Article

Trouble in paradise: how a Bermuda data leak exposed the missing link in SAR reporting

Just 18 months after the Panama Papers electrified financial media, the recent Paradise Papers leak has recast the spotlight on offshore bank secrecy, revealing lingering voids in Ultimate Beneficial Ownership (UBO) screening.

In November 2017, the International Consortium of Investigative Journalists (ICIJ) began to publish 13.4 million documents leaked to German newspaper Süddeutsche Zeitung, many of which were linked to Bermuda-based law firm Appleby and corporate services provider Estera. This data dump exposed the offshore interests of multinational corporations and high-net-worth individuals and celebrities, along with the organizations that advise secrecy-seeking clients.

This “trouble in paradise” also revealed the nontransparent ownership and tax structures used by more than 120 politicians and world leaders, including 13 advisers and key associates of an elected U.S. official.

Documents show that Appleby devised and incorporated a hidden “constellation of companies” to help a key U.S. official disguise his ownership stake in Navigator Holdings – “a shipping firm with business ties to a Russian oligarch subject to American sanctions.”

Beyond the anti-money laundering (AML) questions raised by the opaque corporate structures this official used to circumvent U.S. sanctions, regulators are carefully probing loan agreements, bank statements, emails, and trust deeds revealed by the leak for evidence of tax evasion and other financial crimes.

Exposing the complex architectures of trusts, foundations, and shell companies, going back as far as seven decades in some cases, the Paradise Papers highlight the operational challenges that financial institutions (FIs) face when verifying UBO data.

UBO implementation challenges
According to Thomson Reuters 2017 U.S. Anti-Money Laundering Insights Report, the top-three most frequently cited UBO operating challenges include: The inability to validate information, the increased length and complexity of the onboarding process, and difficulties in keeping the information timely.

Verifying information is difficult because roughly 90 percent of financial institutions rely on customer self-reporting as their primary means of UBO diligence, which poses significant counterparty risk to financials. The survey also revealed that the second most utilized UBO diligence resource was corporate registries.

But when it comes to conducting UBO diligence in offshore contexts, corporate registries are unreliable, because only 39 and 48 percent of these databases publish shareholder and manager data online, respectively.3 Additionally, registration data for private companies is even more scant.

While ownership data collection typically occurs during the client onboarding phase, Phil Cotter, the managing director of Thomson Reuters Risk business, says, “the task of continuously monitoring ownership changes and verifying client-provided details can present serious challenges due to the lack of transparency, especially for privately held companies.”

Specifically, Cotter says the lack of transparent databases with meaningful insights about shareholders or managers remains a major blind spot for FIs. This weakness is magnified by the rapidly approaching May 2018 deadline for compliance with the Financial Crimes Enforcement Network (FinCEN) Customer Due Diligence (CDD) Final Rule on UBO data collection.

Compounding the stress of UBO process restructuring is the latest guidance from FinCEN Acting Director Jamal El-Hindi, indicating that UBO data collection should be regulated in a risk-based context. El-Hindi’s language suggests that compliance with the UBO regime could become increasingly open to regulators’ interpretations.

Cost concerns
Inflating compliance spend is also the by-product of malfunctioning risk management processes on an industry-wide scale, where first- and second-line compliance staff allocate 80 percent of their time to issues of “low or moderate materiality, and only 20 percent on critical high-risk issues,” according to McKinsey & Company.5

Nowhere is this imbalance more pronounced than in suspicious activity reporting (SAR) systems, which are so ineffective that an estimated 98 percent of risk alerts generated by FIs are actually false positives, according to Marc Andrews, the vice-president at IBM’s Watson Financial Services Solutions.6

Furthermore, Thomson Reuters AML survey found that 71 percent of survey respondents could not quantify the proportion of false positives their institutions generated, while 78 percent were uncertain about their false-negative rates.

Better UBO screening adds context to SAR reporting
Rampant inefficiencies in transaction monitoring and SAR process illustrate the value of better UBO screening. Specifically, proactive diligence of UBOs and their associated shareholder and legal entity networks, on the front end, can help compliance analysts build a more holistic view of a client’s AML risk profile, thus bolstering future SAR reports.

Consider a scenario where a SAR suspect’s transactional history, analyzed by itself, raised no major flags. But if third-party CDD data identified this individual as an owner, operator or manager of other companies compromised by negative news or other risk factors, these findings would enhance the SAR’s standard of proof.

Thus, more dedicated UBO discovery creates another filter for SAR data, enabling compliance teams to hone in on the most critical risk issues, while supplying law enforcement with more meaningful financial intelligence.

Another compelling use case for UBO insight are correlations between customer transaction histories and changes in customer-account ownership.7 Take a cash-intensive business like a restaurant, for example. A higher volume of cash deposits over a given period may seem slightly abnormal, but on its own, would not offer a compelling standard of proof for investigators.

However, if that spike in cash deposits coincided with a sudden change in ownership or control of the restaurant, and if individuals in those networks were linked to negative news or other risk factors, then the resulting SAR would be significantly more relevant.

By making UBO data the pillar of transaction monitoring and SAR processes, FIs can screen customers in broader network contexts, enabling them to identify AML risks more accurately and efficiently. This framework will also help institutions reduce the backlog of false positive and negative SARs that are draining precious compliance resources.


While complying with FinCEN’s Final Rule continues to pose significant operating challenges to institutions, the Paradise Papers leak serves as a timely reminder that the long-term benefits of CDD diligence far outweigh the costs.

Ready to learn more?

See how Thomson Reuters CLEAR makes it easier to locate people, businesses, assets, and other critical information

Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.