Anti-money laundering (AML) (Jul18)

The first anniversary of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 passed on 26 June 2018.  Larger firms are addressing the requirement in Regulation 21 for an independent audit function (‘where appropriate with regard to the size and nature of its business’).  While this does not have to be external, the AML Guidance for the Legal Sector says at 3.4.2 that it must be independent of those responsible for the AML policies, controls and procedures, and we are auditing a number of City firms and others.

The Law Commission has published ‘Anti-Money Laundering: the SARs Regime consultation paper’.  The consultation is open until 5 October 2018.  The paper examines the Defence Against Money Laundering (DAML) or consent regime and parallel provisions relating to counter terrorism financing.

The Fifth Anti-Money Laundering Directive, which amends the 4th Anti-Money Laundering Directive, was published in the Official Journal of the European Union on 19 June 2018.  Member States must transpose this Directive by 10 January 2020.  This will introduce a number of changes to the Fourth Directive, and is aimed at tackling terrorist financing, following the Paris attacks, and increasing the transparency of financial transactions and legal entities.

Key amendments address requirements for enhanced due diligence (EDD) relating to high risk third countries, establishing central mechanisms to identify holders and controllers of bank and payment accounts, requiring member states to maintain a list of exact functions they consider to be prominent public functions, and expanding the beneficial ownership regime to a wider range of trusts and trust-like arrangements. The government has confirmed that the provisions will be implemented notwithstanding Brexit.

A draft Registration of Overseas Entities Bill makes provision for foreign companies owning UK properties to reveal their ultimate owners on the world’s first public register.  Proposed sanctions include up to 5 years imprisonment.

Even smaller firms are experiencing an increase in exposure to Politically Exposed Persons (PEPs) and sanctions.  The Solicitors Disciplinary Tribunal recently found a solicitor guilty of failure to carry out EDD on a PEP.

The Law Society has published updated guidance on the European Commission list of High Risk Third Countries.

The AML Guidance for the Legal Sector and other resources can be found at www.legalrisk.co.uk/AML.  Links to the other documents mentioned are on our News page www.legalrisk.co.uk/news.

General Data Protection Regulation (GDPR) (Jul18)

There have been three reported decisions under Directive 95/46/EC which are of relevance to GDPR.

Secretary of State for the Home Department v TLU [2018] EWCA Civ 2217 established liability for damages for distress suffered by claimants who were not identified directly through a data breach.  The case also discussed the definition of ‘personal data’.

B v The General Medical Council [2018] EWCA Civ 1497 was a successful appeal by a patient for disclosure of a medical report containing mixed personal data of both the patient and the doctor.  The decision involved a balancing exercise.

Tietosuojavaltuutettu v Jehovan todistajat — uskonnollinen yhdyskunta (Case C-25/17) – The Court of Justice of the European Union applied a broad interpretation to what constitutes a filing system.  It also considered the issue of joint controllers.  (For those experiencing difficulty committing the name of this case to memory, it may conveniently be referred to as ‘the Jehovah’s Witness case’.)

The Information Commissioner’s Office (ICO) imposed a £200,000 fine on the Independent Inquiry into Child Sexual Abuse.  It is not beyond possibility that similar breaches could happen in a law firm – sending emails to multiple addressees without blind copying, and failing to train staff on the risk.  The monetary penalty notice contains details:  https://ico.org.uk/media/action-weve-taken/mpns/2259427/mpn-iicsa-20180705.pdf.

ICO statistics for legal sector breaches in 2017/18 show that people sending emails to the wrong person are a greater confidentiality and GDPR breach risk in practice (22.64%) than malware, ransomware, phishing, unauthorised access (cyber) and other cyber incident combined (11.95%).

Links to the cases can be found on www.legalrisk.co.uk/GDPR.  We have advised many firms on GDPR risk assessments and compliance.  These include a large number of major US firms, and we also have a webpage for those firms: www.legalrisk.co.uk/GDPRUSA.

Professional indemnity insurance (Jul18)

The majority of solicitors in England & Wales still renew their insurance on 1 October.  With possible changes in the Minimum Terms and Conditions on the horizon, this could be the last October renewal offering the current levels and breadth of cover.  Firms should therefore consider buying cover for longer than 12 months if they can.   The proposed changes also need to be factored into strategies on law firm mergers and acquisitions and retirement planning.

When considering levels of cover, firms should pay particular regard to the risk of claims being aggregated and subject to one policy limit.  We are advising many firms on coverage issues and claims and on block notifications where this is a significant problem, with claims far exceeding their policy limits.

We have commented in previous issues of Risk Update and in articles on why we believe the proposals for change from the Solicitors Regulation Authority are misconceived.  The assumptions on which the proposals are based appear to be more flawed than many have realised.  The statement in the consultation that ‘[some] 98 percent of historic claims in our data set would have fallen within this limit’ appears to be incorrect, as the SRA’s data covered the period 2004 to 2014 but excluded reserves on outstanding claims.  These must have resulted in millions of pounds in claims payments since 2014.   For the final policy year, it is likely that over 90 per cent of claims payments and reserves will have been omitted, with lesser amounts for earlier years.

Artificial Intelligence (AI): Supervision, regulation and ethics (Jul18)

Law firms are increasingly adopting AI.  This may create significant benefits in terms of efficiency but also carries potential risks.  These may include lack of transparency in the process for providing advice, difficulty in satisfying requirements for supervision, and compliance with the GDPR.

A paper published by Bafin, the German financial services regulator, addresses some of the regulatory and ethical challenges posed by AI.  Although this is aimed at the financial services sector, much of it is equally relevant to the legal sector.  A link is on our news page www.legalrisk.co.uk/news.

Cyber (Jul18)

The National Cyber Security Centre, part of GCHQ, and the Law Society have published a report highlighting the threats to law firms and offering guidance on combating the threats.   The report is concise and contains numerous links to useful resources.

A link to the report is on our News page www.legalrisk.co.uk/news.

Referral fees (Jul18)

The SRA has fined a firm £2,000 plus costs of £1,825 for breaching the referral fee ban in section 56 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012.  We have advised many firms on referral arrangements and compliance with the ban.
