A Review of 2017 and Predictions for 2018
This article identifies some of the key developments which law firm general counsel and risk managers, primarily in the UK, have had to address during 2017 and some which are in the pipeline for the coming year.
Anti-money laundering (AML), counter terrorist finance (CTF) and sanctions
2017 has been one of the busiest years for those involved in AML, CTF and financial and trade sanctions. First and foremost, we have The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and 118 pages of fine detail, with a particular focus on policies, controls and procedures, documented risk assessments, independent audit, screening of relevant employees and appointment of a senior management officer responsible for compliance.
The profession still awaits the SRA’s risk assessment on which firms need to draw to prepare their own risk assessments. The SRA’s work on updating its May 2016 Thematic Review (which was based on work carried out much earlier) is ongoing.
The requirement for independent audit may prove a challenge for many firms: the PwC Law Firms Survey 2016 noted that there were still 44% of top 200 firms without any internal audit and even for those which had it, internal audit remained an under-resourced function in law firms, with the annual budget on internal audit processes being well below the UK general benchmark of 0.05% of revenues’. (No comparable figures were published in the 2017 Survey.) Many firms are looking to outsource this.
We have yet to hear of any practical issues, despite the obvious threat, arising from the changes in relation to pooled client accounts, but it can only be a matter of time, and firms need to review their terms in order to enable them to comply if asked.
The National Risk Assessment highlighted two areas of particular significant concern. First, the misuse of client account as a banking facility contrary to rule 14.5. Secondly the National Risk Assessment identified the risk in innovation in practice: we can but hope that the SRA will take heed when considering its proposal to permit employed solicitors outside private practice to offer services to the public. (See SRA consultation, which closed on 20 December 2017, ‘Looking to the future: phase two of our Handbook reforms’.)
Both these issues should be a concern as the UK awaits the Financial Action Task Force Mutual Evaluation in 2018. We expect the effect of this will filter down and influence the SRA’s appetite for enforcement; we have already seen a major City firm fined £50,000 and three of its partners £10,000 each for a range of breaches, including AML compliance.
Meanwhile, Europol published a report, ‘From Suspicion To Action – Converting Financial Intelligence Into Greater Operational Impact’. This noted that just 10% of suspicious transaction reports (STRs) are further investigated after collection, a figure that is unchanged since 2006. Over 65% of reports are received by just two Member States – the UK and the Netherlands. Reporting on terrorist financing accounted for less than 1% of reports received by FIUs in 2013-14 (the most recent figures available).
In 2016 the International Consortium of Investigative Journalists published the Panama Papers; 2017 brought the Paradise Papers. The latter raised less evidence of criminal tax evasion, and caused significant concern as the data was obtained by a criminal hacking of Appleby, a well-known offshore law firm, which is now reported to be taking legal action against the BBC and Guardian Newspaper for breach of confidence through using the documents. The publication of the data has undoubtedly kept lawful tax avoidance and illegal evasion firmly in the spotlight and will increase pressure by legislators for reform.
Tax issues are high on the agenda for many firms as they need to introduce ‘reasonable procedures’ to prevent the facilitation of tax evasion under the Criminal Finances Act 2017. This is probably a greater risk for those firms who do not advise on tax, but could be unwittingly ensnared by the provisions, rather than the firms who specialise in tax and who are more likely to be alert to the issues. So, for example, advice to a small business where the client asks for a bill to be made out in the company name, rather than the individual director who gave the (personal) instruction, could create criminal liability, as it may lead to tax and VAT savings for the director.
For the year ahead, we shall have to see what impact the new Office for Professional Body Anti-Money Laundering Supervision (OPBAS) will have on regulation by the SRA. However, as it is led by the Financial Conduct Authority (FCA), it is worth taking note that the FCA are perceived as becoming more aggressive in the pursuit of criminal proceedings against both firms and individuals, so we may see a tougher enforcement regime – all the more reason to ensure that you evidence everything you do in the area of AML compliance. Some may question whether OPBAS represents further erosion of the independence of the legal profession.
“we may see a tougher enforcement regime – all the more reason to ensure that you
evidence everything you do in the area of AML compliance.”
Regulation 9 of The Oversight of Professional Body Anti-Money Laundering and Counter Terrorist Financing Supervision Regulations 2017, which provide for the establishment of OPBAS, contains provisions which on their face protect legal professional privilege, but this may at some point be tested in the courts: we can foresee issues potentially arising from the SRA’s powers to obtain privileged documents, as privilege questions tend to be challenged in extreme circumstances.
In December 2017, the European Parliament and the Council reached a political agreement on the Commission’s proposal to further strengthen EU rules on anti-money laundering and counter terrorist financing, which is the start of the process which will lead to the so-called Fifth Directive.
There have been significant changes in relation to financial sanctions, with the creation of the Office of Financial Sanctions Implementation (OFSI) and a new reporting regime applying to independent legal professionals (among others) where a person has knowledge or reasonable cause to suspect that a person is a designated person and is in breach of EU financial sanctions.
It remains to be seen if the government will try again to create a wider offence covering failure to prevent economic crime generally.
Cyber risk and fraud
2017 will go down as the year when the identities – not just the personal data – of half the population of the United States and hundreds of thousands of UK citizens were compromised by the loss of data by Experian, and Uber paid criminals to conceal the fact that they had had a massive data breach. Some law firms paid ransoms to retrieve data encrypted by ransomware, others managed to restore their data from backups. The issue is ever higher on the agenda with the General Data Protection Regulation (GDPR) around the corner. Cybercrime is now 53% of all reported crime.
One firm has been subject to disciplinary action for allowing itself to be subject to a scam; the firm paid away over £330,000 to a fraudster’s bank account without verifying the account details contained in a hacked email.
Of particular concern, cybercrime may be used to further terrorism. Terrorism does not require large sums: recent high profile incidents have cost as little as £30 to implement.
Cyber risk is not confined to criminal action, however. US and other border searches of mobile devices and laptops are a concern. Firms should review their guidance to staff on this, and will find the New York City Bar Association guidance helpful. Perhaps the biggest cyber risk of all is people sending emails to the wrong person; many firms, the writer’s included, are deploying software using artificial intelligence to help control the risk, perhaps as much to demonstrate that they are treating the risk seriously, even if there can never be a total solution to the problem.
So far as other fraud is concerned, particularly identity fraud, the decision in Dreamvar (UK) Limited v Mischon De Reya and Mary Monson Solicitors Limited, which caused widespread concern among conveyancing practitioners, is due to proceed to the Court of Appeal with the case of P & P Property Limited v Owen White & Catlin LLP.
Brexit continues to be a concern with the combination of uncertainty, the threat to practice rights and the fear of economic impact. Like the Hotel California, even when the UK checks out, it may never leave entirely, as certain benefits currently enjoyed through membership, particularly for the financial sector, may continue to be seen (if not by all) as attractive enough to merit paying a price.
Other concerns include the risk that the UK will not achieve equivalence under GDPR, which may impede the workflows of multinational practice as well as the use of cloud systems across borders.
A key factor in achieving equivalence will be the proposed reform of the Investigatory Powers Act 2016, following the decision of the Court of Justice of the European Union on 21 December 2016, specifying a number of requirements that need to be in place for a data retention regime to be compliant with EU law. On 30 November 2017, the Government announced a consultation on proposals to amend the Act.
Brexit may also impact on the provision of insurance cover in multiple jurisdictions, though probably more of a practical concern for our insurance providers.
“Compliance will be a journey, not an event to be achieved by 25 May”
Firms may have been preoccupied by the need to revise their AML systems, but on 25 May 2018 the GDPR will be fully in force. Guidance continues to flow from the Information Commissioner’s Office and the Article 29 Working Party. Meanwhile a non-binding opinion by the EU advocate general advised that Viennese lawyer Max Schrems, who previously succeeded in achieving the demise of the Safe Harbor arrangement for exporting data to the USA, is entitled to sue Facebook’s Dublin-based subsidiary through the Austrian courts, but not by leading a class action lawsuit.
Compliance will be a journey, not an event to be achieved by 25 May: what constitutes good practice and ‘appropriate technical and organisational measures’ will continually evolve. Key to compliance are the principles of accountability and transparency which achieve elevated significance under GDPR. As with AML, this will require a comprehensive risk assessment and thorough review of documentation, including policies, terms of business, and privacy notices.
Professional liability and indemnity Insurance
The Supreme Court decision in AIG v Woodman shed some light on the meaning of the aggregation clause in professional indemnity policies, under which (in outline) multiple ‘claims arising from “similar acts or omissions in a series of related matters or transactions’ are subject to one policy limit with one excess. However, the practical application to particular facts may still pose challenges in our experience of advising on coverage issues, and as the Supreme Court decision demonstrated, final application will turn on the findings of fact, so even the result in AIG v Woodman is as yet not fully determined.
In more extreme cases, and this is not purely hypothetical, the application of the decision may result in a shortfall, which must either be borne by the partners in the firm, if they have the means, or claimants, who may often in these circumstances be individual consumers. When we say this is not purely hypothetical, we do so because there are cases going through the courts now where this will have significant impact.
All firms should be considering how the decision impacts them. It may impact firms using standard precedents and computer systems (including those using artificial intelligence) for high value commercial work as much as those doing volumes of relatively low value consumer work.
Limitation of liability was considered, albeit obiter, in Halsall v Champion Consulting Limited, where a time limit on claims of six years effectively excluded section 14A of the Limitation Act 1980; however, the claimants were themselves litigation solicitors and there are still practical difficulties in limiting liability to lay clients, given the burden of establishing reasonableness imposed by the provisions of the Unfair Contract Terms Act 1977, as previously expressed (again, obiter) in Lyons v Fox Williams LLP. All that said, it is still prudent in our view for firms to seek to limit liability where they can, if only to secure a negotiating position where all else fails. There may in any event be more which can be done in the event of a claim to establish the reasonableness of the position: judges may be prone to deciding the matter principally on the basis that solicitors are insured, without having sufficient understanding of the difficulty which firms, particularly smaller ones, may have in obtaining affordable insurance in future, similar to the issue which may arise in applications for relief from breach of trust under section 61 of the Trustee Act 1925, as in the Dreamvar case mentioned above.
Employees who are in dispute with their firms should be cautious about the terms of confidentiality clauses in settlement agreements: if they seek employment in another firm, either the firm or its insurers may want some basic information, and if the lateral hire cannot provide it, the job offer may be revoked.
Regulatory fines and penalties
The past year has seen substantial fines imposed on City firms for a variety of breaches, with fines of £50,000 on two firms, £250,000 on a US firm, a record £500,000 fine on a US firm, £10,000 fines on three partners in one of those firms, and £50,000 fines on partners in two of the others. The previous record was £305,000 for an own interest conflict where the fine equated to the benefit derived from the breach.
These raise two issues, first, whether the SRA is becoming more willing to take on City firms than in the past, and secondly whether higher fines should be imposed on larger firms to reflect their greater financial strength. While the Solicitors Disciplinary Tribunal may reduce fines on account of a respondent’s limited means, there is a dearth of authority on imposing higher fines where the respondents are of substantial means, and particularly where the breach may have resulted in substantial profits: the £250,000 fine was imposed under an agreed outcome in a conflict case where the two teams comprised a total of 238 staff in the firm’s nine offices.
This was the year the SRA Board stopped allowing the public into meetings and stopped publishing board papers. Given the statutory obligations of transparency and accountability in section 28 of the Legal Services Act 2007 this was regrettable. The SRA observed that few members of the public attended meetings, but the presence of the press who published reports was all that most interested people required in practice.
SRA Accounts Rules issues have continued to affect even some of the finest firms, particularly breach of the ban on providing banking facilities mentioned earlier; we have also seen more investigations over conflicts, both client and own-interest. Lack of self-reporting is resulting in sanctions.
Reform of the SRA Handbook is in the pipeline as mentioned earlier, with the second consultation recently closed. In practice however, much of this is unlikely to have a significant effect on established practice; the significant issue is around the potential opportunity for unregulated firms – ‘alternative legal service providers – to employ solicitors offering services to the public without many of the protections, such as insurance and the compensation fund, offered by private practice.
More challenging is the increase in regulation by clients, through client-imposed terms, or Outside Counsel Guidelines. The similarity in demands by apparently unrelated clients may not be coincidental. These may seriously undermine firms’ independence, though little, it seems will be done to follow up on the excellent work which led to the SRA-commissioned report by Dr Steven Vaughan, University of Birmingham and Claire Coe Smith on this.
Firms are also challenged by clients’ increasing demands in relation to information security – understandable in principle, against the background of cyber-attacks, but they may conflict with other clients’ requirements, seek disclosure of sensitive information on the firm’s systems and include audit requirements which put other clients’ confidential information at risk.
The Government’s Green paper on Corporate Governance Reform was published in 2016. In November 2017, the Government announced that it intends to invite the FRC, together with the Institute of Directors, the CBI, the Institute for Family Business, the BVCA and others to develop a voluntary set of corporate governance principles for large private companies under the chairmanship of a business figure with relevant experience.
Law firms continue to become an ever more regulated profession. It is no longer sufficient to carry on doing things the way they have always done them as firms are subject to the increasing demands for senior management engagement, policies, controls and procedures, audit, records, and training and screening of staff, coupled with ever more onerous client requirements. Regulation is becoming stricter and the consequences of non-compliance are, perhaps, beginning to have a chilling effect.
Frank Maher is a partner in Legal Risk LLP, solicitors specialising in advice to law firms, their insurers and regulators, on professional regulation and professional indemnity insurance. www.legalrisk.co.uk