Legal Compliance January 2020 – Reaching for the STARs
New Year resolutions for compliance officers for legal practice (COLPs) doubtless included reflecting on the need to pick up the SRA Standards and Regulations and the two new Codes of Conduct with renewed vigour. They have been in force since 25 November 2019, but compliance is a journey not a destination, so here are some suggestions for inclusion in your action plan. They include some points which, in the writer’s experience, are often overlooked.
Duties of the COLP
The duties prescribed in paragraph 9.1 of the Code for Firms are not radically different from the previous regime in rule 8.5 of the SRA Authorisation Rules 2011. However, they now include a requirement to ‘ensure that your firm’s managers and interest holders and those they employ or contract with do not cause or substantially contribute to a breach of the SRA’s regulatory arrangements’. This is potentially far-reaching and requires positive action.
Paragraph 2.2 of the Code for Firms requires that ‘[you] keep and maintain records to demonstrate compliance with your obligations under the SRA’s regulatory arrangements’. In practice, much of this burden will fall on the COLP. So keep an audit trail to show what you have done to comply.
Paragraph 4.4 of the Code for Firms requires that ‘[you] have an effective system for supervising clients’ matters’. Paragraph 3.5 of the Code for Solicitors, Registered European Lawyers and Registered Foreign Lawyers, provides that ‘where you supervise or manage others providing legal services: (a) you remain accountable for the work carried out through them; and (b) you effectively supervise work being done for clients’.
Gone is the old ‘qualified to supervise’ provision, but instead the Authorisation of Firms Rules requires the firm to have a lawyer of England and Wales who has practised as such for a minimum of three years and supervises the work undertaken by the practice. So this is not just about being entitled to supervise, but in fact supervising the work.
So a review of the firm’s supervision arrangements should be on the COLP’s agenda.
Many may think that in reality the changes from the SRA Code of Conduct 2011 are subtle and do not warrant training. However, the introduction to the new SRA Principles says: ‘The SRA Principles comprise the fundamental tenets of ethical behaviour that we expect all those that we regulate to uphold.’
The legal profession in England and Wales has paid little attention to ethics training in the past, in marked contrast to the United States where it is mandatory – a by-product of the fallout from Watergate.
From a purely self-interested point of view, if a wheel comes off and there is non-compliance by a member of the firm, the COLP may be in a far better place if they can demonstrate that the breach took place notwithstanding the training provided. In one case where the writer is advising a firm on multiple data breaches, the SRA has asked for details of the training provided to staff and whether that training was tailored to specific roles, as advised by the Information Commissioner’s Office (ICO).
The duty of confidentiality goes to the very heart of the solicitor-client relationship. Much press coverage has been devoted to the General Data Protection Regulation over the past two years, which may have diverted attention from the concurrent duty now in paragraph 6.3 of each of the Code for Solicitors etc, and the Code for Firms.
Although cyber-attacks and ransomware attract much press, barely a week passes without the writer being asked to advise in relation to far more mundane events – medical records left in taxis, letters sent to the wrong address, attachments sent with the wrong letter, and, of course, emails sent to the wrong address. The duty of confidentiality is all but absolute, and the few permissible exceptions do not include careless error.
The ICO’s published statistics for data breaches for Q4 2018-19 show the top identified breaches in the legal profession are emailing to the wrong recipient, posting letters to the wrong recipient, ‘other non cyber incident’, loss/theft of paperwork or data left in insecure location, and loss/theft of device containing personal data.
COLPs would do well therefore to satisfy themselves that the firm has reviewed its information security and trained staff.
The threshold for reporting compliance breaches has been lowered. Even under the previous regime, we have seen firms being investigated for delay in reporting matters which the SRA may have picked up in the press or through reporting by third parties.
While in the past a COLP may have wanted to investigate a report of a concern to decide whether a breach was proven, the obligations in paragraphs 7.7 and 7.8 of the SRA Code for Solicitors etc will require reporting at an earlier stage, so that the SRA ‘may investigate whether a serious breach of its regulatory arrangements has occurred’.
This is therefore another area for training staff.
The SRA has published extensive new guidance on client care letters. This includes a lengthy checklist covering matters such as next steps, costs, timescales, action required of the client, contact details, structure, layout and clarity, use of plain English, and highlighting key points. At the same time, it says the letter should be concise, which is perhaps a challenge given the extensive ground to be covered.
One important area to note in particular is the issue of vulnerable clients, one which has caused problems for firms in the past and may be expected to increase with the ageing population, though age is far from being the only example of vulnerability.
Another point to note in client care documents and terms of business relates to limitation of liability. Two partners in a firm were recently fined by the Solicitors Disciplinary Tribunal for breaches which included limiting liability below the minimum limit for professional indemnity insurance under the SRA Minimum Terms and Conditions. The prohibition on limiting liability in this way was previously apparent in the SRA Code of Conduct, but is now rather well hidden in the SRA Indemnity Insurance Rules which are unlikely to be read by many individual solicitors.
Marketing and referrals
Under paragraph 5.1 of the Code for Solicitors etc and paragraph 7.1 of the Code for Firms you can only accept introductions from an introducer complying with the publicity rules which apply to solicitors, and these have been tightened under the new code. Paragraph 8.3 of the Code for Solicitors etc and paragraph 8.9 of the Code for Firms prohibit unsolicited approaches; the words ‘in person or by telephone’ have been removed, so the ban is now wide enough to extend not only to door-knocking but also to email and social media.
COLPs in firms that receive referrals from introducers should review the marketing practices of those on whom they rely and the terms of their referral agreements.
Nearly all firms need to be authorised to carry on insurance distribution, though the writer has encountered a number which are not, and almost certainly have overlooked it. It applies, for example, to the arrangement of after the event policies, title defect insurance and missing beneficiary policies.
For most firms, this requires them to be authorised as exempt professional firms by the SRA. They must have an insurance distribution officer. That does not need to be the COLP, though it often is, but the COLP needs to ensure the firm has taken the necessary steps on compliance.
Check that the firm does not retain insurance commissions. Exempt professional firms which are authorised to do insurance distribution work have never been permitted to retain commissions but it is a common area of misunderstanding in the writer’s experience. The prohibition on retaining commission (or any ‘pecuniary advantage’) was clear for all to see in the 2011 version of the SRA Financial Services (Scope) Rules, but is rather obscure in the 2019 version; nonetheless, it is still there.
There is no substitute for comparing the new provisions line by line with the old, but it is a time-consuming task. However, key areas for attention are record keeping, breach reporting and training.