Solicitors are in the line of fire for failing to stop ‘dirty money’ flooding into the UK and their vulnerability to cyber-attacks. But is this criticism fair? Marialuisa Taddia reports
THE LOW DOWN
Solicitors stand charged of enabling money laundering totalling billions, tarnishing the UK’s reputation for upholding the rule of law. Responding to pressure, the Solicitors Regulation Authority audited 50 firms to sample compliance with rules designed to guard against unwitting involvement in illegal activity. It found just over a fifth had a firm-wide risk assessment in place. Is a profession dedicated to upholding the rule of law really such a basket case? Or are lawyers, as some suggest, just better than bankers at avoiding suspicious instructions? Possibly – though a marked increase in permissions from the NCA to proceed with transactions that bear some features of potential concern fosters frustration with a regime that sets a low bar for reporting suspicious activity. No wonder compliance officers complain they ‘don’t have time to breathe’.
The UK has a money laundering problem valued at £90bn annually by the National Crime Agency (NCA). The agency’s director, Donald Toon, says lawyers are partly to blame, and has expressed ‘concerns about the effectiveness of… customer due diligence in parts of the legal profession’ because of the low number of Suspicious Activity Reports (SARs) filed by solicitors. SARs flag possible money laundering and suspicious activity.
In March, the Solicitors Regulation Authority said it would carry out ‘rigorous checks’ on law firms to make sure they are meeting their money laundering obligations. These are set out in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which came into effect on 26 June that year.
Writing in the Gazette recently, SRA chief executive Paul Philip warned: ‘There is excellent practice out there but, despite lots of information and support, we are seeing that firms are still struggling to get to grips with the 2017 regulations.’ He added: ‘A risk assessment is required in legislation and should be the backbone of a firm’s anti-money laundering approach. Firms which do not have one or are not implementing it properly, may be committing a criminal offence and are leaving the door open for criminals to launder money.’
In July 2017 the SRA visited 50 firms and found that only 11 had a firm-wide risk assessment in place, while six were in the process of implementing one.
The regulator has every right to worry when it identifies such gaps. Last May, Neil Richard Bolton, a solicitor, was jailed for nine months and struck off for handling property deals for drug dealers and mortgage fraudsters. Crucially, he had failed to carry out ID checks, and allowed the client to use the client account as a banking facility.
Though the 2017 regulations have been in force for almost two years, anti-money laundering guidance for lawyers issued by the AML supervisors for the legal sector (the Legal Sector Affinity Group) was only published in March last year after the approval of HM Treasury. Concurrently the SRA published the first AML risk assessment for the sector.
Matthew Moore, director at Infolegal, explains that the 2017 regulations set out a ‘hierarchy of risk assessments’ – at EU, national and sectoral level. The ‘final step’, Moore explains, is for law firms and other businesses covered by the rules to do their own risk assessment, taking account of the assessments made at the levels above them.
It is not just suspicious money from abroad, but also cyber-attacks that firms must fend off – all against the backdrop of an increased compliance burden. Last year, for example, saw the implementation of the EU General Data Protection Regulation and the Network and Information Systems Regulations 2018, whose aim is to boost the overall level of cybersecurity and physical resilience of network and information systems.
Peter Wright, chair of the Law Society’s GDPR working group and managing director of Digital Law, says regulators – the SRA or the Information Commissioner’s Office – increasingly want to see documentary evidence of continuing compliance. ‘Failure to do that means that you are leaving yourself open [to threats],’ he says.
The various types of fraud are interlinked, Moore stresses: ‘There is a very heavy overlap between money laundering compliance and fraud avoidance.’ Property and other serious frauds, he points out, ‘are inevitably going to involve somebody who is misrepresenting their identity’.
To maintain cybersecurity ‘there are straightforward, low-cost measures that law firms can take, it doesn’t have to be expensive’, says Digital Law managing director Peter Wright, an expert in data protection, cybersecurity and social media law.
Firms can use privacy screens on phones, tablets and laptops; install appropriate encryption and security on websites and applications; ban the use of USB flash drives and public Wi-Fi networks when working remotely; and reduce reliance on emails – both for internal and external communication.
Wright, author of the Law Society’s Cyber Security Toolkit, says the legal sector more than any other is ‘addicted’ to emails. While this creates a ‘paper trail’, it also means the sector is running ‘a significant risk’ of cybercrime.
Wright highlights good practice by some firms which have banned the use of internal emails in favour of instant messaging, such as BlackBerry Messenger (BBM). Some are using portals to communicate with clients. For example, Clio Connect, endorsed by the Law Society, is a secure portal for exchanging information with clients, and also hosts applications such as Dropbox, Xero, Quickbooks, Outlook and Google Accounts.
Malware is another common form of cybercrime, says Wright. ‘One of the biggest problems for law firms is that because they don’t want to invest in IT they end up with an old infrastructure, particularly if they have grown by acquiring other firms.’ Such ‘old legacy systems’ are more vulnerable to harmful software.
Email modification fraud is the most common type of cybercrime against solicitors, according to the SRA; criminals intercept and falsify emails between a client and the firm, resulting in bank details being modified and money lost.
Solicitors are also at risk of fraud because they hold client money – around 7,500 of the 10,400 SRA-regulated law firms do so. Around a third of reports to the SRA about the misuse of client cash involve fraud linked to property, insurance, probate, public funding or tax. Concerns about how law firms handle client money led the SRA to issue a revised warning notice last summer. This reminded solicitors that rule 14.5 of the Accounts Rules 2011, which prohibits the use of client account as a banking facility, is ‘an important first line of defence against clients or others who seek to use your client account to launder money’.
Such was the sobering backdrop to the Law Society’s annual risk and compliance conference, held in March.
Amasis Saba, head of business acceptance at Bryan Cave Leighton Paisner, told delegates that risk assessments should identify ‘risks that are unique to the firm’. For instance, to consider that only a complex offshore structure is high-risk is an error. In a risk assessment, firms should query their own ‘risk appetite’ – that is, identify any ‘red lines’, the proportion of ‘high-risk clients’ they want and which clients have been declined.
‘Chapter 2 of the Legal Sector Affinity Group guidance which the Law Society helped draft is very helpful for firms reviewing or updating their risk assessments,’ Saba tells the Gazette.
Moore notes: ‘If firms are covered by the regulations and have not yet done [a risk assessment] they are in breach of the regulations and are exposed to disciplinary action by the SRA. If they did so a while ago they should update the process.’
The regulations, Moore adds, require firms to hold for inspection a written copy of the risk assessment process. ‘The whole point of doing a risk assessment is then to base the policies, controls and procedures (PCP) as required by r19 [MLR 2017] on that risk assessment. So the greater the risk the firm faces, either as a whole or by department, the stricter the controls should be.’
Michelle Rosen, compliance officer for legal practice and partner at Brightstone Law in London, says her firm carried out a firm-wide money laundering risk assessment in 2017 which is now being reviewed annually. Rosen says: ‘The most difficult part of it is really trying to make sure that you list all of the potential risks, because only when you recognise [them] are you then able to say “this is what our responses are going to be”.’
Joe Payne, a partner and compliance officer for legal practice at Katten Muchin Rosenman, says: ‘While we are up to speed with what we need to do and are familiar with the rules now that we are two years down the line, it doesn’t mean that it is not arduous. Certainly it has changed the way that we, as a practice and as a sector, work.’
The 2017 regulations, which implemented the EU’s 4th Directive on Money Laundering, replaced the Money Laundering Regulations 2007. Payne says of the new rules: ‘It is about making sure that compliance is always front and centre of what we do, but also being able to show that it is front and centre.’ This means ‘a paper trail’ and, where appropriate, independent audits of PCPs.
MLR 2017 requires firms to conduct due diligence on clients and to identify the beneficial owner, and also to have procedures in place to assess whether a client or the beneficial owner of a client is a politically exposed person; this will require enhanced due diligence.
‘The general principle of doing CDD [customer due diligence], no matter how time consuming it is, is not difficult,’ Payne says. However, ‘checking on beneficial ownership is probably the most exacting requirement. We are not investigators. At some point you have got to stop your enquiries and be satisfied of what you are being told’.
What is clear is that law firms are seen as the first line of defence, not just by the regulator but also by law enforcement agencies.
A report published in December by the Financial Action Task Force, the global anti-money laundering watchdog, following an inspection of the UK’s AML regime, was largely positive. But FATF said: ‘While a significant number of high-quality SARs are received, the SAR regime needs a significant overhaul which would improve the financial intelligence available to the competent authorities… [there] remains an under-reporting of suspicious transactions by higher-risk sectors such as trust and company service providers (TCSPs), lawyers, and accountants.’
The number of SARs made by independent legal professionals (mostly solicitors) was 2,660 in 2017/18, NCA data shows. This was an 11.9% fall on the year before and comprised 0.6% of the 64,000 reports filed. Banks accounted for over 80%.
‘The legal sector will never match the vast number of SARs put out by the banks,’ Saba says. ‘We spend time getting to know one client in great depth; the banks process millions of transactions on an hourly basis.’
Saba, chair of the Law Society’s Money Laundering Task Force, bristles at the suggestion the legal sector does not file enough SARs, because it implies there is ‘a right number of SARs we should be filing. Instead we think it is important to remind everyone to make a SAR when they are suspicious, where privilege allows’.
Legal professional privilege, however, has hampered efforts to deter overseas parties, the NCA’s Toon insists. In March that was the message he took to the joint select committee on the Draft Registration of Overseas Entities bill. ‘Privilege can be a complex area and is often misunderstood by those outside of the legal sector,’ Saba retorts. ‘It is a fundamental protection within the UK’s legal system. We would welcome further discussion with the NCA on any cases they feel show that LPP has prevented proper filing of a SAR.’
To limit their risks, law firms have made greater use of ‘consent’ SARs, which are filed to seek consent to carry out transactions that may involve laundered money. These are known as requests for a defence against money laundering (DAML) and the NCA will investigate the proposed transaction before giving or refusing consent. In 2018, solicitors filed 1,753.
‘WE DON’T HAVE TIME TO BREATHE’
The role of compliance officer for legal practice was introduced by the SRA as part of its move to ‘outcomes-focused’ regulation. COLPs and compliance officers for finance and administration (COFAs) became compulsory for all SRA-regulated firms on 1 January 2013.
Joe Payne, a partner and COLP at Katten Muchin Rosenman, says: ‘There are times when everything else has to be dropped and there is always a fear of “what if things go wrong?”. Its biggest impact is that you are constantly fretting “have we missed something?”.’
Since taking on the role six years ago, Payne says it has become ‘more stressful’. That is due to the wider range of issues – including diversity – getting the regulator’s attention: ‘Finally, you have the SRA issuing bigger and bigger fines, so the consequences of getting things wrong are greater and greater.’
Brightstone Law’s Michelle Rosen has been the firm’s COLP since January 2013 and four years ago she dropped fee-earning to address the high demands of the role. She says the past 12 or so months have been particularly arduous.
In addition to updating the firm’s AML policies and procedures, and training staff, she has handled implementation of the GDPR (by 25 May 2018) and the new Core Practice Management Standards taking effect for all Conveyancing Quality Scheme practices on 1 May this year. And as we know, the 2011 SRA Handbook will be reissued with far-reaching revisions on 25 November.
‘We have got an office manual that covers the position of the current handbook and that has now got to change,’ Rosen says. ‘It feels a little bit like we don’t have time to breathe.’
One reason for the increasing volume of defensive reports is ‘the very low bar for suspicion’, Saba explains. Suspicion does not have to be reasonable, but just more than ‘fanciful’.
Moore argues: ‘There is a tremendous compliance cost which is way above the amount of money laundering activity that has been prevented. The cost is disproportionate. Law firms will every day turn away lucrative work for fear of not being able to meet their obligations under the 2017 regulations, which is, of course, unquantifiable and something that the profession does not receive sufficient credit for.’
In its response to the Law Commission consultation on SARs reform (which closed in October), the Law Society said: ‘The large volume of reports with limited or nil intelligence value is the key challenge of the current SARs regime in the UK.’ The commission is reviewing the consent regime, which leads enforcement agencies to struggle with the high volume of poor quality reports, and places a heavy burden on law firms and other businesses under a duty to report.
SARs and requests for a defence (DAML) are made to the agency under either Part 7 of the Proceeds of Crime Act 2002 (POCA) or Part 3 of the Terrorism Act 2000. In January, the government pledged £3.5m in 2019/20 to support work to reform the regime, and launched the Economic Crime Strategic Board to fight corruption and economic crime. The board is co-chaired by home secretary Sajid Javid and chancellor Philip Hammond and includes senior representatives from the NCA, SRA and UK Finance.
Transparency International estimates that £4.4bn worth of property across the UK has been purchased with suspicious wealth, meaning property lawyers feel the weight of heavier compliance requirements more than most.
Wedlake Bell partner Suzanne Gill says there is ‘increased awareness of the risk of commercial property as a vehicle for money launderers’ following the introduction of Unexplained Wealth Orders in January last year through the Criminal Finances Act 2017. UWOs are court orders that compel a person to prove the legitimate provenance of property worth £50,000 or more. So far, three have been sought by the NCA.
New accounts rules coming in this November will allow greater use of third-party managed accounts (TPMAs), giving all firms the option to avoid the exposure that client accounts bring. ‘It would be impossible to eliminate all risk related to cybercrime, but TPMAs could be a more secure way of handling client money,’ notes recent SRA guidance. ‘Using a TPMA may also help address your firm’s money laundering risk.’
However, there was scant interest in TPMAs among delegates at the Law Society’s summit. ‘There are not many commercial providers of these TPMAs at present, so they are not that popular,’ says Jayne Willetts, a solicitor-advocate and professional regulation specialist. A TPMA ‘is only as good as the information you put into it’, Wright argues. ‘If a firm has been compromised [through fraudulent instructions] it is not really going to make a massive difference whether the account is provided by a third party-managed service or not.’
Also coming into effect in November are separate codes of conduct for firms and solicitors. These will permit solicitors to offer reserved services to the public as freelancers, and non-reserved legal services to the public in a business the SRA does not regulate. In addition, a legal business will henceforth not have to be an ABS to employ a solicitor and offer non-reserved legal services. But could these changes increase the risks to firms associated with fraud and other misconduct?
‘The risks will arise from the introduction of new models of practice such as solicitors working in unregulated entities and freelance solicitors,’ Willetts says. ‘In the case of the former there is likely to be commercial pressure to cut corners from non-lawyer owners, and in the case of the latter the risks will arise from client pressure, inexperience and isolation from other professional colleagues.’
Marialuisa Taddia is a freelance journalist