When the International Consortium of Investigative Journalists (ICIJ) dropped the Pandora Papers in October 2021, the world reacted with predictable outrage. World leaders, billionaires, and convicted fraudsters — all tangled up in offshore shell companies and secrecy jurisdictions. But buried inside that 2.94-terabyte mountain of leaked documents was a story that received far less attention: the systematic failure of due diligence inside the citizenship by investment industry.
This article is not about what the Pandora Papers revealed in headlines. It's about the gaps — what the leaks exposed structurally, what the industry quietly swept under the rug, and why the verification systems that are supposed to protect the integrity of second passport programs are, in many cases, built on sand.
The leaked files included passports, bank statements, tax declarations, company incorporation records, real estate contracts, and due diligence questionnaires (ICIJ) — the very paperwork that underpins every serious citizenship application. The irony is sharp: documents meant to verify the legitimacy of wealthy clients had themselves been leaked, exposing the inner workings of an industry that markets itself on discretion and rigorous vetting.
The Pandora Papers exposed the secret offshore accounts of 35 world leaders, including current and former presidents, prime ministers, and heads of state, as well as more than 100 business leaders, billionaires, and celebrities (Wikipedia). But beyond the famous names, the leak exposed something more structural: the fact that due diligence in the citizenship by investment world is often performative rather than substantive.
Here's what mainstream coverage missed. The leaked files didn't just show bad actors buying passports — they showed that the firms processing those applications were often going through the motions of compliance rather than genuinely screening their clients.
The data contained a large number of due diligence reports, including lists of sanctioned companies from the US Office of Foreign Assets Control (OFAC), "know your customer" forms, and searches on World-Check, a commercial due diligence database (Computer Weekly). On the surface, this looks thorough. In practice, running a name through World-Check and attaching the result to a file is not the same as conducting genuine enhanced due diligence on a high-risk applicant.
The citizenship by investment industry has long operated in a regulatory gray zone. Critics note that the industry is unregulated, and that firms operating these programs should be obliged to follow anti-corruption and anti-money laundering laws — they should be required to adhere to the same rules that apply to banks, real estate agents, lawyers, and accountants in most countries, which is currently not the case (OCCRP).
This is the first and most damning structural gap: passport brokers — unlike banks or law firms in most jurisdictions — have historically faced no mandatory anti-money laundering obligations when acting specifically as citizenship advisors, even while processing hundreds of thousands of dollars per application.
The most detailed picture of due diligence failures in the citizenship by investment sector came not directly from the Pandora Papers, but from related OCCRP investigations that used leaked internal documents from Henley & Partners, the world's largest investment migration firm.
OCCRP's investigation into Henley's operations in the Caribbean found clients with backgrounds that should have raised red flags. Critics say poor regulation of these programs risks allowing figures such as criminals and sanctions-evaders to dodge justice (OCCRP).
Specific cases were striking. An Iranian banker who was later arrested in 2018 for sanctions evasion and a $115 million money laundering scheme had obtained a St. Kitts and Nevis passport years earlier through Henley's facilitation. An Indian businessman accused of a $250 million investment scam applied in 2011 and received citizenship in 2012 despite ongoing allegations against him — he was eventually arrested in 2018. A Russian financier linked to a $4.6 billion money laundering probe had his 2012 application flagged, yet Henley pursued it before it was ultimately not finalized (Grokipedia).
These were not obscure edge cases. They were clients whose risk profiles were visible in open-source media at the time of application. And yet, in a citizenship by investment framework where governments outsource vetting to private firms, and private firms deflect responsibility back to governments, no one was truly accountable.
Henley & Partners argued that "full due diligence and governance responsibility" lay with St. Kitts and Nevis — not with the firm — while simultaneously marketing itself as the industry's quality standard-setter (OCCRP). This circular logic — broker blames government, government blames broker — is the central accountability gap that the Pandora Papers era exposed, yet few commentators named it clearly.
The Pandora Papers arrived in the context of an industry already shaken by the Cyprus Golden Passport scandal of 2020, when an Al Jazeera undercover investigation caught Cypriot politicians agreeing to help a fictitious criminal obtain a passport. That program was subsequently shut down. An investigative committee found that more than half of the passports issued under the scheme had been granted illegally.
Documents uncovered by OCCRP show that Henley & Partners pocketed a total of €710,000 for services related to or indirectly connected to the passport application of Jho Low, the disgraced Malaysian financier accused of embezzling billions from the sovereign wealth fund 1MDB. Despite identifying their client as a high-risk person with political exposure, Henley & Partners decided to go ahead with the transaction.
The deeper implication here is not merely that one broker made a bad call. It's that the financial incentive structure of the citizenship by investment industry actively works against genuine risk rejection. Every declined applicant is lost revenue — sometimes hundreds of thousands of euros. In an unregulated environment, the commercial pressure to find creative justifications for borderline cases is enormous.
The Pandora Papers coverage focused almost entirely on the names of individuals exposed. What received almost no attention were the systemic enablers:
The data security problem. The fact that 2.94 terabytes of client files — including passport scans, bank statements, and due diligence questionnaires — leaked from 14 separate service providers tells us something important about the data security standards inside this industry. These are firms holding the most sensitive personal and financial information of the world's wealthiest people, often stored with inadequate cybersecurity infrastructure. The Pandora Papers were not a single breach from one rogue provider — they were a leak from across the entire industry ecosystem.
The verification circle problem. Companies should develop an approach to investigate whether they interact with any entities or individuals named in the Pandora Papers — but inclusion in the papers does not, on its own, establish that misconduct occurred (Pinsent Masons). This caveat, while legally correct, allowed the industry to largely absorb the scandal without meaningful reform. Firms could say their clients weren't proven criminals, even when those clients had glaring red flags that should have triggered rejection under any serious compliance framework.
The intermediary gap. Much of the citizenship by investment pipeline runs through sub-agents — local fixers, regional brokers, referral partners — who are several steps removed from the headline firms. When a high-risk client slips through, the primary firm can point to the sub-agent. The sub-agent points back. Meanwhile the passport is already issued.
After the Pandora Papers and the Cyprus scandal, there was genuine momentum toward reform. The EU took legal action against Cyprus and Malta for undermining the integrity of EU citizenship. The European Parliament called for a complete ban on citizenship-for-sale programs within EU member states. Several Caribbean nations tightened their stated due diligence requirements.
But the citizenship by investment industry adapted rather than reformed. Programs in Dominica, Grenada, St. Kitts and Nevis, and St. Lucia continued operating. New programs launched in Jordan, Egypt, and Turkey. The fundamental business model — government revenue from passport sales, private firms taking commissions, minimal regulatory oversight — remained intact.
Corporate service providers should be better regulated, including being subject to anti-money laundering obligations and stricter due diligence requirements. In key financial centres like the US, Switzerland, and Australia, many of these professionals have no anti-money laundering obligations whatsoever, and in countries where such obligations are in place, implementation and enforcement have been very weak.
This remains the industry's open wound in 2025. The Pandora Papers showed the world what was inside the machine. But without mandatory AML obligations for citizenship brokers, without centralized international registries of applicants, and without genuine liability for firms that approve high-risk clients, the machine keeps running.
None of this means that citizenship by investment programs are inherently corrupt or that every applicant is a criminal. The vast majority of people pursuing a second passport have entirely legitimate motivations — mobility, security, tax planning, business access. The programs themselves, when properly managed, can generate real economic benefits for small island nations with few other revenue sources.
But anyone considering a citizenship by investment program should understand the environment they are entering. The due diligence process that is supposed to protect program integrity is the same process that the Pandora Papers showed to be porous, commercially compromised, and largely unaccountable. The data security of firms holding your passport scans and financial records is, as the leaks demonstrated, not guaranteed.
The questions a serious applicant should be asking their citizenship advisor are uncomfortable ones: How do you handle conflicts between commercial incentives and due diligence outcomes? Who holds my data and under what security standards? What happens to my application file if your firm is subject to a data breach or legal investigation?
The Pandora Papers gave us 2.94 terabytes of evidence that these are not hypothetical concerns.