Mossack Fonseca Leak Highlights Importance of Data Security and Client Protocols


CDE Op-Ed Commentary

The so-called “Panama Papers”, a huge leak of client information from the Panamanian law firm Mossack Fonseca, highlights the absolute need for strong IT protection and security. Over 11 million documents were shared with a German newspaper investigating the financial backgrounds of world leaders, in a haul larger than the documents released by Edward Snowden.

Thus far, the media has concentrated on world leaders and politicians, although the firm also has a significant presence in China. In fact, I was engaged at the practice in Hong Kong for a short while back in the early 1990s, assisting to process corporate documentation, mainly involving clients in the British Virgin Islands. Mossack Fonseca’s clients at the time were nearly all other Hong Kong based law and accounting firms, with only a handful of individuals. Most clients were using BVI companies to hold WFOE and similar investments into China, which was standard practice at the time given that China was still perceived as having some political and development risk in those days. Those that weren’t were simply using companies to own properties in Hong Kong, China, and elsewhere. All perfectly normal, standard procedures.

Mossack Fonseca’s position as a major international law firm, supplying mainly other professional services firms, is that those firms themselves will have conducted client due diligence. I recall the practice being very strict on insisting upon verifiable client data and documents having to be signed off by clients stating that any offshore company usage would not be for tax evasion or other nefarious purposes.

The industry has subsequently moved on, and since my day has become more aggressive, while China has also changed and become less risky. Foreign investors tend to use Hong Kong incorporations to hold investments into China, mainly because the documentation is bi-lingual, Hong Kong is also a tax haven, and mainland China is considered more secure. BVI companies are also difficult to use in China as the Chinese authorities also discourage their use, and have done so for over 15 years – documentation to use them in China has to go through a screening process in London, adding to expense. 

What has changed since my time in that industry is that an increasing number of privately wealthy individuals have begun using offshore companies to distribute and keep wealth offshore. That aspect, which is decades old, exists purely because different countries have differing tax codes and charge different rates. If there were a global, unified tax code, there would be no need for the likes of Mossack Fonseca to exist. But there is, and tax and financial planning has long been the preserve of sensible monetary planning – offshore trusts being set up, for example, to pay for children’s education overseas – something which did not exist in my day – is now commonplace. It is a legal way to ensure children receiving income while in education in the United States, for instance, are not taxed on that income while at University. It is a common and legal practice. Estate planning and a huge variety of tax planning schemes have come to dominate the industry. To my knowledge, Mossack Fonseca has always abided by the relevant laws in doing so.

They now have a China practice, which apparently has eight offices which didn’t exist in my day. The leak, which will no doubt reveal data concerning clients from the Chinese mainland, will be of interest both to the Chinese tax bureau and a potential embarrassment to others. What has significantly changed since my time there 24 years ago, however, is the administration of such companies. In my day, much was written down on a card index filing system and floppy discs. There was no email – documents were sent by post. Now, however, administration has completely changed: it has all become computerized, with software developed to assist. Mossack Fonseca, being a large, global practice with over 40 years of client work behind them, will have invested in systems to cater for and support such a volume of work. The difference between then and now is that 25 years ago, leaking documents on that scale would have been impossible – it would involve physically shifting boxes and boxes of paperwork. Today, it can be stored on a powerful USB drive.

It remains unclear how this leak occurred. Mossack Fonseca was targeted not because of what it does – which was and remains legal – but for who its clients are. Within the leak were 2.6 terabytes of data, containing 11.5 million documents from around 214,000 offshore entities. The probe was led by the International Consortium of Investigative Journalists (ICIJ) and German daily Sueddeutsche Zeitung. There are also disturbing emerging rumors of Mossack Fonseca’s database having been hacked.

The media surrounding the case are demonstrating a desire to ‘expose’ those who may have abused tax or investment laws and deliberately hidden information. Just a look at the press shows the real underlying motive – outing users and looking into their assets. While some of this is justifiable, I urge some caution – it remains unclear how journalists are also able to act as financial auditors and present themselves as such for the public good. The danger is that perfectly innocent individuals will be painted with the same brush. Will the media care? Probably not.

Eventually it will come out how that leak happened – financial incentives, disgruntled employees, or the essential stealing of that data – which could in itself become a case for a criminal enquiry. But what it does demonstrate is that even in today’s data and software driven world, and amongst tight data security, it remains easier than ever to gain access to and steal confidential material.

The message here is this – is your data secure? A sound data system should have several layers of access arranged on a need-to-know basis. Key personnel need to be trusted and kept close to the inner corporate environment, meaning HR has a key role to play in who is selected for such responsibilities. Key staff need to be motivated to stay close to the body corporate. Should staff be corrupt or disenfranchised, trouble can result. And with USBs being simple to slip into a pocket, it can be very easy for confidential information to walk out the door.

Another issue is what should be the mantra for all professional services firms – Know Your Client (KYC). As the majority of Mossack Fonseca’s work (and therefore its clients) was provided to them by other law and accounting firms, it is apparent that Mossack Fonseca relied too heavily on those firms already having conducted due diligence on their clients. Clearly, that is not only a failure of Mossack Fonseca, but also suggests that KYC protocols are not very thoroughly followed through by many other professional services firms, period. I am sure that this scandal will usher in a new, self-imposed layer of security at practices worldwide. KYC will become an important part of standard operating procedure for firms even before they engage. In short, clients will need to prove who they are and their intentions before taking on legal or tax counsel.

The lesson for professional services as concerns the Mossack Fonseca case is not the varying debates over the use of offshore services – while they remain permitted by law, people will always use them. The real lesson to be learned is simple – how secure is your data, and how well do you know your clients?


Chris Devonshire-Ellis is the Founding Partner of Dezan Shira & Associates – a specialist foreign direct investment practice providing corporate establishment, business advisory, tax advisory and compliance, accounting, payroll, due diligence and financial review services to multinationals investing in emerging Asia. Since its establishment in 1992, the firm has grown into one of Asia’s most versatile full-service consultancies with operational offices across China, Hong Kong, India, Singapore and Vietnam, in addition to alliances in Indonesia, Malaysia, Philippines and Thailand, as well as liaison offices in Italy, Germany and the United States. For further information, please email china@dezshira.com or visit www.dezshira.com.

Chris can be followed on Twitter at @CDE_Asia.
