The Governance, Risk Management and Compliance and IT Security (GRC)
issues from The Panama Papers
Governance components of Transparency
and Accountability.
Financial institutions in offshore tax havens have in the past hidden
behind the sovereignty of their local laws, which allowed them to
guarantee the anonymity of their investors. However, the digitisation
of documents and their exchange via the internet has created a definite
weak link in their banking secrecy. In future, digital papers and
the internet will be the most active enemies of muddy financial transactions.
Risk Management issues of the Panama Papers
Almost all sectors will be affected by the leaks, particularly those companies
that traditionally have paid bribes to win many and large public contracts,
and carried out related corrupt activities, through money from offshore tax
shelters. The financial sector will mainly face the risk of exposure due to
its knowledge of the financial transactions and for being in a position to
recommend or assist companies with offshore investments. Banks, like
all commercial enterprises, are at the forefront of corruption, AML or
monitoring of capital flows if the right 'Know Your Customer' due diligence
is not conducted.
The Panama Papers underscore the fundamental injustices and inequalities
created by the offshore system when taxes are evaded and state assets are
robbed, and the need for public registries in which information about
who ultimately controls a company is accessible to all. However, it is
ultimately the law enforcement and oversight authorities that must hunt
the real people behind anonymous companies used in money laundering and
other wrongdoing.
Compliance lessons from the Panama Papers
The Panama Papers highlight the importance of performing proper due diligence
on the people and entities with which a company does its business. Every
jurisdiction has issued guidelines on corruption prevention that emphasise
the importance of adequate due diligence.
The documents demonstrate the importance of identifying the ultimate beneficiary
of those on the receiving end of due diligence. It is not enough to limit
the diligence to the first level of shareholders; it must also determine the
shareholders and stakeholders of all parts and subsidiaries. All individuals
must be subjected to the appropriate level of due diligence.
IT Security Lessons from the Panama Papers.
Mossack Fonseca & Co., the Panamanian law firm and corporate service provider,
has 40 global offices and 600 lawyers worldwide. The enormous cache of
leaked documents reveals some IT-security flaws. The primary reason
is that the front-end computer systems of Mossack Fonseca were outdated
and riddled with security flaws, and the firm has apparently shown an
"astonishing" disregard for IT security and IT discipline. Mossack Fonseca
& Co. is the first and only ISO 9001:2008 certified legal services company
in Panama. ISO certification is, therefore, no guarantee. Companies are
recommended to learn from the data leaks and pay particular attention to the
data and IT challenges in handling personal data when the EU's General Data
Protection Regulation (GDPR) goes live in 2018. The GDPR security and data
protection policies need entirely new roles and responsibilities to address
the data and safety information system within the organisation and to
proactively monitor its networks and identify any potential security threat
in real time. There will be dramatic changes in how personal data is collected,
stored, accessed, disclosed and utilised, to avoid the same leaks as at so
many other companies, which caused irreparable reputational damage.
Perhaps Panama is the tip of the offshore iceberg. There are several other
jurisdictions posing similar problems. The OECD has conducted well over 200
Phase 1 and Phase 2 peer reviews in the past seven years under what is called
the Global Forum. It has identified some member countries and jurisdictions
whose legal and regulatory framework for the exchange of information is not
up to international standards. They include Guatemala, Kazakhstan, Lebanon,
Liberia, Micronesia, Nauru, Trinidad and Tobago and Vanuatu. It is clear
that there are many other jurisdictions where a lack of information on
beneficial ownership of corporate and other entities can facilitate illicit
cash flows.
The full dataset is also available for download.
https://panamapapers.icij.org/blog/20160509-offshore-database-release.html