Recent legal action taken by the Finsbury Park Mosque against Thomson Reuters has highlighted the reputational harm that can be caused if you are wrongly added to World-Check's database.
Registered in London, World-Check was originally founded in 1999 to meet the KYC requirements of the Swiss banking community. The company, acquired by Thomson Reuters in 2011, has grown since that date and it now reportedly has in excess of 10,000 subscribers including the majority of the world's banks and financial institutions, as well as major law and accountancy firms. It is also worth knowing that it is not the only provider of this service.
The World-Check Data Protection registration entry (on the ICO's website) describes the service as "a database of heightened risk individuals and companies and politically exposed persons which our clients screen their own customers against before entering into transactions with such customers in order to prevent and detect financial crime".
In turn the World-Check website boasts that its research team monitors emerging risks in more than 60 languages, covering hundreds of countries and territories worldwide. As a result an estimated 2.7 million people and organisations are reportedly listed on the database. They are divided into categories which include sanctioned entities, money launderers, terrorists and fraudsters. Plainly these are individuals or organisations to be avoided by those who subscribe to the service. However, the question is how much evidence does World-Check need to include you in its database, and what happens if you are added in error?
Finsbury Park Mosque v World-Check
Last month Thomson Reuters apologised to Finsbury Park Mosque, the once notorious London mosque, for publishing a profile report on the database which alleged that there were grounds to suspect that the mosque had continued connections to terrorism. In fact, since 2005 the Mosque has been run in an entirely law abiding way. In a statement in open court read before HHJ Parkes QC, World-Check's owner admitted that it was wrong to place the Mosque in the category "Terrorism" on the database. This had resulted in serious consequences for the Mosque, whose bank had terminated its banking relationship and closed its account. In the statement World-Check apologised for the error and confirmed that it had agreed to pay damages and legal costs as compensation.
The Finsbury Park Mosque case has highlighted the difficulties many clients encounter with World-Check and other such databases. To be added as a heightened risk individual is not necessarily a difficult threshold - for example a politically exposed person (PEP) is treated as falling into that category. That can include individuals entrusted with prominent public functions as well as their family and close associates. Accordingly, the family member of a politician could be included even where they themselves are not involved in politics. At the end of last year reports emerged that Maud Windsor, the daughter of Lord Freddie Windsor and the actress Sophie Winkleman, was listed on a 2014 version of the database despite being only nine months old at the relevant time! The apparent justification was that she was a family member of a PEP, a reference to her father, who is the son of Prince Michael of Kent and 43rd in line to the throne.
World-Check states on its website that the information on the database is collated from authoritative open source material and government and regulatory information. It also claims to have skilled analytic researchers filtering out inaccurate information. However, that seemingly does not always rule out information being published that is either out of date, such as in the Finsbury Mosque case, or sourced from a less than trustworthy source – for example a politically motivated blog. Information published in newspapers is typically included with few, if any, checks being made as to its veracity and there is seemingly no process in place to update the database even when the original source information becomes out of date or is shown to be wrong.
What action can you take?
For those individuals and organisations affected, the first they may hear about a negative profile report is when their bank writes and informs them that their accounts are being closed, or when a business transaction stalls. In the case of a bank, it is not required to tell them the reason why their account has been closed. When they try to open a bank account elsewhere, they are told they cannot be accepted as a customer. Other instances include credit card providers and major law and accountancy firms.
This can be a real problem. The situation is made worse by the difficulty most individuals and organisations will have in finding out what a profile report actually says about them. Under World-Check's terms and conditions, subscribers are required to keep secret the fact that an individual or organisation is on a list. In turn World-Check seeks to disclaim liability by stating that decisions to end business relationships should not be made solely on the basis of inclusion in the list. However, by claiming to be authoritative World-Check is suggesting checks are not needed and in any event they would be very difficult to carry out given that the reports provided to subscribers state that legal action will be taken against any subscriber that informs a subject about a report. In other words, how are companies supposed to check the veracity of the information when they are not permitted to inform the person in question there is a problem?
So what action can those affected take to protect their reputation?
World-Check states that it takes robust measures to ensure that data held on the database is protected and the Data Protection Act (DPA) is not breached. However there are obvious difficulties with this analysis. Indeed, inclusion on the database is in itself arguably a breach of the DPA, particularly where sensitive personal data is being processed.
World-Check claims that the database complies with the DPA because of the limited purpose for which the data is processed and because the information is taken from publicly available sources. However, neither of those factors is an exemption, nor do they provide defences under the DPA. Where sensitive personal data is being processed without consent and without satisfying one of the exemptions in the DPA then there is a real risk that data is being processed unlawfully. The point remains to be tested in the courts but if World-Check is wrong, the individual may be able to claim damages for any distress or loss. There would also be a requirement for World-Check to rectify its records and/or cease further processing of the individual's data.
Where individuals or organisations are on the database incorrectly they may also have a claim in libel, as in the Finsbury Park Mosque case. The new serious harm test introduced under the Defamation Act 2013 would almost inevitably be met in circumstances where the entire purpose of the database is to warn businesses from engaging with those on the list. If the entry includes confidential or personal information there is also the potential for bringing a claim either for misuse of private information contrary to the individual's Article 8 rights or for breach of confidence.
Plainly there are "bad dudes" on the World-Check database. When a previous version of the database was leaked last year it was reported that it contained the names and details of 93,000 individuals suspected of having ties to terrorism. However, the system is far from faultless and finding yourself in their company has the potential to cause you and your organisation significant reputational harm as well as real practical difficulties.
In any event, decisive and effective legal action is required to mitigate the damage caused and protect your reputation in the global world we live in. This should properly include looking at not just World-Check, but also its competitors, who will also likely source the same or similar information. Consideration should also be given to looking at such providers by way of those jurisdictions which are important to the client. In this regard it is important to make sure that all the main database providers in the relevant jurisdictions are made aware that information is false and/or out of date.
If you require further information on anything covered in this briefing please contact Michael Patrick (firstname.lastname@example.org) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2017