In the wake of the headline-grabbing leak of the Panama Papers, banks should prepare themselves for renewed scrutiny of their efforts to thwart money laundering and illegal tax shelters. Additional personal liability risk may also fall into the laps of bank executives and compliance officers as regulators try to get to the bottom of why accounts for corrupt politicians were set up without much or any transparency.

Already, the initial news reports on the cache of 11.5 million documents from the Panamanian law firm Mossack Fonseca have prompted investigations by several foreign governments and may lead to more aggressive regulation.

There are likely more revelations to come. The news reports focus on secretive offshore accounts held by high-profile government leaders that prompted questions over the source of funds. The International Consortium of Investigative Journalists, which has analyzed the documents, says it will release a full list of companies and individuals affiliated with them in early May.

While the focus now is on Mossack Fonseca, the source of the documents, there are other Panamanian law firms in the business of setting up offshore accounts with the same structures, and firms in other jurisdictions that do so as well. In fact, as the Financial Action Task Force emphasized in its 2006 assessment of the United States, a number of U.S. states have laws and regulations allowing citizens and foreigners to establish accounts whose beneficial owners aren't fully transparent.

It's likely we're in for another round of government action on the unregulated "gatekeepers" that have helped create secret accounts and shell companies since the 1940s. Offshore account issues gained attention more recently in 1998 with the case of Citibank's dealings with the brother of a former Mexican president, as well as provisions in the Patriot Act dealing with certain high-risk accounts, and numerous reports issued by the Senate's Permanent Subcommittee on Investigations.

Yet there is some good news from all this. The types of structures Mossack Fonseca sets up aren't necessarily illegal or unethical — as long as they have the appropriate transparency and are used for legitimate purposes. There are a limitless number of such uses. Someone who maintains a yacht in the British Virgin Islands, for example, may need or want an account there to pay the crew. People may want to hold assets overseas to avoid illegal seizure by a repressive home-country government or even devaluation of local currency. There are even well-intentioned reasons for shrouding the identity of account holders, such as reducing the risk of kidnapping for ransom.

But weeding out the illegitimate structures from the ethical ones can be tricky. Where does all this leave financial institutions? Regulatory and law enforcement agencies have a history of taking action after revelations like this. Even the best institutions that believe everything they have done is legal may need to reevaluate their clients, transactions and compliance programs. Institutions that take a proactive stance should be in a much better position than those that take a wait-and-see attitude, even if they already have adequate programs.

First, do an inventory of accounts and use it to quantify exposure and risk. Banks should know which Panamanian companies they're doing business with. They should review the relevant accounts to ensure information on beneficial owners is on file, using enhanced due diligence if necessary, and that there's proper documentation of sources and use of funds and actions taken regarding noncompliance.

This may take them beyond checking lists to analyzing transactions to see that they're consistent with the purpose of the account and the client's financial capacity. There's also a need to ensure compliance with tax reporting requirements. For U.S. citizens, this includes filing of annual reports required by the Foreign Account Tax Compliance Act, as well as the Report of Foreign Bank and Financial Accounts required by the Financial Crimes Enforcement Network.

Technology can accelerate this process. As compliance professionals saw with sanctions imposed as a result of the Arab Spring, there is likely to be a narrow window for proactive engagement.

Second, banks should assess their management and governance regarding these issues, reviewing policies and procedures, including the length of time they've been in place.

Given the focus on personal liability, institutions may want to get independent reviews, including testing and remediation of due diligence and evaluation of transactions, to better document their compliance programs. All of these steps will help them manage their exposure and reputational risk.

Third, institutions should document these efforts and share the findings with appropriate regulators and law enforcement agencies, such as the Office of the Comptroller of the Currency, the Federal Reserve and state banking authorities. Some examiners are already making inquiries with banks about these issues.

In other words, banks should redouble efforts to do what they should have been doing all along — aiming to ensure full transparency and documentation of their account holders.

Harold A. "Hal" Crawford is a managing director at K2 Intelligence, an investigative, compliance and cyber defense services firm. He can be reached at