For this interview, Compliance Matters tracked down Lisa Osofsky, one of the most seasoned financial investigators in the UK and a former US prosecutor and deputy general counsel and ethics officer at the FBI, and asked her opinion on the Panama Papers, regulatory investigations and the UK's plan to reform its money-laundering laws.

Lisa Osofsky runs the European arm of Exiger, the global financial crime, risk and compliance firm. This interview is set out in the form of a question and answer session.

Q: What lessons do you think are to be drawn from the saga of the Panama Papers?

A: Let's start from the beginning. Some commentators on tax and offshore companies assume that if you're structuring something it's going to be illegitimate and wrong. Actually it can be tax-efficient and legal. I was asked on Radio 4 if I could name any legitimate reason to set up a company in the British Virgin Islands. I answered that if I'm managing a hedge fund, for instance, I have a duty to my shareholders and I'd rather have less money going to the taxman, so I go to a tax-favourable jurisdiction. Incidentally, I actually went to Panama for a conference on Libor – the Panamanians refer to the leaks as the Mossack Fonseca Papers and don't like them being called the Panama Papers.

I question whether there is political will sufficient to change some of this; it is a story that has come up more than once. One part of it is the drive to force firms to disclose ultimate beneficial owners. Some issues also came up at the recent [anti-corruption] summit in London. When viewed in tandem with the new money-laundering directive (with which EU countries must comply by 2017), these two initiatives create almost a 'perfect storm' in terms of timing. One last thing, on the lessons learnt – we see that the Financial Conduct Authority does not shy away from asking those firms it regulates what they have been doing to manage their client base from a risk and controls perspective. Whether it’s the Mossack Fonseca Papers or the FIFA indictees, regulators want to make sure that financial institutions know who they are banking and what measures they have taken to mitigate any financial crime risk posed by these clients. All of this leads in one direction — more transparency to achieve effective systems and controls to manage risk.

The Panama Papers are just one of many reported security breaches. Remember when a Nationwide employee left his computer on a train in 2007? This was one of the first reported data breaches and the building society was fined just under £1 million because it failed to guard is customer information appropriately. We don't know how the information was obtained from Mossack Fonseca or who did it. Was it a leak or a hack? Was it a disgruntled employee? Or was it an ex-girlfriend? Ex-girfriends were the best people to 'hit up' in my FBI days.

Compliance officers should learn from this and look for the most secure systems to keep data safe and secure. Part of this is KYE – know your employee. Also, you can generate loyalty if you evolve the right culture in which employees feel bound to the firm and don't want to bring it into disrepute.

Q: What do you think about the theory that the CIA or another state organisation hacked into the law firm's database?

A: Having spent so much time in the government, any time people report a conspiracy, I think "where's the ineptitude here?" It's partly because I'm even more cynical.

Q: Do the FCA and other European regulators use good old-fashioned investigators for their projects or maybe as expert witnesses?

A: I don't know for sure but I can tell you a few things. For people like me who come from an 'intel' or law enforcement background, it's a matter of putting things together by experience and careful sifting through information. People with backgrounds like mine can act as investigators for governments. If you are operating under a government-imposed order, you may end up developing your findings and recommendations for agencies like the Department of Justice, the Federal Reserve Board and other regulators. For these jobs, an excellent government background and intelligence mixture is considered quite valuable. I look at the advent of the dawn raid as evidence of the skills one might develop within the government that could be put to good use in the private sector, especially when the government comes knocking.

[Editor's note: Law firms now offer 'dawn raid services' to financial firms and advertise them as such. They arrange 'dawn raid cover' for them, they draw up plans and procedures and train employees to cope, even running mock dawn raids. The aim is to stop regulators from getting hold of documents illegally, deal with them when they threaten the firm with proceedings for obstruction, and stand up to, and object to, improper conduct which might include the infringement of legal professional privilege.]

That leaves me to conclude that the regulators have to have people with a bit of an investigative background. In the US, it's quite common to have the revolving door between the government and private sector and back again and in finance that includes investigators. Also, a lot of ex-cops and intelligence officers serve in banks, whether in their security departments, in financial intelligence units or in other compliance jobs.

Q: Your firm was originally set up to monitor HSBC's progress in fulfilling its promises to US regulators after it was fined $1.9 billion in 2012. Are 'monitorships' such as this one common?

A: This one is uncommon in its size and scope – it’s the biggest and most far reaching. The US Government has a lot of monitorships. Outside finance, it's mostly in the area of corruption. They need not be done at the direction of a court, either. My firm, Exiger, offers clients the option of a self-imposed monitorship when they need to get ahead of the curve or make a good showing with a regulator. For instance, if a state prosecutor makes noises about limiting the ability of a company to conduct business, that firm can take part in a voluntary monitorship to show that it is operating in a way that does not break laws and advances the interests of its customers. We often help our clients establish the fact that they have appropriate systems and controls.

Q: HM Government is thinking of going from a suspicion-based anti-money-laundering reporting regime to an intelligence-based one. What does that mean?

A: I think it's a good thing to stop knee-jerk filing and to make people think about what they're filing. There's been an effort to be more intelligent about what you report, rather than simply filing defensively.

I think revisiting all the rules just when people are getting their heads around the present system is a bad idea. There are uncertainties even with a system that's been around a long time and it might be unwise to make wholesale changes in an area that's already complicated.

I'd hesitate to say that it's a perfect regime and the Government and the regulated sector loves it but I'd like to know a lot more before I'd go as far as instituting wholesale change. The Government is also proposing to replicate s7 Bribery Act's offence of failure to prevent bribery by creating an offence of failure to prevent money-laundering and tax evasion. There haven’t been a lot of prosecutions under the Bribery Act, so it is hard to determine how effective the “failure to prevent” rules are at preventing crime. The criminal bar is also arguing that you're taking away the government’s burden to establish the requisite mens rea and this seems to be a fair point.

Q: What do firms keep getting wrong with anti-bribery-and-corruption (ABC) controls?

A: Not taking some account of the business environment and where you're operating. I think a 'zero tolerance' policy is not always helpful. If you're working across dangerous borders and you're asked for a bribe with a gun held to your head, you pay the bribe! The wrong answer would be to ignore the reality of the situation. You have to have a cultural understanding about where you're operating. Any policy that makes blanket assumptions about any people will be a very short-sighted one. Firms also make mistakes with their internal culture. You can have a good ABC policy, but if you have a "sell, sell, sell at all costs" culture, it won't be effective; good policy should take account of the cultural setting.

* Lisa Osofsky can be reached at losofsky@exiger.com