Alarm among corporate investigators highlights the danger posed by sweeping privacy rules
Imagine you are a dodgy tycoon called Boris Ripzemov. You crave respectability and a safe home for your enormous fortune. But the banks that once wooed you are asking tiresome questions about how you made your money. The truth is inconvenient: it involves your ties to corrupt regimes and to organised crime. The source of the problem is the corporate investigation outfits that banks hire to do the legwork. The answer is to intimidate them.
The springboard for this is the EU’s General Data Protection Regulation (GDPR), which still applies in Britain post-Brexit. Its aims are noble. The uses to which it is put, less so. It gives sweeping rights: anyone, anywhere in the world, can demand to know what information is held on them.
A fishing expedition under GDPR costs almost nothing: Mr Ripzemov’s lawyers fire off identical requests to lots of sleuthing outfits, asking if they have information on him. Then they launch a salvo of complaints. What data do they hold and why? They must desist, delete it, retract any conclusions drawn and promise never to mention Mr Ripzemov again. The financial damage or emotional distress caused may also merit damages.
This onslaught is daunting. The reports are necessarily confidential. They might include a candid assessment of Mr Ripzemov’s business model by an ex-employee, for example, or eyewitness evidence of him hobnobbing with gangsters. Even with names redacted, Mr Ripzemov can easily guess the sources’ identity. In the corrupt countries concerned, says a sleuth, “it’s easy for people to disappear or something to happen to them”.
But fighting off the attacks is tricky too. The law and the facts may be on the side of the investigators, but Nick Watson of Keystone Law, who defends against such cases, speaks of the “disparity of firepower”. For the likes of Mr Ripzemov, a million-pound legal bill, and the prospect of a bigger one, is nothing. At least when it comes to libel law, media organisations benefit from some free-speech protections, and may have specialist libel insurance (which picked up four-fifths of the £500,000 bill in a case I fought some years ago). Corporate investigation firms — mostly run by ex-journalists, accountants and former spooks — lack these defences. For most of them, the risk of tangling with a billionaire is crippling.
Many note the fate of a British company, S‑RM Intelligence and Risk Consulting, which was asked by Morgan Stanley, an American bank, to investigate a Singaporean property magnate, Arvind Tiku. He has been dogged by controversy surrounding his alleged association with a Kazakh princeling, Timur Kulibayev, who is the son-in-law of the country’s former president, Nursultan Nazarbayev.
After experiencing persistent difficulties in doing business with big western financial institutions, Tiku says his lawyers issued “15 to 20” requests under GDPR. They identified five companies holding data on him — all erroneous, he says. Four backed down without a fight. S‑RM eventually published a grovelling retraction, citing the fact that Swiss and Kazakh authorities had investigated Tiku’s business dealings but brought no charges. It promised to delete the data collected, accepted the allegations were false and informed its clients of this finding. There is no suggestion of wrongdoing on Tiku’s part, or that of his lawyers, Carter-Ruck. He did not pursue his attempt to bank with Morgan Stanley: “Life moves on,” he says.
But the encounter has certainly left S‑RM gun-shy. When I sought comment, the company’s compliance department vetoed even a background discussion of the issue. Nobody in the industry wanted to talk publicly about these difficulties either. Fear of retribution by deep-pocketed foes runs deep.
The effects of all this are dire. Our efforts to counter money laundering are only as strong as the weakest links in the chain. These tactics make them still weaker. Sophisticated financial institutions may ignore arm-twisted retractions. But those that simply need a box ticked will not.
The underlying problem is that the law imposes strict duties on financial institutions to check out new customers, while shielding the personal data that would provide the answers. Some suggest the solution is to regulate the private intelligence industry, offering legal protection in return for higher standards. In some American states, licensed private investigators enjoy privileges such as exemption from loitering laws. This world certainly has its share of sharks and phonies. But as with journalism, sleuthing is a trade that resists statutory definition.
Another option is to shift the responsibility for compliance with data-privacy rules on to the financial institutions. The banks have deeper pockets, and can argue more strongly that their legally mandated investigations are necessary and proportionate. The law could state specifically that anyone conducting an investigation on behalf of a regulated financial institution is shielded from GDPR fishing expeditions: the economic crime bill before parliament could do that neatly. The same effect could come from someone fighting a case all the way to the Supreme Court and gaining a definitive ruling on the relative importance of protecting privacy and checking probity.
The best and toughest solution would be to make lawyers check out their clients properly. The provision of legal advice is not covered by the same anti-money laundering checks that (supposedly) apply for transactions. If the Ripzemovs of this world cannot get lawyers in the first place, they will find it far harder to use the law to cudgel their critics.
Full original story: Legal cudgels help the rich dodge scrutiny