One day, your bank writes to you saying that you have fallen outside its risk appetite and your accounts are being closed. You ring the bank manager to ask why and he says there is nothing he can tell you. You try to open a bank account elsewhere and are told you can’t be accepted as a customer.
The same with your credit card providers. You seek advice from your solicitor who tells you she can’t advise as she cannot accept payment in cash. Then your accountant writes to you saying that her firm has also pulled the plug. Again, no explanation can be given. Direct debits are not paid and your mobile phone and internet accounts are closed. You are suddenly exiled from your own world.
This is not some reality-TV survival exercise. It can be the real experience of those who are listed as being ’heightened risk individuals’ on Thomson Reuters’ due diligence service “World Check”. Recent estimates are that about 2.7 million people and organisations are on the list, including around 93,000 listed as being linked to terrorism.
The World Check Data Protection registration entry describes the service as:
“a database of heightened risk individuals and companies and politically exposed persons which our clients screen their own customers against before entering into transactions with such customers in order to prevent and detect financial crime”;
The threshold for inclusion as a heightened risk individual is not high – politically exposed people are treated as being heightened risk and that includes, under the UN definition of the term [pdf], people entrusted with prominent public functions, their family members and close associates. So a Supreme Court Judge’s clerk, an MP’s son, or barristers in chambers with people who have acted for those accused of terrorist offences are all potentially high risk individuals who could end up on the list.
World Check claims that its list is used by 10,000 companies, including a large majority of the world’s major banks and financial institutions. It is divided into categories which include sanctioned entities, money launderers, terrorists, and fraudsters. Plainly these are people or organisations to be avoided by risk-averse banks, lawyers, and financial institutions, but on what evidence is their inclusion based? World Check claims that the underlying information is collated from authoritative open source material and government and regulatory information. However, researchers and complainants have found otherwise – information can be out of date, sourced from islamophobic or politically motivated blogs or other outer reaches of the online community.
Nor can the information easily be verified by customers. The World Check terms and conditions [pdf] require the many thousands of subscribers who pay large sums for its service to keep secret the fact that the individual is on a list. It stresses that decisions to end business relationships should not be made solely on the basis of inclusion in the list – but it also claims to be authoritative and to have skilled analytic researchers working to collate open source information across 130 countries.
The implication is that checks should not be needed. In any event, they would be nearly impossible to carry out. The reports provided to subscribers state that legal action will be taken against any subscriber that informs any subject about the report – so how are subscribers to check the veracity of the information when they are not permitted to inform the person in question that there is a problem?
Despite that, one or two subscriber clients have spoken out. In 2014, Peter Oborne was told that a number of prominent Muslims had had their bank accounts closed abruptly and without explanation. His investigations led him to HSBC and the Telegraph’s reluctance to publish his story was one reason for his resignation. He continued to pursue the story which led eventually to World Check and the revelation that a secret database was effectively operating as a blacklist.
The online magazine Vice News published an in depth examination of the database in February 2016, having seen extracts from the reports relating to the terrorism category. According to Vice News,
“An American Muslim civil rights leader praised by George W. Bush, an economist honored by the British Queen, and a prominent anti-extremism campaigner have all been secretly given a “terrorism” designation” and “The highly influential World-Check database has also listed major charities, activists, and mainstream religious institutions under its category of ‘terrorism’.”
Then in June 2016 it was reported that the whole data base had become publicly available online. This appeared to be a technical error rather than a leak, and the company moved quickly to ensure that the publication was stopped. However, the information has been disclosed and it is now impossible to know how far it has spread.
The privatisation and outsourcing of due diligence to an unregulated industry plainly comes with legal risk. World Check states that it takes robust measures to ensure that data is protected and that the Data Protection Act is not breached.
It is difficult to see how this can be correct. Indeed, there is an argument that inclusion is in itself a breach of the DPA, particularly where sensitive personal data is being processed, and the individual may be able to claim damages for any distress or damage and have a right to prevent further processing and/or rectify the records.
World Check suggests that the list is compliant with the DPA because of the limited purpose for which the data is processed and because the information is sourced from publicly available sources. Neither of those factors constitute exemptions or provide defences. Where sensitive personal data is being processed without consent and without one of the conditions in the schedules being met, or the processing being exempt, there is a breach. An unregulated private company which is processing data with neither consent nor statutory authority, even if it is intended to prevent fraud, faces serious difficulties in satisfying the conditions in the DPA.
An individual who is concerned about his or her own position can at least make a Data Subject Access Request (or use the World Check website to check if he or she is on the list) and see what, if anything, is being said about them to World Check’s influential subscribers. There may also be a libel claim. Inclusion in the list is arguably defamatory in itself – there is an interesting issue about a potential public interest defence, but where information is unchecked, unverified and sourced from out of date or biased on line information, that argument is weak.
The position is worse for campaign organisations or NGO’s or even charities – they have no data protection rights and there is no obvious way for them to find out that they have been accused of connection with terrorism or fraud unless they are told by a World Check customer, or happen to be the subject of a leak. If they do find out, there could be a libel claim – the threshold of serious financial harm in section 1 of the Defamation Act 2013 is likely to be met given that the whole purpose of the list is to warn service providers against doing business with those on the list. If the entry itself includes confidential or personal information about individuals associated with the entity, there could be misuse of private information or breach of confidence claims against World Check.
World Check is currently defending a libel claim brought by the Finsbury Park Mosque – which was accused in a World Check report of having a close connection with terrorism, arms training and being associated with known terrorists. This was of course wholly false. Since 2005 the Mosque has been run in a completely law-abiding way with an emphasis on inter-faith connections. More claims are in the pipeline for others in a similar position.
Many commentators have suggested that World Check is being used as a secret system of blacklisting. A system which has terrifying consequences. Those who may have been listed need to find out precisely what has been said about them and, if necessary, take action to challenge their inclusion before they find themselves cut adrift by the influential World Check subscriber community.
Tamsin Allen is a partner and head of media and information law at Bindmans LLP