As a result of the 11.5 million document hack of a Panama law firm’s database, law firms and other service providers reassessed their information technology, online client portals and security systems in order to better secure client data. In the context of the global financial milieu, such a detailed evaluation was necessary to ensure that clients with legal purposes for their business conduct were (and continue to be) able to operate in an environment where non-public information is not inadvertently disclosed (which could trigger a series of events in a particular market sector) and confidential transactions do not lose the nature of their privacy where discretion is required (for example, a merger, acquisition or management buy-out). The sequel to the foregoing data breach, now known as the Paradise Papers, illustrates the ongoing challenges facing firms that conduct legitimate business offshore.

Ongoing Challenges

In light of the new data breach, one of the biggest challenges facing law firms is ongoing diligence in maintaining an effective data protection regime. This involves:

**Guarding against technical data security compromises (from e.g. breaches of security architecture, utilisation of software without updated security patches, phishing, intrusion, compromise from failure to establish and enforce effective policies for internet browsing, the use of mobile devices and the use of removable media)

**Guarding against non-technical vulnerabilities such as rogue employees, ineffective password creation protocols, inadequate back-up and recovery procedures and hardware disposal.

For years, firms addressed these challenges in many ways, including the implementation of systems teams with ongoing responsibilities to assess vulnerabilities, establish and review relevant policies and procedures, make recommendations to the firm’s partners, implement agreed programmes and procedures and provide regular reports to the partnership. Simply put, safeguarding client data in light of cybersecurity risks (the same reason data is protected onshore).

The Cayman Islands Regime

In the case of the Cayman Islands, anti-money laundering and anti-terrorist regulations and legislation have been in existence for several years and were revised as recently as 2017 to exceed global standards. This requires robust due diligence procedures (including background checks) to be completed prior to the acceptance of new business and on an ongoing basis. Due diligence must be in place for directors, officers, shareholders and ultimate beneficial owners of relevant entities. Cayman Islands service providers can therefore be expected to “know their client”.

In addition to the know your client regime, the Cayman Islands is a signatory to FATCA and the Common Reporting Standard, all of which have been implemented through domestic regulations and legislation in the Cayman Islands. Cayman Reporting Financial Institutions subject to the foregoing legislation and regulations must submit financial account and other information to the Cayman Islands tax authority, which may then be shared with the United States, United Kingdom and, in the case of the Common Reporting Standard, certain partner jurisdictions. Therefore, full cooperation by the Cayman Islands is currently in place.

Collaboration (through understandings and undertakings) also exists between the Cayman Islands regulator and international regulators. Where the Cayman Islands regulator is satisfied that a request for assistance from an overseas regulatory authority should be granted, the Cayman Islands regulator may disclose information necessary to enable the overseas regulatory authority to exercise regulatory functions, including the conduct of civil and administrative proceedings to enforce laws, regulations and rules administered by the overseas regulatory authority. In some cases, the Cayman Islands regulator may permit the overseas regulatory authority to carry out, in relation to an entity in the Cayman Islands that is subject to its supervision or regulation, an on-site inspection or visit in a manner agreed in writing by the Cayman Islands regulator and the overseas regulatory authority.

In this sense, the Cayman Islands is fully transparent and cooperative.

Full Compliance with Financial Action Task Force (“FATF”) Guidance

The FATF established standards on transparency, so as to deter and prevent the misuse of corporate vehicles. The FATF recommendations require countries to ensure that adequate, accurate and timely information on the beneficial ownership of corporate vehicles is available and can be accessed by the competent authorities in a timely fashion.

According to the FATF paper, the FATF recommendations recognise that there are various sources of beneficial information and that the relevant countries require flexibility in order to properly implement the FATF requirements “in a manner that corresponds with their legal, regulatory, economic and cultural characteristics”.

The FATF paper also acknowledges that the relevant countries would need to apply a combination of mechanisms recommended by the FATF in order to achieve FATF objectives of transparency of, and access to, beneficial information.

In a nutshell, the relevant countries must ensure that:

**Information on the beneficial ownership of a company is obtained by that company and available at a specified location in their country or

**There are mechanisms in place so that the beneficial ownership of a company can be determined in a timely manner by a competent authority

The Cayman Islands adheres to the FATF’s guidance paper. This achieved by a combination of the following:

**Requiring the Cayman Islands company registry to maintain information on each company, including company name, proof of incorporation, legal form and status, address of the registered office and memorandum and articles of association regulating powers and list of directors (all such information is also kept up-to-date and accessible by the Cayman Islands service provider responsible for the relevant client)

**Requiring companies to obtain and hold up-to-date information on beneficial ownership both at the time of the establishment of the entity and on an ongoing basis and to maintain a beneficial ownership register and file that information with the relevant Cayman authority

**Requiring companies to maintain a list of their shareholders or members

**Implementing mechanisms to ensure that companies co-operate with competent authorities to the fullest extent possible in determining the beneficial owner

**Making service providers accountable to the competent authorities in the Cayman Islands for providing such information and assistance

**Additionally, companies and all the persons, authorities and entities mentioned above (or if the company is being dissolved, its administrators, liquidators or other persons involved in the dissolution), are required to maintain the information and records referred to for a minimum statutory period after the date on which the company is dissolved or otherwise ceases to exist


When used properly, the media should be praised when the media disseminates thought-provoking and valuable information. Unfortunately, the media may also be used for “fake news”. In the same way that we should not celebrate fake news, we should not celebrate data breaches. Imagine if all of your medical records were released in this way- you would not be happy.

The truth is that some offshore jurisdictions like the Cayman Islands have stronger anti-money laundering and ant-terrorist financing legislation and regulations than onshore. Investing or raising capital offshore may prove to be more transparent and efficient (and with less red tape) than doing the same onshore. For example, an onshore stock exchange listing may involve more time, complexity and expense or the private placement rules required to be met prior to marketing to an investor located in a particular onshore jurisdiction may be voluminous and difficult to comprehend. Doing business offshore sometimes simplifies some of these matters. However, any streamlining does not mean that due diligence and compliance matters are left unattended or that legal requirements are not being met. It merely means that, in some cases, it is better to conduct business offshore rather than onshore.

About the Author

Alric Lindsay is a Cayman Islands corporate/funds lawyer and an independent fund director approved by the Cayman Islands Monetary Authority and licensed under The Directors’ Registration and Licensing Law. Alric also acts as voluntary liquidator to Cayman Islands entities. Alric can be contacted at