Email fraud, threats to third-party supply chains and ransomware pose nightmare scenarios for law firms. Joanna Goodman looks at the everyday perils that give compliance officers sleepless nights
Law firms need to manage risk and compliance effectively to meet their legal, financial and professional obligations, to keep their – and their clients’ – money and data secure and protected from fraud. Achieving that will safeguard their reputation and professional status.
Compliance officers for legal practice (COLPs) and finance and administration (COFAs) are officially responsible for ensuring that the firm has systems and controls in place that demonstrate compliance with the profession’s legal obligations and the Solicitors Regulation Authority (SRA)’s rules and guidance. They are also required to report regulatory and data breaches.
As legal processes and resources have moved online, not least with the introduction of government portals, the compliance burden has grown more complex. This was acknowledged at the SRA’s Compliance Officers Conference last month, which recommended firms introduce the role of deputy money laundering reporting officer (MLRO) to share the workload of ensuring compliance with money laundering regulations. This suggestion came at the end of a year when the SRA stepped up enforcement action against firms that failed to satisfy anti-money laundering requirements, checking on an average of seven firms per month.
The key message from the SRA conference, and from compliance officers across the sector, is that compliance is a shared responsibility across the firm and all its stakeholders. Good policies, systems and processes, which are the domain of compliance officers, need to be supported by awareness and action across the legal services supply chain.
The Covid-19 pandemic accelerated tech adoption, forcing law firms of all sizes to move services and operations online. While this made legal services more accessible and facilitated process automation, it also broadened the compliance environment and increased the risk of data breaches, fraud and cybercrime.
Cybercrime is top priority
Cybercrime is the top threat keeping compliance officers, partners and managers awake at night, attendees at the SRA conference heard. Law firms are targeted by cybercriminals because they manage the financial element of transactions and hold valuable corporate and financial data. Conveyancing and high-value probate matters are the primary target of email scams, explains Rachel Clements, regulatory manager at the SRA. In the first six months of 2021, just under £1m in client money was reported to the SRA as having been stolen – and it is likely that more incidents occurred but were not reported.
The three threats that are most reported to the SRA are: email fraud, such as phishing and spoofing, which are a gateway to larger financial fraud; third-party supply chain risks – a hacker exploiting a vulnerability in third-party software, or intercepting communication with a trusted supplier, like an IFA, to divert money to a fake account; and ransomware, which is increasingly part of organised crime, as hackers have moved on from encrypting data and demanding a ransom after stealing confidential data and holding it hostage, with the ability to publish it if the ransom is not paid. The SRA received 12 reports of ransomware attacks in 2021. Again, the regulator believes it is likely that other incidents went unreported.
COLPs are worried about loss of data through hacking, phishing and ransomware, and even the biggest firms are not immune. DLA Piper’s high-profile ransomware attack in 2017 was down to third-party vulnerability, underlining the significance of managing supplier risk.
While the SRA does not take enforcement action against firms which report incidents, it emphasises the need for firms to assess and manage transactional risks and avoid breaches that are distressing to victims and damage the reputation of firms and their clients.
Digital identity crisis
A story reported by the BBC in November 2021, of a forged driving licence being used to fraudulently sell a house while its owner was away, highlighted the importance of effective online identity and AML checks. It is easier to fake digital documents than physical ones, observes Matthew Hoe, director of litigation and dispute resolution and COLP at top five conveyancing firm Taylor Rose. ‘While you can use blacklight technology to scan passports, online ID verification is more challenging,’ he says. ‘I am grappling with the best approach to AML checks. We are increasing looking to online providers rather than meeting clients, but there is fear that the SRA will judge online verification apps to be lacking in some way.’
Taylor Rose is exploring online verification services where a client can scan their passport and driving licence to an app and then record a live video to verify the document. ‘It works for the highly regulated banking sector, so it should work for legal too, but in some circumstances we may still need to see original documents,’ adds Hoe.
The SRA selected Taylor Rose for a random AML compliance check. ‘As the firm’s money laundering compliance officer (MLCO), I attended the meeting together with our money laundering reporting officer (MLRO) and we were asked a long list of questions,’ says Hoe. He believes that it would be helpful, particularly for smaller firms, if the SRA shares the checklist it uses in these meetings as this would enable firms to identify whether they were fulfilling their AML obligations.
Email security is critical
With conveyancing (the most common target of cybercrime) representing more than half of its business, Taylor Rose is sharply focused on cybersecurity. Client emails have been targeted by phishing and spoofing. Hoe highlighted the need for public awareness around email security and passwords, and envisages more providers moving towards multi-factor authentication.
Email security was covered extensively at the SRA conference, where Rachel Clements and cybersecurity and systems penetration specialist Matthew Roberts highlighted the need for vigilance around the source of emails and notifications. This encompasses, for example, reminding clients, lawyers and business professionals to look out for messages purporting to be from senior management, the IT department or well-known suppliers, requesting money to be transferred to different accounts, access to passwords, computers and systems, and reporting potentially suspicious emails or links.
Password awareness helps to combat cybercriminals who use programmes that automatically try thousands of common and leaked passwords to intercept emails and transactions. He recommended regularly changing passwords, avoiding using the same passwords for multiple systems, or easily guessed words and phrases, and potentially using a random password generator. Multi-factor authentication, which requires confirmation on a different device – such as a code texted to your mobile phone – is increasingly used to validate financial transactions and provides another layer of security.
Notification of potential threats, and a no-blame culture when it comes to incident reporting, is another critical element of the fight against cybercrime.
While financial losses due to cybercrime can be recovered, this does not apply to confidential or sensitive data. Therefore, cybercrime needs to be top of mind for all law firms, in the interests of data security and client confidentiality.
Barriers to entry
Chun Wong, partner and COLP at consumer litigation firm Hodge Jones & Allen, deems cybersecurity even more important in today’s hybrid world, as lawyers and clients working from home may be more exposed to risk. As cybercriminals are becoming increasingly sophisticated, it is impossible to eliminate risk entirely. ‘When you get so many emails every day, you need external help: investment in IT and third parties supports seamless hybrid working, systems security and compliance.
‘The SRA has made it compulsory for indemnity insurers to confirm whether their cover includes cybercrime. We have separate cyber insurance and we use Cyber Essentials, [a government-backed certification scheme] which implements controls, and tests and verifies the resilience of your systems. We are looking to implement Cyber Essentials Plus [which includes hands-on technical verification].’ The firm is also contemplating migrating to cloud-based systems with built-in security, backed up separately to protect business continuity in the event of a ransomware attack.
Cultural evolution
Hybrid working has forced lawyers to bring compliance issues home and firms have had to adjust. Challenges include maintaining robust policies and procedures and ensuring all staff keep up with compliance training, remaining vigilant against external threats, and making sure staff are aware of their obligations and responsibilities and are comfortable reporting potential scams or breaches. ‘We have to give people sufficient support and training to spot risks and report back when they are in doubt, and this requires a culture of responsibility rather than blame,’ she adds.
To some extent, anxiety around risk and compliance is holding back digital transformation. While some regulations have been relaxed temporarily to allow for online identity checking and electronic witnessing and signature, firms are evaluating how much to digitise from a risk management perspective. ‘We accept electronic signatures for some legal documents, such as client care letters, but we decided the risk was too high to witness wills over Zoom, because we are not prepared to take the risk when large estates are involved,’ explains Wong.
Common checklist
The SRA Compliance Officers Conference highlighted four key challenges for risk and compliance, and some practical and strategic approaches to common issues. As new challenges are constantly developing around cybersecurity and financial fraud, a strategic approach generally involves combining up-to-date solutions with a culture of awareness, vigilance and action.
- Cybersecurity – the main threats are email phishing and spoofing, third-party supplier risk and ransomware. What can you do about it? Make sure your systems and processes reflect your policies and are easy to use (or built into your case management/practice management system). Make sure systems are up to date and patched for the latest vulnerabilities. Establish effective password management; use external resilience checking and accreditation (which also shows PI insurers that your firm is focused on risk management); assess and monitor the security credentials of third-party suppliers; train everyone to be vigilant; support no-blame reporting of (potential) breaches/incidents.
- Anti-money laundering – challenges around online verification and SRA checks. What can you do about it? Incorporate AML into case management systems and workflows; decide what to digitise; keep up to date with threats and solutions; develop an AML culture so that IT is notified of potential breaches.
- Data security, GDPR, client confidentiality – the conference fielded questions around conflicts, disclosures and transparency. What can you do about it? Maintain awareness across the entire stakeholder network, including clients and third parties.
- Reputation management – incident reporting; incident recovery/business continuity planning; reporting breaches/misconduct; deciding which clients to represent, on the basis of reputational impact.
Governance and process automation
For larger firms, risk and compliance can be integrated into core policies, processes and systems. Weightmans, which handles both volume and bespoke work, has incorporated compliance and risk into the firm’s governance model.
Partner and business services and innovation director Stuart Whittle heads the risk and compliance team. He explains that over the past two years, the audit risk committee chaired by one of the firm’s executive directors has developed a risk register to evaluate the severity and potential impact of different risks. Whittle’s team then decides on a course of action: to accept the risk, to insure against it, or to take mitigating action. The biggest consequence of risk is professional indemnity insurance, where premiums have increased significantly over the past year. ‘In a hardening insurance market, insurers want to understand your policies and processes for managing risks,’ he adds.
Weightmans subscribes to The Law Society’s Lexcel accreditation scheme and incorporates Lexcel policies and processes into workflows within the firm’s case management system. ‘The case management system’s file opening process walks people through everything they have to do in terms of AML compliance, KYC (know your client) and other professional obligations. This makes sure all the required processes are followed and provides the risk team with an auditable record, so that when we get audited by the SRA or our Lexcel auditors, they can pick any matter and see that we have completed all our client care obligations. Unless compliance is incorporated into case management, it can be seen as a barrier to progressing a matter,’ Whittle explains.
Additionally, Weightmans’ quality standards team remotely audits a selection of files across all teams against criteria including statutory and regulatory requirements, AML, KYC and so on, and reports back to each team manager with recommendations for corrective action if this is needed. Whittle’s IT and innovation teams follow a detailed procurement process, which includes a data protection impact assessment (DPIA).
Whittle identifies cybersecurity, regulatory compliance (GDPR, AML and SRA enforcement visits) and professional reputation as top priorities. The firm’s ISO27001 certification is used to audit suppliers and rank them into risk categories. Furthermore, Weightmans is regularly audited against ISO27001 controls by its institutional insurance clients who require assurances that the firm is protecting their valuable data.
Risk and reputation
Reputation risk is becoming a higher priority. ‘Solicitors trade on their professional reputation for honesty, integrity and client confidentiality, and compliance measures that protect client data and funds are critical to that,’ observes Whittle.
High-profile data leaks have focused firms’ attention on reputational risk. Following the Pandora Papers revelations, law firms were criticised for advising on matters that were technically legal, but seen as ethically dubious, to the extent that the SRA became involved.
The fallout of investigations into the Pandora Papers highlighted the need for firms to balance protecting the right of individuals and organisations to legal representation against their own risk of being associated with certain people and industries.
Risks around data loss – cybersecurity, ransomware and other data breaches – are business-critical for private client firms such as Forsters that represent wealthy families and their businesses. ‘Losing our clients’ data, or having our systems locked down by ransomware could shut down our business, so we are sharply focused on data security and regularly run penetration testing,’ says partner and compliance officer Stuart Hatcher. His role balances compliance risk, business risk in terms of ensuring that the firm’s portfolio reflects its values, and risk aggregation – whether current small risks to the firm’s reputation might develop into bigger issues. ‘We need to think about risk more holistically,’ he adds.
Law firm risk management is starting to reflect the flipside of ethical consumerism, in that a firm might have to decide whether to represent particular clients on the grounds of its own reputational consequences, in terms of its ability to attract clients and talent.
‘Everyone is entitled to get legal advice, but there are questions around whether the next generation of lawyers will be comfortable acting for environmental polluters or climate change deniers,’ observes Hatcher. Perhaps the next challenge for the profession is deciding where to draw moral and ethical lines. While accountancy firms’ policy panels may decide whether or not to advise on certain tax structures, Hatcher wondered whether it would be right for law firms to have equivalent panels deciding whether to accept instructions, given that their role is to advise their clients on the legal aspects of transactions and financial decisions.
Alongside data security and regulatory compliance, reputational risk is a growing concern in law firm risk management.
No comments yet