The "Pandora Papers", a global investigation by the International Consortium of Investigative Journalists (“ICIJ”), revealed on Sunday the latest and largest financial data leak in history. With over 11.9 million confidential records amounting to 2.94 terabytes of data, the leak includes information gathered from 14 offshore financial services industry firms containing information on more than 330 politicians and public officials, including 35 current and former country leaders. While the leak exposed the numerous assets and wealth connected to people and companies accused of fraud, bribery, and human rights violations, the investigation further revealed the complex data privacy issues faced by the financial services industry.
Privacy, Secrecy, and South Dakota
The Pandora Papers gathered data from text documents, including passports, bank statements, tax declarations, company incorporation records, real estate contracts, and due diligence questionnaires maintained by financial services firms. The collection and maintenance of such personal information is a common occurrence in the financial services industry; the disclosure or unauthorized use of this data however, is prohibited. Generally, the maintenance of personal information equips financial services institutions with endless benefits. Due to the value placed on this data, financial services firms are inevitably at risk of data breaches and subject to leaks such as the Pandora papers.
For instance, during the ICIJ’s investigation, reporters were able to identify files that contained beneficial ownership information and link beneficial owners to the companies. Notably, ICIJ researched and analyzed the use of U.S.-based trusts, identifying more than 200 trusts settled, or created, in the U.S from 2000 to 2019, with the largest number registered in South Dakota. Like many states, South Dakota follows a sectoral approach when it comes to data protection laws. This framework protects personal information by enacting laws that address a particular industry sector but fails to offer a data protection authority. Critics of this framework have expressed concern regarding the regulatory gaps that emerge as a result. Nonetheless, South Dakota has positioned itself as an attractive option for individuals looking to establish trusts, with state-level laws that have abolished the Rule Against Perpetuities, no requirement for trust documents to be filed publicly, and no state tax on income or capital gains.
The Pandora Papers revealed information regarding U.S.-based trusts registered in South Dakota and appear to be linked to individuals or companies accused of misconduct overseas—calling to question the states’s tax haven policies. While pulling back the curtain on South Dakota has exposed the state as a top destination for wealth migration, the leak also revealed the type of sensitive personal information that is at risk during a breach. To perform the analysis of U.S.-based trusts, ICIJ manually gathered information on trust settlors, the beneficiaries, and the assets held by the trusts. Using this information, ICIJ was able to identify and gather data on trusts from 15 U.S. states and the District of Columbia. For legitimate business owners and multinational corporations, unauthorized access of personal financial information violates their reasonable expectation of an appropriate level of privacy security, making them prime victims of theft and fraud.
Although the financial services industry is subject to a wide range of government regulations, the U.S. trust industry is not as widely regulated as other areas of the industry. Since the release of the Pandora Papers, state lawmakers have been seeking comprehensive data protection and privacy regulations to address this issue. Recently, a bipartisan bill titled the Establishing New Authorities for Business Laundering and Enabling Risks to Security (ENABLERS) Act introduced on October 6, 2021. If passed, the Enablers Act would close many of the loopholes used by accountants, public relations firms, art and antiquities dealers, investment advisers, and some lawyers. Anti-corruption experts said the leaked revelations published by ICIJ expose many professions that the Enablers Act now seeks to regulate.
For financial services providers suddenly facing privacy threats with no legislative guidance, their success in states like South Dakota requires intensive self-regulation. Self-regulation, similar to government regulation, can occur through the three separation-of-powers components: legislation, enforcement, and adjudication. Providers must balance confidentiality alongside efficiency by paying close attention to currency transactions, transportation of monetary instruments, and the purchase of currency-like instruments. Furthermore, in light of the Pandora Papers, financial experts advise the U.S. trust industry to implement a policy of investigating and turning away clients whose wealth was amassed amid credible accusations of crimes or human rights abuses or through ties to corrupt regimes.
Given the vast amounts of personal data processed by financial services institutions and their third-party vendors, the financial services industry is the richest source of personally identifiable information—both general and financial. Consequently, collecting and maintaining this data has made the financial services industry a primary target for data breaches and leaks such as the Pandora papers. Therefore, financial services providers must carefully examine their practices with personal information and ensure privacy security and compliance.
Recognizing success in the financial services industry requires effective information management that addresses the legal and reputational risks while using information appropriately to meet the organization’s goals. As regulators at both the federal and state levels work to create a uniform data privacy standard, below are recommendations that financial services providers can utilize to address the current data protection and privacy issues:
- Financial services should maintain a comprehensive data privacy program in an organizational setup that allows for:1) Identifying and classifying sensitive information; 2) Scaling down the accessibility of information through data monitoring as well as identity and access management solutions; 3) Safeguarding information through a variety of data security controls and advanced technologies such as encryption, tokenization, and data masking; 4) Having a clear data disposal policy in place 5) Planning for a security breach by having a contingency breach response plan.
- Federal laws and regulations in place that apply to how banks and financial institutions manage consumer privacy may be utilized as guidance. This guidance includes the Gramm-Leach-Bliley Act, which is enforced by both the Federal Trade Commission and the Consumer Financial Protection Bureau. Many financial institutions in the US are also using the California Consumer Privacy Act as a stepping stone for building out their compliance strategy. Rather than focusing on applying rules where they are currently relevant, these companies are proactively working to enable broader implementation and the flexibility to adjust course as new regulations arise.