The Panama Papers Playbook for Future Response


The Panama Papers Challenge

As widely reported, on May 9, 2016, the International Consortium of Investigative Journalists (ICIJ) released a database on its website containing information pertaining to approximately 214,000 offshore companies (the ICIJ database) based on more than 11.5 million documents that had been leaked to the ICIJ from the files of the Panamanian law firm Mossack Fonseca. The leaked documents–dubbed the Panama Papers–are reported to date back more than four decades and allegedly reflect Mossack Fonseca’s involvement in assisting in the creation of secret shell companies and offshore accounts, often for prominent persons, including in connection with alleged illegal activities.

The ICIJ network of investigative journalists collaborates on investigative reporting in over 65 countries, and in the immediate aftermath of their release of the Panama Papers, there was a flurry of news stories by media organizations across the globe. Journalists reported on the use of offshore companies by politicians and their families, entertainers and athletes, as well as persons who are alleged to be involved in criminal activities, including corruption and the evasion of economic sanctions restrictions.

Given the regularity of the occurrence of events such as the release of the Panama Papers, it is important to explore the challenges such events present to financial institutions and examine how financial institutions have responded. These responses can then be used by financial institutions as a “playbook” for future responses to similar events in order to identify and mitigate risk. Another recent example was the ICIJ’s September release of files relating to approximately 175,000 offshore companies formed in the Bahamas that allegedly involved politicians, among others.



How Have Financial Institutions Responded to the Release of the Panama Papers?

Many financial institutions launched immediate responses to the ICIJ release in order to assess their risk exposure to the release of the Panama Papers. These were, in particular, companies that offered products and services likely to have been used by customers operating through offshore companies. These financial institutions took measures to:


Identify internal parties responsible for responding to the release;


Establish lines of communication and reporting;


Conduct searches against customer databases and perform investigations of apparent matches; and


Report such findings to relevant internal and external parties.

KPMG recently surveyed a targeted group of compliance and risk professionals, mostly from international financial institutions based in a variety of jurisdictions, in order to understand how these institutions have responded. Most responding financial institutions (which are of varying size, geographic reach and customer bases, and offer a variety of different products and services to their customers) reported that they were actively reacting to the release of the Panama Papers. In addition, their institutions’ Anti-Money Laundering (AML)/Financial Intelligence Unit (FIU) or Compliance Departments were leading the response with active input from senior management and/or the Board of Directors.

Beyond that, however, the survey results were varied and reflect that there has been no one standard approach to addressing the risks presented by this massive leak of information, but rather that institutions have taken an array of approaches in their responses. For example, while most respondents indicated that they were unsure if they would need to bring in additional resources, some indicated that they would need to add staff in order to supplement their existing task force/response team conducting the Panama Papers review. Similarly, some respondents indicated that they had sought, or intended to seek, external assistance, primarily with developing their response strategy and/or in performing data enhancement and data analytics. Such data analytics would be deployed to facilitate the search of names against their institution’s customer database and reduce the volumes of false positive matches.

The survey posed a number of questions focusing on the breadth of the searches conducted by respondents against their customer database, including whether the institution was conducting searches on an enterprise-wide level or if the institution was applying more of a risk-based approach and only targeting specific groups of customers, business lines and/or other counterparties. At a high level, more than half of all respondents indicated that they were not applying a risk-based search approach in assessing their exposure.

Of those surveyed who indicated that the institution was applying risk-based search techniques, varying approaches were reported. Perhaps this reflects the fact that the Panama Papers date back as far as four decades and contain information relating to now-defunct entities. In fact, some financial institutions stated that they were only screening against individuals and/or entities indicated as active and/or in good standing in the ICIJ database. About one-third of the responses reported searching their customer base only against names included in media reports relating to the Panama Papers and not the full ICIJ database.

Further, while about one-quarter of financial institutions reported performing full searches of their customer base against all of the names in the ICIJ database, others employed more targeted risk-based approaches, in which they only searched against active customers, high risk customers, or customers from higher risk jurisdictions. KPMG also queried institutions regarding whether their Panama Papers response methodology included searching for potential matches at an enterprise-wide level for all customers, related parties, employees, vendors and other counterparties, or if the institutions were taking a more limited approach. The results were varied with most respondents searching against customer lists, and then smaller numbers of respondents screening the ICIJ database against names of directors, employees, joint venture partners, agents, vendors, and potential acquisition targets.

Finally, in the months since the release of the Panama Papers, respondents reported that the release has impacted them: one-quarter of those surveyed reported that they had filed suspicious transaction or activity reports, and over half of all respondents indicated that they have been contacted by regulatory/law enforcement authorities regarding their response to the Panama Papers leak.

Response Playbook

The release of the Panama Papers comes in the wake of many recent international financial scandals. Financial institutions have become well aware of the financial, reputational and regulatory risks linked with being associated with alleged or actual misconduct from these incidents. Such events are often hard-to-predict and can strike with very little notice. As such, in order to respond to events such as the Panama Papers, an immediate cross-functional and cross-organizational response is generally recommended. Financial institutions that serve customers or geographies that are likely to be impacted by the event are encouraged to take immediate action to, at a minimum, understand their risk exposure to the event. As financial institutions plan for this type of exercise, some response steps are:



Establish a strategic approach: Crisis response can be won or lost in the initial days of strategic planning. In order for a financial institution to assess its potential AML or sanctions risk exposure, response leaders first need a clear plan. To the extent that they exist, pre-existing crisis management protocols help to quickly initiate the response. Further, an awareness of the institution’s technology and customer data infrastructure and any limitations in that infrastructure will also help the response leaders to set reasonable expectations and understand what can be achieved.

At this stage, response leaders should clearly define how broadly the institution wants to “cast its net” for direct and indirect exposure to persons or entities at issue in the release of information. This decision will be based on a number of factors, including the institution’s risk tolerance, dialogue with the institution’s regulators and/or knowledge of regulatory expectations, resources that can be allocated to the exercise, technology capabilities, and desired timelines for completion. For example, an institution may initially decide to only conduct a targeted search for direct exposure to named individuals and entities against the institution’s internal customer database(s). In contrast, other institutions may elect to conduct a more expansive search that also includes a search for additional customers or parties who—while not named—may be indirectly related. Whatever the decision, institutions should clearly define the parameters for review. To the extent that parameters need to shift, the response leader should consider how to address this and document the decision to modify the search scope.


Identify the customer population and perform data scrubbing: Once the scope of the search is determined, data analytics can be used to query the institution’s internal customer database against the names of individuals and entities at issue. If the volume of names to be searched is high, as was the case with the Panama Papers, there will likely be a high number of potential matches generated by conducting a direct name search. Such potential matches will need to be reviewed in order to assess whether they are true matches or false positives. The use of additional identifiers (such as addresses, jurisdictions and birth dates, if available) in a search may help to eliminate obvious false positives so that the response team is more effectively utilized to review higher risk potential matches. For events that involve extended periods of time, the institution should also consider whether it will search against all customer records or if it will confine the search to active customers. In events where there are high volumes of names to be screened, institutions should assess whether a tiered approach should be considered in order to first review for customers with the highest risk factors.
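An added example, not part of the original article, of the search described above: a direct name match against a leaked list, with jurisdiction and birth date used to discard obvious false positives, an optional restriction to active customers, and a two-tier ordering for review. The record layout, field names, tiering rule and sample data are assumptions made for illustration.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Party:  # assumed record layout, shared by both lists
    name: str
    jurisdiction: Optional[str] = None
    birth_date: Optional[str] = None  # ISO date, if available
    active: bool = True
    high_risk: bool = False

def normalize(name: str) -> str:
    """Fold accents, case, punctuation and word order ("Doe, Jane" == "Jane Doe")."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    return " ".join(sorted(re.findall(r"[a-z0-9]+", text)))

def screen(customers, leaked, active_only=True):
    """Return (tier, customer, leaked_name, identifiers_confirmed), tier 1 first."""
    index = {}
    for entry in leaked:
        index.setdefault(normalize(entry.name), []).append(entry)
    hits = []
    for cust in customers:
        if active_only and not cust.active:
            continue  # scope decision: active customers only
        for entry in index.get(normalize(cust.name), []):
            pairs = [(cust.jurisdiction, entry.jurisdiction),
                     (cust.birth_date, entry.birth_date)]
            known = [(a, b) for a, b in pairs if a and b]
            if any(a != b for a, b in known):
                continue  # an identifier contradicts: obvious false positive
            confirmed = len(known)
            # Tier 1: high-risk customer or at least one identifier agrees.
            tier = 1 if (cust.high_risk or confirmed) else 2
            hits.append((tier, cust.name, entry.name, confirmed))
    return sorted(hits)

# Constructed sample data, not real ICIJ or customer records.
LEAKED = [Party("José Alvarez", "PA", "1961-04-02"),
          Party("Northwind Holdings Ltd.", "BS"), Party("Jane Doe", "VG")]
CUSTOMERS = [Party("Jose Alvarez", "PA", "1961-04-02"),   # identifiers agree
             Party("Alvarez, Jose", "ES", "1985-11-30"),  # same name, other person
             Party("NORTHWIND HOLDINGS LTD"),              # name-only match
             Party("Jane Doe", "VG", active=False)]        # closed relationship

if __name__ == "__main__":
    for hit in screen(CUSTOMERS, LEAKED):
        print(hit)
```

Name-only matches are kept at tier 2 rather than dropped, because a missing identifier does not clear a customer; only a contradicting one does.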


Remediate identified customers and perform a transaction review: Once a population is established, the next step is to clear any false positive hits and then investigate apparent matches to parties at issue. Such remediation consists of a number of actions. First, the institution should assess the nature of the information contained in the release as it relates to the institution’s customer. While it is expected that there will be instances in which information published in the release will raise immediate regulatory or reputational concerns and require a prompt response, in other instances the information may not present such concerns. Based upon the information disclosed in the event regarding a customer, the financial institution should assess whether its Know Your Customer (KYC)/Customer Due Diligence (CDD) files for that customer need to be updated. The institution should then evaluate the customer’s transactions within a specified timeframe in order to assess for possible suspicious activity in light of the information available from the release of information (as supplemented through external research as well as from follow up with the customer, as appropriate). As part of the transaction review, the institution will also need to assess whether a suspicious activity report should be filed and/or whether the customer relationship should be exited.



Use of technology to enable the remediation and transaction review/look-back: Technology can greatly streamline remediation efforts. In addition to helping manage false positive volumes, technology can be used to ingest and review structured (e.g., customer reference databases) and unstructured data (hard copy KYC files) to facilitate the review of large amounts of data and documentation by scanning for certain prescribed characteristics in order to narrow the pool of customers that present escalated risk requiring manual review. Technology can also be used to aid the transaction analysis by reviewing large volumes of transactions against pre-determined rules or typologies in order to assess for possible suspicious activity. Further, there are a number of case management and workflow tools that can be deployed in order to facilitate the review of specific customers and transaction activity.


Continuous Feedback: Financial institutions should establish lines of communication to ensure that key parties, including the Board of Directors/senior management, regulatory authorities and other key stakeholders are informed of material issues as they are identified. In addition, as the search and transaction review progresses, lessons learned should be identified and assessed and, as appropriate, corrective actions taken in order to strengthen KYC/CDD policies and procedures, transaction monitoring, and training going forward to mitigate future risks to the institution.

The Way Forward

The release of the Panama Papers challenges financial institutions to better understand how their customers operate, their business purpose, and to make sure that transactions appear to have a legitimate business purpose. In the absence of specific regulatory guidance on how to address the risks presented by the Panama Papers leak, it is understandable that differing institutions–with varying risk profiles and risk tolerances–would adopt varying approaches. Given the increasing frequency with which events such as the Panama Papers seemingly occur, the response “playbook” that financial institutions have developed in order to respond to such incidents is becoming increasingly important. As such, the varied actions that institutions have taken in response to the release of the Panama Papers may serve as useful models in helping other institutions tailor their responses to future similar events. By responding in a timely and thorough manner, a financial institution can do much to identify, quantify, report and further mitigate the risks presented by exposure to the event. Further, by taking prompt action, the institution will help to position itself such that it has a good understanding of its risks, has informed key stakeholders, and shapes the message and/or response to third party inquiries regarding its involvement with those named in the release.


ROBERT SKRZYPCZAK is a Principal in KPMG LLP’s Regulatory Enforcement and Compliance network. He has more than 25 years of experience working as a risk and compliance professional. Prior to joining KPMG in 2011, he spent six years as America’s regional head of anti-money laundering for a large global European bank. In this role, he was responsible for the bank’s enterprise-wide anti-money laundering and sanctions compliance in the U.S. He was also responsible for coordinating AML coverage for the bank’s businesses in Latin America, the Caribbean, and Canada. Reach him at

TERESA PESCE is the leader of KPMG’s Regulatory Enforcement and Compliance network and Global Head of Anti-Money Laundering Services. Before joining KPMG, Teresa was AML Director for the North American operations of a global bank. She also served as an Assistant United States Attorney for the Southern District of New York. She spent about 11 years in the U.S. Attorney’s office, rising through the ranks to become Deputy Chief of the Criminal Division and Chief of the Major Crimes unit. Reach her at

BRIAN MOON, manager in KPMG’s Forensic Advisory Services, also contributed to the article. Reach him at


