This article was originally published in the Step Journal, Issue 4 2025.
There is a general public perception – magnified and incited by special interest groups – that advisors operating in the Crown Dependencies and other offshore territories are working to assist their clients in an unethical and secretive manner. Indeed, the 2018 documentary on the Panama Papers alleges that: ‘The offshore world is a complex maze designed to hide wealth and avoid taxes.’ As a result of this perception, those operating – and advising – in these jurisdictions are under increased scrutiny. If caught up in a data leak, they may face investigations, media coverage, and commercial and reputational damage. So, how can advisors in the Crown Dependencies and other overseas territories protect their own business and reputation when their client, and possibly they themselves, are caught up in leaked documents – and how can any risk be mitigated?
Sources of a leak
Data breaches and cyber-attacks have hit the headlines over recent weeks, with major retailers being severely impacted. By extension, so has their customers’ data. Unfortunately, our necessary reliance on digital systems means breaches in data security are becoming more and more common. Major data leaks in recent years have shone a light on the Crown Dependencies in particular.
From insider threats to cyber hackers, there are several avenues by which client information can find its way into the wrong hands. This is all against a backdrop of increased interest in these types of clients, and a willingness among publishers and others to rely on and publish information and documents that are illegally obtained. In many cases, insufficient compliance and data protection practices are the root cause, and as such, these areas fall under more scrutiny.
When a client is caught up in a leak, it brings (often unwelcome) public attention to successful individuals, many of whom prefer to live and work privately. In recent years, prominent figures such as politicians have been cancelled publicly due to being included in leaked documents. Simply by being named, they may be unfairly perceived to be involved in unethical activity.
But in the wake of major breaches such as the Paradise Papers or Pandora Papers, the fallout hasn’t been limited to the clients named in the leaks. Just by association, advisors may find themselves in the spotlight too, dealing with consequences that extend beyond their client’s crisis.
Databases, investigations and John Doe orders
It’s become increasingly easy to connect advisors operating in the Crown Dependencies or offshore to their clients, thanks to the development of a substantial online database in which the hundreds of thousands of leaked documents from major breaches over the last decade can be found. Somewhere in the region of a trillion searchable documents can be accessed.
Despite the fact that most, if not all, of these documents were obtained illegally, we are aware that governments, banks, intelligence firms, NGOs, and the media use this database as a crucial source. Indeed, it’s become clear that in recent months, a number of different parties are reviewing these hacked and leaked confidential documents to identify potential targets for investigations by government justice departments, tax authorities, NGOs, media organisations, private investigators and other special interest groups.
Numerous advisors are mentioned within the leaked documents, including many from Jersey, Guernsey and the Isle of Man, and they have found themselves caught in the crosshairs of investigations as a result. We’ve seen this play out in the aftermath of the various ‘papers’ leaks, when advisors from law firms, trust companies, wealth management firms and banks were targeted in legal actions – with some firms shutting down completely due to regulatory pressures.
NGOs have extensively investigated the financial practices of the Crown Dependencies and other overseas territories in the aftermath of major data leaks. Indeed, there’s been a substantial recent increase in the IRS’s use of John Doe orders, deployed to target advisors and trust companies in order to access information on their clients with the aim of instigating enforcement proceedings. In these cases, the relationship between the advisor and client had been made public through a leak. John or Jane Doe orders (used to seek information about individuals whose identities are unknown) have also been used against law firms, trusts and tax advisors to compel them to disclose further client names and information about their offshore holdings.
Being involved in such investigations will undoubtedly have an impact on both the client and their advisor – as well as the advisor's wider practice. And in the world of law, wealth management and finance, reputation is everything. It also creates a tension between regulatory obligations to keep client names and information confidential and pressure and court orders to disclose such information. The advisor is then caught between a rock and a hard place.
A bigger target?
When an advisor is named in a leak, they are immediately linked to their wealthy clients and, as such, a target is drawn on their back. If they’re tied to high-net-worth clients in the public eye, their profile is raised even further. Hackers and bad actors may see them as a valuable access point, looking for ways to exploit their position to access even more sensitive information. As custodians of multiple clients’ sensitive data, advisors can often be the weak link in the chain and a good target.
Advisors themselves are often financially successful, making them an attractive target in their own right. For advisors acting in a fiduciary or trustee capacity, being linked—even tangentially—to leaked information can raise their public profile in unwanted ways. Trustees, who are responsible for managing their clients’ assets, can be especially vulnerable, as custodians of wealth and by nature of their close relationships with clients and their families.
Certain jurisdictions, for example those with political instability, have higher risk factors for advisors whose information could be available to the authorities, given the capricious nature of their governments. If you’re a trust company, law firm or advisor in regions such as Latin America, and your information is exposed, there are serious physical security considerations.
Trust and reputation
A leak can have a lasting impact, not just on the current client roster, but on the ability to attract new business. Even clients whose names weren’t included in the leak may start to question the security and integrity of their advisor’s services, affecting client retention and deterring new clients from instructing the advisor. In jurisdictions like Jersey, Guernsey, and the Isle of Man, where client confidentiality is paramount and reputations are built on discretion, this kind of exposure can be particularly damaging.
If it is the advisor’s systems which are hacked, a tension opens up between the client and the advisor, who, entrusted with sensitive personal and financial information, is expected to safeguard clients’ data with the highest level of confidentiality. A data leak not only jeopardises the client’s security but can also undermine the trust that is essential for effective advisory work.
Aside from the reputational consequences, the business impact of being named or referenced in a leak can also be serious. Financial institutions may blacklist advisors suspected of facilitating offshore schemes, despite all being above board. On top of that, a leak can make it harder to onboard potential new clients, who may hesitate to trust a firm that has been exposed in such a high-profile manner. Dealing with the effects of a leak can also be costly and time-consuming: the legal battles, cyber and IT costs, reputation management efforts, and time spent managing the fallout all take a toll on a firm’s resources.
How to mitigate risk
Clear and concise communication:
Expect that any document – or any email – could become public. Keep communications clear and ensure your words can’t be misconstrued or misinterpreted.
Information management and hygiene:
Only hold the documents and information that you need currently. If there is a need to store others for regulatory reasons, use a separate system. Don’t allow all staff to access all parts of the system; give each person access only to the matters or parts that they need to do their jobs. This will limit exposure if an individual employee is hacked. Any documents that are no longer needed should be deleted promptly.
Legal and compliance readiness:
Ensure all processes are completed as necessary, including sufficient due diligence on clients.
Crisis management plan:
Readiness is key. Prepare a plan for a leak, including clear responsibilities of key people, and communications to be sent to stakeholders if a crisis does occur.
Proactive cybersecurity measures:
Regularly evaluate and test your infrastructure, scoping out vulnerabilities and training staff on best practice.