We previously wrote about legal action taken in 2017 by the Finsbury Park Mosque after it was placed in the “terrorism” category on the due diligence database, World-Check (see here). In that case, Thomson Reuters, the then-owner of World-Check, apologised to the company behind the Mosque by way of a statement in open court, and agreed to pay damages. While it is undeniable that databases like World-Check (and others operated by the likes of Dow Jones) serve an important purpose in client due diligence carried out by financial and professional services firms, five years later individuals and companies continue to encounter difficulties due to inaccurate or outdated information finding its way onto the databases.
The information sourcing problem
Databases such as World-Check employ technology and analysts to collate information from open sources (such as sanctions lists, government and court records, and media coverage). They use such information to create profiles for individuals or organisations that are identified as presenting a potential money-laundering or other risk. The problem is that the details included on the database are only as good as the source information from which they derive. Significant concerns remain about quality control in relation to the information that finds its way onto the databases, and we have seen many examples where individuals and companies are categorised in an adverse way on the database because of outdated, inaccurate or distorted information. Examples of problems encountered include individuals/companies included on the database because of:
- Involvement in litigation or investigations that were later abandoned by the other side, but where online media coverage only includes the commencement of the case,
- Inclusion on a data leak (such as the Panama Papers) where the alleged activities have subsequently been disproved,
- Negative outcomes in bogus criminal proceedings in jurisdictions without free and independent legal systems, or
- Wrongful categorisation as a politically exposed person (PEP) or PEP associate.
Naturally, the appearance of an individual on World-Check serves as a red flag to banks and other service providers who utilise such databases. Often this leads to the refusal or closure of accounts or advisory services. This is an understandable reaction when the literature of the databases states that “reliable and reputable sources” are used to deliver “accurate and reliable information”. While this may well be so in the majority (if not vast majority) of cases, it can have very serious repercussions for individuals and companies wrongly included on the database.
What if I’m wrongly included?
Thankfully for those finding themselves in this situation, strengthened data protection and defamation laws in the UK provide a solution in circumstances where the information on World-Check derives from inaccurate or outdated sources. Like all organisations processing personal data, due diligence databases are required to ensure that personal information distributed to their customers complies with the data protection principles in the General Data Protection Regulation (GDPR). These include the obligation to ensure that personal data are accurate and up to date and kept for no longer than is necessary. Alongside these obligations are rights afforded to individuals, including the so-called “right to be forgotten”. This is a qualified right enabling individuals to request the erasure of their personal data by an organisation, where at least one of a number of criteria is met and there is no overriding right of freedom of expression and information.
Where content on World-Check or other databases is defamatory and there is no available defence (such as truth or publication on a matter of public interest), defamation law can provide an alternative line of attack. This was relied upon in the Finsbury Mosque case and is integral in cases where (as in that instance) the subject is a company (and therefore it cannot rely on data protection laws that only afford rights to individuals).
We are not aware of any public judgments in the UK courts where the substance of an entry on World-Check or another database has been tested. This is perhaps unsurprising due to the inevitable desire of such databases not to create damaging legal precedents on the one hand, and the reluctance of those appearing on them to enter into the public process of litigation on the other (and thereby reveal their presence on such a database). However, pre-action legal correspondence setting out the deficiencies in an entry (relying on the legal principles mentioned above) can be highly effective where an individual/company has a coherent, substantiated and persuasive argument. The majority of the due diligence providers are reputable organisations that will approach legal correspondence rationally and give it proper consideration. Evidence in support of a client’s position will be vital, and official documents confirming matters are, of course, very helpful.
So, while the “bad dudes” we referred to five years ago remain on World-Check, there remains a significant minority of individuals and organisations wrongly included because of the quality of available source information. Evolution in data protection laws in particular has helped those who find themselves in this situation, and enables those who are adversely affected without justification to achieve redress (generally without having to resort to litigation).
If you require further information about anything covered in this blog, please contact Thomas Rudkin or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2022