Unauthorised disclosure:

To criminalise or not to criminalise?

Read the article in the Cayman Financial Review Magazine 

In the early days, the criminalisation of the duty of confidentiality was not seen as a giant leap but only an incremental addition to traditional rules.  

The professional’s duty of confidentiality had already been recognised in private law long before the confidentiality crimes were created by the Banks and Trust Companies Law of 1966 and the Confidential Relationships (Preservation) Law [CRPL] of 1976.  

Superimposing a criminal penalty in similar circumstances merely added to the deterrent. The main controversy was the extent of the gateways for permitted disclosure in cases of international cooperation. 

With only a few hiccups, the CRPL initially achieved what it was meant to. The drafting of the sections was to a good standard and met what the legislative assembly wanted (at least after the problem of court witnesses was ironed out in the 1979 amendment). The underlying policy of deterring an illicit trade in clients’ financial information seems to have been more or less fulfilled at first.

But the international nature of Cayman business meant that foreign countries could put the professional in a dilemma: If a Cayman professional was trapped overseas they could be forced to choose between two crimes – defying the overseas court or divulging the information outside of Cayman’s listed gateways. There was no obvious internationally-accepted rule to break this stalemate.

The law of the jungle prevailed and the country wielding the bigger stick would win. At this critical point the interaction of the CRPL offence and the gateways had to be readjusted.

Although there are regular calls to repeal the CRPL criminal offence, I think that the modern dissatisfaction with the CRPL is substantially a problem with the gateways. They were fixed in the 1970s and imposed some fairly high thresholds for divulging. They need regular updating to respond to changing international standards.

The occasions when cooperation is needed – we see that in the relentless addition of new disclosure gateways. They also need regular updating to make sure the thresholds are set at the right level: must there be a trigger of reasonable belief that an offence has been committed or just a suspicion, or even automatic disclosure of particular events whether suspicious or not.

The list of disclosure gateways is long. Apart from those contained in the CRPL itself, it is no easy task to track down the dozens of legislative exceptions that override it. These have had a cumulative impact on the importance of the duty of confidentiality, which now resembles a Swiss cheese with as many holes.

There has been no prosecution under it (although it has been enforced by the state through an injunction application in the 1980s case of Attorney General v. Bank of Nova Scotia). But the duty of confidentiality still retains relevance in regulating professional activity and safeguarding clients. If I may mix my metaphors, it has not yet suffered the death by a thousand cuts. It still performs a useful residual role. The question is: what is that role, and does it require the criminal law?

Contemporary reappraisal?

Without the CRPL, the divulging of confidential information would continue as the basis for a civil action. A client should be able to sue for unauthorised disclosure, but should it also be a crime?

There are no clear and widely-accepted standards which can be applied to make that judgment. Whether to elevate a civil prohibition to a criminal prohibition should depend on the broad principle of whether there is a public wrongdoing for which the state has a legitimate interest in calling the suspect to account. That is never an easy issue but there are some pointers that can be used to help focus our thoughts on the attributes of the prohibition:

(a)  Does criminalisation help advance a national interest?
Certainly the confidentiality rule helps promote Cayman’s economy by
assuring overseas clients of the commitment to safeguarding financial
information from competitors and predators.
(b)Does criminalisation give significant help to victims who are unable
to look after their own interests or seek adequate redress?
confidentiality duty does achieve this but perhaps only to a small
degree. Financial clients are dependent on their professionals and must
be in a position to trust them – but they are not particularly
vulnerable, they exercise choice in a competitive market, and their
remedy in civil law might easily be seen as quite enough protection.
(c) Does it protect the victim from harm that is particularly serious?
respect of financial services clients, any harm arising from
unauthorised disclosure would be likely to be restricted to financial
harm although potentially significant.
(d) Does criminalisation help protect against harm to third parties beyond the immediate victim?
the direct victim has a civil action, there may be third parties who
could suffer indirectly by a disclosure. Ultimately the confidentiality
duty helps to preserve Cayman’s reputation and goodwillc for the
international financial providers.
(e) Does criminalisation provide a good deterrent where the fear of a civil action would be an inadequate deterrent?
a criminal law, the professional might make a swift calculation: Is it
worth my while to breach and pay damages? That thought process is ruled
out by the criminalising the duty of confidentiality.
(f) Does criminalisation help prevent behaviour that is seriously wrongful?
answer this question, it helps to think about what is being
criminalised – is it only a wrongful act, or is it a wrongful motive for
acting. That is interesting under CRPL because there are lots of things
that it criminalises. It covers abusive profiteering by professionals
selling a client’s information; but it also includes the professional
who allows his or her decision-making to be swayed by the prospect of
personal gain; it includes leading a professional astray by breaching
his or her duty; and even if the professional is not motivated by
reward, the disclosure would be penalised because it causes harm or the
possibility of harm.

Each of those factors can help bring some clarity to the discussion over criminalisation, but at the end of the day there may be something missing from the criminalisation philosophy but which is altogether more important – the symbolic meaning of any decision on the CRPL.

The confidentiality message

What course of action could be taken? The CRPL could be dismantled. But that is not to say that bankers could then auction their clients’ data to the highest bidder. The civil action would be available and there are plenty of other criminal offences which would have been committed.

It is important to recognise that the CRPL criminal offence has a great deal of overlap with other criminal offences that do not attract international censure. Cases where a person divulges confidential information for personal gain could simply be unbundled from the CRPL and allocated to the traditional classes of crimes in the penal code. Existing crimes, or possible new variants, could comfortably handle the most unacceptable behaviour: corruption and bribery, fraud, embezzlement, misfeasance in public office and data protection.

But the CRPL is unique in one residual area where it does not overlap with other common offences – it criminalises a disclosure even where it was not motivated by personal gain but by the best of intentions. Criminalisation of this residual area is quite capable of being justified by the factors outlined above.

The harm that a well-meaning disclosure might cause to individual clients, and the financial industry as a whole, could justify its criminalisation according to the factors mentioned earlier.

And there is no need to fear that this would mean prosecution where there was a genuine mistake, such as a whistleblowing disclosure made to the wrong institution – because the criminal law, unlike the civil law, starts from the assumption that that there will be no liability unless the individual knew that disclosure would be improper or he saw that there was a serious risk that the disclosure was improper.

Repealing the CRPL entirely and parcelling out some of its overlapping criminal content amongst other crimes would no doubt help reduce the perception of Cayman as uncooperative. Even though that alone would not accomplish the proactive and automatic disclosure demanded in certain quarters, its repeal would be profoundly symbolic of a commitment to international cooperation.

That, however, is not the only message that Cayman ought to be broadcasting. Confidentiality serves a useful purpose. The original policy behind the CRPL of preventing international cooperation in tax matters has been retracted, but it other functions still hold valid. Reaffirming the basic confidentiality offence, instead of repealing it, would send an important message to a separate group of stakeholders and interested parties.

The decision to retain the confidentiality offence would be a powerful symbolic commitment to upholding professional standards and fiduciary loyalty. It would function superbly well as a clear message to instil confidence in clients and prospective clients that Cayman law takes professional responsibilities seriously wherever there is no countervailing need for disclosure.

Keeping the confidentiality offence would prevent that message from being fragmented and lost if the CRPL were to be dispersed amongst other categories of crimes, and it would keep a distinct, convenient title for its inclusion in compliance training. That message is important for financial services providers tasked with its implementation. It is partly due to the stark and memorable quality of the CRPL offence that it has firmly lodged in the psyche and inspired a culture of observance.

Of course, when the bare offence is read in isolation from its exceptions, it may appear to be grossly over-inclusive. But that does not matter if its function is to give an effective message to people handling information.

Only rarely does criminal law transmit such a precise and focused warning signal as the headline message to the confidentiality offence: Warning! Confidentiality ahead! Verify your gateway!