Panama papers leak

The Panama Papers have caused major reverberations around the world; in governments and businesses. There has been massive media and public interest in the content of this huge tranche of commercial documents. The disclosure of the off shore tax details of over 214 000 shelf companies has some quite extraordinary implications – including in Australia.

The fall out has spurred politicians and tax agencies around the world to implement a range of measures to clamp down on off-shore tax avoidance and to prosecute people allegedly cheating the system.

This crack down is being applauded by everyone who pays their full tax liabilities. But there are other consequences of this case that are worthy of further consideration.

However, to begin with, we need to recap on the facts – to understand what has occurred, the how and the why, so we can then reflect on what it all means.

Mossack Fonseca is a Panama headquartered law firm that had offices in over 30 countries and employed over 500 staff. It specialises in providing commercial, trust and taxation advice to wealthy clients and was extremely successful in terms of its client base and revenues. In April it became public knowledge that its email server had been hacked and that a person or persons had stolen 11.5 million documents that covered the period 1970 to 2015; these are the so-called “Panama Papers”.

The hacker gave all the data to the International Consortium of Investigative Journalists (ICIJ) after the latter agreed to certain conditions which the hacker had apparently negotiated with the ICIJ.

The revelations that have followed relate principally to the off-shore shelf companies set up by the law firm for various clients from all over the world; in various tax havens like the British Virgin Islands, Panama and the Seychelles.   The firm claims it has acted legally and properly but the documents raise very significant questions about the fine line between tax avoidance – legally seeking to minimise tax – and tax evasion – breaking the law of one or more jurisdictions to avoid tax liabilities.

The US Treasury has asserted that Mossack Fonseca‘s US clients have avoided paying somewhere between $40 to $70 million US dollars of tax each year for the last 30 or so years. As a consequence, President Obama and Treasury announced a raft of new legislative measures to try and close a number of tax loopholes identified in the papers.

The Australian Taxation Office is reportedly investigating over 800 Australians who had their off shore commercial arrangements included in the revelations. There is no suggestion that all of these people or companies are involved in illegal behaviour. However, Fairfax Media has alleged that 80 of these Australians are identified in the Australian Crime Commission (ACC) data base for persons known or suspected of being involved in serious and organised crime.

The Australian Tax Commissioner, Chris Jordan, is playing a lead role engaging with approximately 30 foreign taxation agencies to coordinate an international investigation to prosecute tax cheats identified by the Panama papers. The Australian Tax Office (ATO) has established a Serious Financial Crime Taskforce and established information exchange arrangements with around 100 foreign tax agencies.

The documents have proven to be a veritable bombshell and presumably have had the effect desired by the hacker. While the identity of that person is shrouded in mystery, we have been told by the ICIJ he or she was motivated simply by a desire to expose and stop tax cheats.

This is where the whole matter gets seriously intriguing. Some journalists have speculated this hacker is actually a foreign intelligence service and the Russian and US intelligence services have both been mentioned as having possibly orchestrated the public disclosure of the Panama Papers. The potential motivations that might have prompted such an intelligence operation are potentially credible but are certainly not conclusive.

One hypothesis that has been mentioned is the Russians may have been directed by President Putin to undertake the hack and released the data due to his anger over continuing western allegations that he and his so called cronies are corruptly accruing billions of dollars of assets. Some others have claimed that US intelligence services might have done it to expose the proliferation of international tax cheats and provide a basis for legislation to be put to Congress to close longstanding US tax loopholes.

In both instances, it seems a rather long bow to draw and frankly, I don’t regard either theory about covert intelligence operations as being particularly strong. However, it does highlight the problem when a server is hacked, sensitive information is stolen and then released publicly without a “whistle-blower” being identified and the claimed motivation being assessed as genuine.

We should also consider the legitimate question, could a hacker have materially benefited from the disclosures?   Certainly some of the material released has impacted the share price of a number of companies in different bourses around the globe. It is possible someone could have shorted a number of shares to benefit from stock price movements that could have been quite reasonably anticipated by the hacker prior to passing the data to the ICIJ.

Unsurprisingly, there has been significant damage done to Mossack Fonseca and its business; its principals and its employees. Is it deserved? That’s an interesting ethical question and probably only time will answer it fully. Certainly one of the key determinants will be to monitor how many of its clients are subsequently convicted of criminal charges relating to frauds, tax evasion or money laundering.

Certainly there has been widespread public outrage at the nature and extent of the tax avoidance the firm has coordinated. But, as the ATO Commissioner has publicly reaffirmed, minimizing taxation is not illegal. Tax evasion is of course illegal and, again, it will be important to see how many of its clients are proven to have had that intent.

There is another key aspect for which Mossack Fonseca might not be entirely responsible or accountable and that involves allegations that numerous organised crime figures engaged it to park their cash and assets in tax jurisdictions away from the eyes of law enforcement agencies. Provided Mossack Fonseca did reasonable due diligence checks prior to signing new clients, which it claims it did, then it has no or only indirect culpability. But did it do professional due diligence checks on aspiring clients?

Due diligence by banks and law firms involved in significant international commercial transactions is a key tool in global efforts to prevent and detect money laundering. Some companies take it quite seriously but frankly, some companies do the bare minimum to satisfy the relevant regulators.

Our company, Intelligent Risks, has been continuously involved in undertaking international due diligence checks for corporate clients for the last 15 years. There are obvious challenges in doing a due diligence enquiry on an individual or a company in certain jurisdictions; such as China, Iran or Indonesia. There is usually a requirement to do criminal and civil court searches and identify independent and objective referees. You also need to do the enquiries in the predominant local language.

Imagine our shock when the director of a large and quite well known forensic accounting practice confidently told me his firm were managing off-shore due diligence checks for their clients by doing English language internet searches from their Australian offices. This is absolutely inadequate and a complete travesty!

It will be very interesting to assess the effectiveness of the due diligence framework and processes Mossack Fonseca used before signing up and acting for new clients.


And of course there is another very significant element to the Panama Papers affair, one that has had minimal publicity to date. Someone illegally hacked a server in a law company and stole the data. Unquestionably, the ICIJ has rationalised this fact in the firm belief the disclosures are in the public interest and reveal, in its view, significant criminal activities. However, nobody has alleged all the persons and companies that were, or are Mossack Fonseca clients, are engaged in tax fraud or other torts. There are certainly persons whose privacy has been completely compromised who were acting legally and properly. The family of David Cameron, the British Prime Minister, was certainly in that category of Mossack Fonseca clients; and they were not the only ones.

We are in an era of sophisticated hacking and significant international ‘whistle-blowing. The most prominent case involved Julian Assange, WikiLeaks and, Bradley Manning. Some of those disclosures caused serious damage to national security in the US and elsewhere, including some damage to Australia’s national security. The release of intelligence by Edward Snowden, much of it publicly through media organisations, but some particularly sensitive material was allegedly passed direct to the Russian government, has caused incalculable damage to western security.

And most recently, sophisticated hackers were able to compromise the international banking transaction processing system, SWIFT, and successfully steal around US$100million through a series of cut-out companies and accounts. A violence free and brazen heist of major proportions and a criminal operation that has stunned central banks around the world.

Another case with some indirect relevance to these considerations involves two of Australia’s leading investigative journalists, Nick McKenzie and Richard Baker of Fairfax. They are winners of multiple Walkley Awards, the media’s highest accolade for journalists, and they have broken some astounding stories about corporate corruption in recent years. Nick and Richard gained access to a large tranche of electronic data from Unaoil, apparently some tens of thousands of emails. Unaoil, a private firm located in Monaco that principally assists corporate clients to secure hydrocarbon contracts in developing markets, was accused by Fairfax of being the middle man in paying bribes to corrupt officials globally to secure lucrative contracts for its corporate clients.

The intrepid Australian journalists have not revealed their sources but it is clear it involved one or more trusted insiders and, according to Nick “…the sources of this story never asked for money. What they wanted was for some of the wealthiest and most powerful figures in governments and companies across the globe to be exposed for acting corruptly, and with impunity, for years”.

The lesson that governments and corporations can take from all these cases, amplified by the circumstances surrounding the Panama Papers, is electronic data needs to be appropriately protected from hackers and from potential theft by a trusted insider. Cyber crime is markedly on the rise and a company can very quickly have its reputation hurt and its share value adversely impacted if it has sensitive commercial data taken or the privacy of its clients compromised.

In fact, there have been a number of cases in recent months, including at least one case in Australia, where hackers have stolen company data and then demanded an extortion payment to return the data and not misuse it to embarrass and harm the company. And it doesn’t mean the data necessarily indicates any malfeasance or wrong doing by the company. The extortionists are often aware that disclosure will simply dent public confidence in the management of the company and cause reputational harm.

Of course, there are well intentioned, ethical persons who turn “whistle-blower” in protest at the behaviours within certain companies; and it can be argued legitimately they are doing a public service when they expose corporate crime.

However, there are some other so called “whistle-blowers” who are simply disgruntled former or current employees seeking to wreak vengeance on a company they are at odds with; sometimes they have been made redundant or otherwise treated in a manner they regard as unfair and sometimes the person might have psychological issues or have even been dismissed for valid reasons. Then, as we’ve seen in the recent hacking of the SWIFT system, there are also sophisticated criminal cartels at work seeking to defeat electronic security systems – seeking to extort or steal large sums of money.

So, it begs the question, when will we see the next case like the hacking of the Panama Papers? And when will we see another sophisticated heist like the SWIFT case? There is one thing we can be certain of – there will be more cases where these types and companies need to consider the integrity of their systems, processes and behaviours very closely. Cyber crime is one of the fastest growing classes of crime in the world. How well protected is your organisation?

Neil Fergus
Neil Fergus is the Chief Executive of Intelligent Risks (IR); Australia’s leading provider of management services for security, risk and crisis management. He has been involved in the planning and delivery of numerous international major events including eight Olympics. He has been the Security Adviser to the Commonwealth Games Federation since 2004.