A Primer on the Pandora Papers

The Pandora Papers were released by the International Consortium of Investigative Journalists (ICIJ) on October 3, 2021, and consisted of 11.9 million records, of which over 6 million were paper files. Out of all the prior leaks from the ICIJ, the Pandora Papers is the largest of three, comprised of over 2.9 terabytes of data. This leak also differed from the prior leaks because 14 providers contributed information for the Pandora Papers while only one firm provided the leaked information for the prior two.

These leaks all have one thing in common—exposing the dark side of corrupt politicians, the elite and those that wanted to hide assets. While the Pandora Papers can be very flashy and distract from current anti-money laundering/counter-terrorist financing operational tasks, it is important to take these findings—and those to come—in stride. Think of this leak as a big chip in your windshield. It makes a dent and the cracks spider out from the main dent. As time goes on, the spidering cracks become bigger, longer and sometimes can obscure your view. The Pandora Papers will continue to spider out as more articles are written and as more data is organized and released.

Every day, the journalists at ICIJ are releasing two to four articles that contain a humanitarian impact as it relates to the elite, powerful and political that are the main target of the Pandora Papers. This leak once again highlights the global need for highly effective regulatory frameworks at the country level as well as enforcement of the framework. Negative news penalties—where a country is noted in the news for having lax controls or enforcement—only last as long as any other headline, which is about 24 hours. At what point can a global body, such as the Financial Crimes Enforcement Network or possibly the United Nations react with some type of repercussion that impacts the country for true change? As it stands, the world has experienced three major leaks as it relates to the offshore ownership and tax havens—a total of almost seven terabytes of data. But where have these leaks really impacted any operational day-to-day requirements of law firms, accountants, trust companies or hedge funds? The answer is they have not. The righting of a big ship takes time, but it should not take this much time. There are many reasons for the delay, but from an anti-money laundering (AML) practitioner’s viewpoint, there are too many parties that benefit from nascent tax reporting structures and corporate establishment practices that are also responsible for approving the regulatory framework that closes the gaps.

While AML practitioners may feel like they need to be on top of the daily updates from the ICIJ, the bottom line for practitioners is that this an evolving situation that requires change from whole country frameworks, to include AML regulatory and tax structures, to see a true difference. If they only impose more stringent AML regulations without addressing the underlying framework in which tax avoidance and tax evasion are split, then it is like putting duct tape on a hole in a boat. There are real improvements that must be made by many countries, including the U.S., in which they extend full prescriptive AML program requirements on all designated nonfinancial businesses and persons (DNFBPs), to include gatekeepers like lawyers and accountants. When these entities are unregulated or are regulated in letter only with little to no enforcement, it leads to the pervasive issues in the industry now.

Given the nascent regulatory framework, it transfers risk to the regulated institutions. One of the net effects of the Pandora Papers result in real risks in every institution that are either directly related to these named parties or individuals or are indirectly related via a typology or similar threat nature. It may be too much at this point to try and implement one-off searches of names or entities that are named in the Pandora Papers. If your institution already incorporates negative news searches, then your daily task load has increased with regard to management of alerts. In addition, these alerts will require the review of multiple articles to determine if the name matched is truly involved in illicit activity or simply just a duplicitous or unethical harboring of riches, which may not be illegal. If your institution is not performing negative news searches, it may be too soon to start running names through your system. The most important step is to evaluate the threat landscape of your institution. State-regulated trust companies, or trust companies that have federal oversight but may not be subjected to exams that are laser-focused on AML compliance, should take the Pandora Papers as a warning sign. Threats that were once not considered should now be considered in light of the exposé by the Pandora Papers. This evaluation results in high-level takeaways that are applicable to wealth management departments, trust companies, private banking departments and depository institutions. These institutions may consider evaluating their foreign established trusts (or trusts created in higher risk U.S. states like South Dakota, Nevada, Wyoming or Delaware). While these are not sole indicators of high risk, they are an important contextual risk factor that may allow an institution to see other risk elements clearly. If foreign or high-risk established trusts are combined with other factors, such as indicators of shell companies, ties to foreign governments or political persons, then that may indicate a higher risk trust. Is it worthy of a suspicious activity report (SAR) or a suspicious transaction report (STR)? Maybe, but maybe not. There are many factors at play including the country regulatory framework for tax reporting and entity creation. The critical takeaway is not just limited to SARs and STRs but whether the institution aware of the risks and whether they have been documented, resulting in a mitigation or assumption of risks by the institution. In addition, there may be policy restrictions or assumptions that may not be true. For example, many trust companies or institutions simply state that they do not do business with politically exposed persons (PEPs), but there is no effort behind the scenes to ensure this policy statement. These institutions should ensure they are undertaking efforts to ensure compliance, not just assume a PEP would be readily apparent.

The greatest takeaway for AML practitioners is to take this leak, and all prior leaks, in stride. These types of leaks can serve as indicators of effectiveness (or ineffectiveness) for AML programs, especially those in the trust and service provider arena. It may be a huge undertaking to incorporate all the names, entities and countries into your day-to-day compliance program. Instead, an AML officer can take a threat-specific approach to ingesting and operationalizing the information. Note that this is not a risk-based approach but a threat-specific approach. A risk-based approach only comes after the threat landscape is established. Once that has been established, ensure that onboarding procedures and documentation requirements are aligned with the identified threats. Finally, try and become familiar with some of the stories that outline how a person or business moved funds or hid funds related to a named crime, rather than focusing on names that are in the news for unethical or duplicitous behavior. AML employees are not the “morality police” and they know that line pretty well. So, do not make it a habit now to start crossing over that line. Stay on course and operationalize what is related to your threat landscape.


By Sarah Beth Felix, CAMS, MFS, president, Palmera Consulting, TX, USA, October 8, 2021