reputation in general.

Key due diligence considerations

Due diligence conducted on a risk-based approach will typically seek to identify issues such as ownership/control, source of wealth or source of funds, and exposure to financial crime risk, including sanctions exposure or terrorist financing risks.

  • Identifying the true beneficial ownership of a legal entity and/or individuals with significant control can prove challenging, particularly in jurisdictions where there are low levels of transparency, or for certain types of legal structures. Whilst reliance may need to be placed on third parties (such as legal representatives or, as they become available, public registers of persons of significant control) to validate this information, it is important not to take such information at face value, but to apply some level of healthy scepticism. It is still possible for an individual who is – to all intents and purposes – the stated ultimate legal owner, to be holding an interest on trust (or even under coercion) for another individual. This may be a particular risk where the individual who does not wish to be identified is wealthy or influential, and can therefore exert authority without being personally named on any documentation.
  • It is therefore important that, once the identity of a stated Ultimate Beneficial Owner (UBO) is known, sufficient additional research is conducted on the individual. For example, does the individual have a discernible profile which is consistent and commensurate with the activities of an underlying business, its expected turnover, or the value and range of any underlying assets? If this is not clear, how did they personally amass this wealth? How and from where are they deriving the income? If the individual is a relative or business associate of another wealthy individual, how did that person acquire their wealth – particularly if they are a PEP? Enhanced due diligence procedures are automatically required for PEPs, and hence identifying their possible relationship with another individual/organisation is critical. If a UBO is not adequately identified and recorded, other processes such as sanctions screening or evaluation of terrorist financing risks cannot be concluded adequately, which can compound compliance and reputation risks.
  • How much is known about a business, including where and how it operates, the industry sectors in which it operates, and its supply chain? If a business has touchpoints with sanctioned countries, this potentially opens up legal risks for third parties, such as banks dealing with the organisation. If it sources materials or services from third parties or countries over which there are concerns, this may also result in legal risks as well as reputation concerns, particularly if the organisation operates in a non-transparent manner, or has questionable corporate governance practices. If a company’s financial performance is materially better than its peer group, it may be as a result of innovation, quality of service, quality of management, or other differentiating factors. However, it may also be a result of collusion, anti-competitive behaviour, or profit maximisation through illegal or unethical activities. Sometimes, but not inevitably, such organisations will be known for this type of activity and may have faced repeated fines or penalties. Organisations may be benefiting from hidden relationships with government officials to win or retain public sector contracts, giving rise to possible bribery and corruption risks. If a company is regularly involved in opaque public contracts, this may represent a risk issue.


In response to recent high profile compliance failures, as well as revelations such as the Panama Papers, it is inevitable that increasing attention will be given to how regulated organisations and professional intermediaries conduct business. Aside from the legal risks of not performing adequate due diligence measures, there is a very real risk that future leaks caused by internal or external actors could suddenly expose a company’s internal processes and decision-making to widespread public scrutiny. Firms should ensure that they are comfortable that, should this ever happen, their customer evaluation processes would withstand this scrutiny.
