Pandora Papers Explained: How Due Diligence Teams Can Act on Global Offshore Secrets


The Pandora Papers arrived in October 2021, all 11.9 million of them. The reaction was instantaneous: presidents, pop stars, and a slew of discreet lawyers found themselves on front pages around the world. Four years on, the files continue to change the way that regulators, banks, and compliance teams evaluate risk.

In just a few minutes, you’ll see how the leak fits into a decade-long wave of revelations, what’s in the files, and most usefully, how due diligence teams can turn the news cycle scandal into concrete red-flag checks and more reliable onboarding processes.

From Panama to Pandora: How the leaks evolved

The table above shows the scale of data dumps that have rattled the offshore world since the Panama Papers in 2016. Each leak grew not only in size but in complexity, moving from the server of one law firm to a patchwork of trust companies spread across continents. The lesson: secrecy is no longer the preserve of a handful of Caribbean shell company addresses; it is a scalable industry with a global support infrastructure.

Offshore 101: What shell companies, trusts and nominees actually do

An offshore company is a legal entity registered outside the owner’s home jurisdiction, usually in a low-tax or no-tax centre. Used legitimately for cross-border trade or asset protection, it can also be a tool to obscure the real owner when paired with nominee directors and layered trusts.

Shell company: a paper entity holding assets but performing no active business.

Trust: a legal arrangement that hands control to a trustee; popular for dynastic wealth planning.

Nominee director/shareholder: a paid stand-in whose name appears on filings, masking control.

Legitimate uses exist—currency hedging, shipping registries, joint-venture neutrality. Abuse begins when ownership is divided across multiple layers, filings fail to disclose the “controlling mind” or bearer shares frequently change hands.

Well-designed onboarding flows—think OCR-powered document capture to reduce manual entry errors—let compliance teams spot inconsistencies before they snowball.

Who showed up in the Pandora Files? 

Politicians 

The documents reached into cabinet rooms and presidential palaces alike, naming sitting and former heads of state alongside hundreds of other public officials. The playbook was familiar: special-purpose vehicles in London to hold property, and discreet companies in Switzerland to warehouse art. The structures were legal on paper, but they kept ownership at arm’s length from the people making decisions.

Billionaires 

Tech founders and retail magnates appeared for a different reason: convenience and tax planning. Delaware LLCs quietly fronted yacht purchases and other movable assets. A common pattern ran through the paperwork—intellectual property shifted to low- or no-tax jurisdictions and then licensed back to operating companies, turning royalties into a steady, deductible stream.

Celebrities 

Actors and athletes tended to route image-rights income through Bahamian trusts. The aim was predictable: simplify cross-border royalties and protect privacy. Many relied on the same “concierge” law firms that surfaced across multiple leaks, suggesting a small circle of advisers serving a very large client list.

Middlemen 

Behind almost every arrangement stood intermediaries. Fourteen offshore service providers supplied the files, offering shelf companies, nominee officers and introductions to banks. Their templates were reused so often that hundreds of entities shared identical directors and addresses—an administrative shortcut that, to any compliance team, reads like a flashing red light.

Tax havens that continue to be secrecy hotspots

The Pandora Papers revealed not only the extent to which the wealthy have relied on shell companies to conceal their fortunes, but also how and where they did so. Public and regulatory pressure have increased, and in many cases, new restrictions were put in place to deter the use of shell companies for illicit purposes. But those jurisdictions didn’t go away overnight. In many cases, they adapted. 

British Virgin Islands (BVI) 

The BVI continues to be a leading jurisdiction for the establishment of international business companies (IBCs). In 2025, new regulations were put in place that require disclosure of basic ownership information. But nominee shareholders, the middlemen used to conceal ownership, do not have to be disclosed under the new rules. On paper, a step towards transparency. In practice, the true owner is likely to remain off the record.

Seychelles 

A couple of hundred dollars and an internet connection are all that’s required to establish a company in Seychelles. The jurisdiction is a frequent presence on and off the EU’s grey list of tax havens, but low costs and quick online registration continue to be a draw for clients looking for ready-and-waiting structures. The barriers to entry remain low for small operators or one-off transactions.

South Dakota, USA 

Secrecy doesn’t just happen offshore. South Dakota has quietly established itself as a leading asset protection jurisdiction under trust laws that allow wealth to remain untouched for generations. A 2024 legislative review of the state’s trust laws retained most of the privacy features. Today, a foreign national can bring money into a South Dakota trust with more confidentiality than in many traditional tax havens.

Dubai, UAE 

Dubai has one of the world’s best competitive advantages: no taxes and a highly curated global image. Free zones allow company owners to remain anonymous, and while the UAE has introduced transparency regulations, the carve-outs are wide enough to provide cover for most private investors. For those looking for both legitimacy and discretion, Dubai still has it both ways.

Compliance takeaway: red flags detected by investigators 

🚩 Ownership structures with three or more tiers across jurisdictions.

🚩 Directors changing frequently in a period of one year.

🚩 Mailbox addresses used by more than 100 different companies.

🚩 Entities categorized as “dormant” conducting high-value transactions. 

🚩 Payments are facilitated through professional intermediaries who show up in other leaks.

🚩 Trusts with discretionary beneficiaries that are unnamed. 

🚩 High-risk counterparties without a single PEP screening alert.

🚩 Recurrent use of back-dated powers of attorney. 

Running every trigger through a sanctions & PEP database screening engine reduces false positives and produces an audit trail of justification for escalation.

Case study: “The three-layer trust” deconstructed 

Layer 1 – Operating company 

A Seychelles IBC holds a Cyprus bank account and issues invoices to an EU distributor.

Layer 2 – Discretionary trust 

The shares in the IBC are owned by a New Zealand discretionary trust with no fixed beneficiaries but only a “protector”.

Layer 3 – Private foundation 

The trust, in turn, is owned by a Nevis foundation whose council is composed of two individuals and meets once a year by video conference.

At each layer, the filing lists different nominee officers. The economic reality—invoices paid into a Monaco account ultimately owned by the same family—only emerges when investigators correlate leaked emails, shipping records and property deeds.

Map every entity, date-stamp control changes, and request notarised statements of source of wealth early.
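
Three of the red flags listed above (tier count across jurisdictions, shared mailbox addresses, unnamed trust beneficiaries) applied to the three-layer structure from this case study, as an added example that is not from the original article or any KYCAID product. The entity records, addresses, per-address company counts and field names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entity:
    name: str
    jurisdiction: str
    address: str
    owner: Optional[str] = None        # name of the entity that owns this one
    named_beneficiaries: bool = True   # False: discretionary trust, nobody named

def ownership_chain(entities, start):
    """Follow owner links upward from `start`; stop at the top or on a cycle."""
    chain, seen, name = [], set(), start
    while name in entities and name not in seen:
        seen.add(name)
        chain.append(entities[name])
        name = entities[name].owner
    return chain

def red_flags(entities, start, address_counts, tier_limit=3, address_limit=100):
    """Return the red flags from the list above that the chain triggers."""
    chain = ownership_chain(entities, start)
    flags = []
    # Three or more tiers that span more than one jurisdiction.
    if len(chain) >= tier_limit and len({e.jurisdiction for e in chain}) > 1:
        flags.append("layered_ownership")
    # Any entity registered at an address shared by more than 100 companies.
    if any(address_counts.get(e.address, 0) > address_limit for e in chain):
        flags.append("mass_registration_address")
    # A trust in the chain with no named beneficiaries.
    if any(not e.named_beneficiaries for e in chain):
        flags.append("unnamed_beneficiaries")
    return flags

# Constructed sample data modelled on the case study; addresses and counts are invented.
SAMPLE = {e.name: e for e in [
    Entity("Seychelles IBC", "Seychelles", "Mailbox 12, Example House", "NZ Trust"),
    Entity("NZ Trust", "New Zealand", "Level 1, Sample Street", "Nevis Foundation",
           named_beneficiaries=False),
    Entity("Nevis Foundation", "Nevis", "PO Box 0, Sample Road"),
    Entity("Local Bakery Ltd", "Latvia", "1 Example Street"),
]}
ADDRESS_COUNTS = {"Mailbox 12, Example House": 140, "1 Example Street": 1}

if __name__ == "__main__":
    print(red_flags(SAMPLE, "Seychelles IBC", ADDRESS_COUNTS))
    print(red_flags(SAMPLE, "Local Bakery Ltd", ADDRESS_COUNTS))
```

The cycle guard in `ownership_chain` matters in practice: circular holdings appear in registry data, and a naive walk would never terminate on them.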

Regulatory response, 2021-2025: what changed and what didn’t 

FATF Recommendation 24 was revised in 2022: countries must “take appropriate legal and administrative measures to ensure that the competent authorities can obtain accurate and up-to-date beneficial-ownership information in a timely manner.” (FATF)

EU registers: A 2023 Court of Justice ruling partially reversed a directive for full public access, but most member states kept a “legitimate-interest” portal open to journalists and obliged entities. (Jones Day)

US Corporate Transparency Act: Reporting started in 2024; critics note the database is closed to journalists and that many trusts fall outside the scope. (FinCEN.gov)

For multinational companies, the result is patchwork visibility: you can access corporate data in Latvia in minutes, but wait weeks—and pay fees—in the BVI.

Action plan for due diligence teams 

Start simple, and make it hard to game. Insist on a government passport and a secondary ID, and match fields (names, ID numbers, dates) and metadata (file format, scan resolution) between both IDs and the application form. Shorten the selfie/liveness capture flow if you see evidence of drop-offs.

Refresh your screening. Use sanctions and PEP lists that update at least once per day, and log which version of each list you used. Add simple adverse-media alerts for terms like “Pandora Papers” and “ICIJ Offshore Leaks”, including common spelling variants and transliterations.

Investigate the source of wealth. Rather than a checkbox, request a one-page narrative plus relevant documents (tax returns, sale agreements, dividend statements) and use them to compare the stated source of wealth to public filings or reliable reporting. Document the rationale when accepting or rejecting the explanation.

Don’t skip the proof-of-address check. Validate residency with a recent utility bill, bank statement, or government letter, and confirm names, dates, and metadata are consistent. Require a second document if the image is edited or appears to have been tightly cropped.

Reverify on a defendable clock. Refresh high-risk applicants every 90 days, standard risk every 12 months, and add event-based triggers to force an immediate rescreen if something important changes—a new director, a move into a higher-risk country, or a sanctions hit on an associated party.

Dig into the company, not just the applicant. Map the ownership chart, capture control rights, and probe who the true decision-maker is behind each entity. KYB each new company, and store the registry extract so an auditor can retrace your process.

Finally, write your process so it can be read. Store your KYC policy in smaller sections, add pull-quotes for critical rules, and cross-link related steps so analysts can jump from “how to screen” to “how to escalate” without page-hopping. Clear writing won’t stop fraudsters, but it will help your team spot them sooner.

How KYCAID tools plug the gaps 

KYCAID is built to integrate into your existing onboarding flow. Start with ID document verification in seconds. The SDK captures the ID, reads the MRZ/barcode with OCR, and checks for tampering or doctoring. Active/passive liveness runs in the background if you enable it, and compares the face to the document photograph. Results return over API and webhook so your app can approve, step-up, or decline an application without manual back-and-forth.

Next comes real-time sanctions & PEP screening. KYCAID does the lookup at sign-up, and can rescreen on a schedule or when something changes (sanctions added, removal, etc.) with an ongoing monitoring feature. Add adverse-media keywords to keep up with major leaks and investigations, and route only meaningful matches to review to keep your queues manageable.

For higher-risk cases, Video Quiz adds a quick human layer. The applicant opens the camera, answers a set of randomized prompts (for example: “read the last four digits of your ID” or “turn the document and show the hologram”), and confirms on camera that they control the presented ID. Everything is recorded and your manager or KYCAID’s manager will verify the applicant. It’s a simple step that can stop deepfakes and borrowed IDs without turning onboarding into an interrogation.

If you onboard businesses, KYB performed by an experienced compliance manager will match presented data against the registries, run checks for directors, shareholders, and batch-screen the entire ownership chain. That’s critical when the real game is an entity in the middle of a structure rather than the one sitting at the surface. 

Admin tools cover the day-to-day operational tasks: role-based access control, statistics and verification reports, and configurable data retention so you keep only what you need. Pricing is transparent and straightforward, and the platform supports both API integration and a dashboard for teams that prefer no-code setup.

Transparency is a journey, not a headline 

The Pandora Papers made it easy to see how secret things stay when no one is watching between sign-up and payout. The fix isn’t a louder announcement or a new checkbox—it’s routine, quiet work: rescreening, refreshing documents, and justifying why a case passed today when it might fail tomorrow. Treat the onboarding process as the first frame of a long-running film, and make a point to reshoot that scene as facts change—ownership reshuffles, new sanctions, a sudden news story—and make sure your system catches those edits. The organizations that get this right tend not to make headlines. They just stay in business. 
