Law Society spotlight: Risk and compliance

Amid all the talk of ‘unprecedented change’ and ‘the new normal’, one central facet of solicitors’ professional lives remains resolutely unchanged: the compulsory requirement to demonstrate compliance with the Solicitors Regulation Authority (SRA) codes of conduct for solicitors and firms. As Law Society head of risk and compliance Pearl Moses cautions: ‘The SRA expects solicitors and firms to continue to meet the high standards the public expects.’

But how do firms meet compliance rules when they have some fee-earners working remotely, others furloughed, and others taken suddenly ill with Covid-19? How do you supervise at arm’s length or securely carry out file audits? And then there is client confidentiality. Who is listening when you are on the telephone at home? How do you protect data security or carry out client due diligence? And, assuming you get on top of all this, how are you expected to find time to provide a service to clients?

Keep calm and carry on. That is the message from various solicitors whose practices focus on risk and compliance. Professional regulation partner Paul Bennett of national firm Bennett Briegal says confidentiality should be a ‘key focus’ for law firms adapting to the Covid-19 era: ‘Working from home, as most of us are, the challenges around legal professional privilege and confidentiality are different from those in the office. For example, you should ensure that housemates or family members do not take photographs or make social media posts which would compromise client confidentiality by including, for instance, file names containing clients’ personal data or documents.’

Bennett proposes four ‘basic steps’ solicitors working remotely should take to protect confidentiality. The first is end-to end-encryption when sharing confidential or privileged material. ‘This is not foolproof,’ he warns. ‘Screen shots can still be taken and misused or the wrong person, through human error, can receive the message. But it does show that your firm’s approach to confidentiality is focused in a risk management way.’

He references the case of a lawyer in England whose laptop, containing unencrypted data, was stolen. The lawyer, the victim of a crime by a third party, was nonetheless fined for failing to comply with the regulations around client confidentiality.

The second and third steps involve equipment. ‘If colleagues are talking on the phone or via video platforms in a shared house,’ says Bennett, ‘have you given them headsets to make sure calls cannot be overheard? Equally crucially, are your teams using them? And then what technology are they using? Are their laptops, for example, fit for purpose or are they using their own devices which are perhaps outdated?’

Bennett’s fourth step is perhaps the most important: ‘Because of Covid-19, staff will be working from home for the very first time. Have they been trained for the changed nature of the job in hand?’

Jennifer O’Donnell, head of risk at national firm Clarke Willmott, observes: ‘Any change as significant as (Covid-19) comes with associated risks because compliance is based around processes. Lawyers are collegiate in their approach. If their usual means of communication are disrupted, problems might arise. We need to bridge the gap caused by remote working so that the collegiate approach can continue to function.’

Does O’Donnell think that the profession has coped well with the pandemic? ‘Going into the present lockdown was comparatively straightforward in that we had a single objective – go home, stay there, work. But if there’s a second spike in infections, it could be more difficult. We – that is the profession and the government – need to look back at the decisions that were made and see what lessons we can learn from them. The spike must not come as a surprise; we need to be prepared for the next time.

‘What we must not do is breathe a sigh of relief and try and forget about the trauma that was the global pandemic.’

Does she have any tips for colleagues in the profession? ‘It’s not a jaundiced view of the world, but a sad reality to acknowledge that there are some dishonest people working in law firms,’ she says. ‘This is why we have compliance processes in place requiring more than one signatory when sending out money, for example, thereby reducing the risk of fraud.

‘Moreover, Covid-19 means there has been a sudden increase in the number of disgruntled former employees who might have a grudge against your firm, such as those made redundant. You should be aware of this and coordinate with the IT and HR teams to take rapid action to protect the firm’s interests.’

Hilary Palmer is a commercial property solicitor at Kent firm Keene Marsland, one of the Parfitt Cresswell group of law firms. ‘Property practices are popular targets for money launderers and fraudsters because we are always handling large sums of money on behalf of clients,’ she says. ‘Before Covid, we were very mindful of the risks, but now the usual way of ensuring client due diligence has had to be adapted to reflect the changed circumstances of working from home.’

Parfitt Cresswell has nine offices across south-east England. ‘Before Covid, I might have been handling a matter from the Tunbridge Wells office, but my clients could have said they would prefer to go to the Fulham office to have their IDs verified. It was more convenient. No problem. Tried and tested procedures were in place. Contrast that with the present situation, where each of those nine offices has fragmented into dozens of individual fee-earners working remotely from home.’

The firm’s solution to verifying ID documentation without running the risk of spreading the virus is surprisingly low-tech. ‘Tell clients to take a selfie while holding their passport or other photographic ID,’ suggests Palmer. ‘Or they could ask someone else to take the picture. Then they should take two further photos: one a close up of the passport; the other of paperwork confirming their address – a bank statement, perhaps, or council tax bill. Send them to the fee-earner and they’ll be forwarded to a specialist agency that verifies ID by checking information against a range of databases.’

Rebecca Atkinson, director of risk at City firm Howard Kennedy, highlights the problem of cybercrime and how to reduce one’s exposure to it. One method is penetration testing, where you pay a skilled hacker to try and ‘penetrate’ your network and website, in the process identifying any security vulnerabilities that urgently need addressing.

The other method she describes as ‘fun’ and requires you to ‘phish’ your own staff. (Phishing is sending an email that appears to come from a trusted source, but is in fact fake and intended to persuade you to divulge sensitive information, such as bank details or passwords.) ‘Again, by phishing staff, you are effectively stress-testing your own IT set-up and spotting weaknesses,’ says Atkinson.

Law Society head of risk and compliance Pearl Moses summarises some of the challenges posed by the Covid-19 lockdown and the measures that should be taken to mitigate risks.

‘Employers have been urged to allow employees to work from home,’ Moses begins, ‘but with the important proviso that employees who do not ordinarily work from home have the technical and other support necessary. Many challenges will have to be dealt with in the virtual space, but being away from the office does not diminish the importance of your regulatory obligations.’

She moves on to a firm’s obligations to clients. ‘Inform clients of any changes you are making, such as moving your team to remote working or discontinuing certain types of work. If a service cannot be provided, then give the client contact details of another solicitor who can still provide that service. All contact details should be updated and face-to-face meetings replaced with telephone, video and Skype calls.’

What if your compliance officer for legal practice (COLP) becomes ill when the firm needs them the most? Moses says that it would be ‘useful’ to have an informal deputy COLP in place to assume the responsibilities of the absent COLP; the role is person-specific, she explains, and the SRA does not register formal deputies. Sole practitioners, she adds, ‘should consider an arrangement with another solicitor who can be available in situations such as this. Clients should not be left in limbo expecting a response’.

The supervision of others in the provision of legal services must continue uninterrupted because practitioners remain accountable for work done on their behalf. Moses recommends ‘daily telephone or Skype calls; regular email check-ins; review of work by more than one person (if possible); and being readily approachable both virtually and by telephone to answer questions’.

Moses ends: ‘The SRA codes for firms and individuals still apply during this difficult period and the SRA will expect that standards are maintained. Solicitors are still subject to code compliance and should record the same issues that they would in the office so that they can justify their decisions in the future if required.’

 

Jonathan Rayner is contributing writer at the Gazette