Risk Update • January 2019

As the risk of a no deal hard exit from the European Union on 29 March 2019 looms, there are many areas for attention by risk and compliance professionals.   While this does not seek to be a Brexit newsletter, we address some of these further below.  The impact on most areas of life means that supply chains and business continuity may be affected, as well as international firm structures, practice rights of foreign lawyers in the UK and UK lawyers practising in Europe, data transfers.

Guidance has been issued by The Law Society on Providing legal services in the EU and the Solicitors Regulation Authority (SRA) issued updated guidance on 28 December 2018 on the Government’s Technical Notice on the impact of a ‘no deal’ EU exit scenario on EU lawyers practising in the UK.  Links can be found on www.legalrisk.co.uk/news.

While the widely-reported Mutual Evaluation Report of the UK by the Financial Action Task Force (FATF) was complimentary about the UK’s efforts in the fight against financial crime, giving the highest rating yet for any of the 60-plus countries evaluated so far, that may be where the good news ends.  Although the UK legislation derives from European Directives, it is the Government’s intention that there will be no material change due to Brexit.

The new National Economic Crime Centre, housed within the National Crime Agency (NCA), is tasked with coordinating the national response to economic crime.  However, we still await an outcome to the Government’s 2017 consultation on a proposed corporate offence of failure to prevent economic crime, which would have a significant impact on law firms’ own compliance obligations, as well as the rest of the business community.  That may come: Sir Brian Leveson, President of the Queen’s Bench Division, and the new Director of the Serious Fraud Office, Lisa Osofsky, indicated their support for such a provision when giving evidence to a Parliamentary Select Committee on 20 November 2018.

Proposed improvements to the UK Suspicious Activity Reporting regime include improved IT systems and a greater than 30 per cent increase in NCA staffing.  The government plans to legislate in 2019 to introduce a register of beneficial ownership for overseas entities which own or purchase UK property.  The government also plans to take further action to mitigate the risks presented by the misuse of limited partnerships.

The recent Solicitors Disciplinary Tribunal (SDT) fine of £45,000 plus £40,000 costs (Sharif 11805-2018) for anti-money laundering breaches, particularly in relation to the controls applied to Politically Exposed Persons (PEPs) is but one instance of fallout from the Panama Papers; we expect more.  It is also a reminder of the wider need to ensure that the systems and controls required by The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) are in place.

We have commented previously on the failure by many firms to carry out, where applicable, risk assessments and independent audits: it is now over a year and a half since the MLR 2017 came into force.  System failures can be identified by the randomness (or otherwise) of press attention or SRA audit.

The Law Society’s Practice Note on the Criminal Finances Act 2017 has been revised and approved by the Chancellor.

See www.legalrisk.co.uk/news for links to the documents mentioned.  We are advising many leading international and smaller firms on their policies, controls and procedures, risk assessments and audits.

The topic continues to attract parliamentary and press interest, both generally and in relation to non-disclosure agreements (NDAs).  The Times reported on 19 January 2019 that “[a] flood of claims alleging sexual harassment within law firms is due to swamp the Solicitors Disciplinary Tribunal this year, absorbing nearly a third of its calendar…  In all, 81 hearing days have been set aside for 25 cases, with the first tranche coming from a record total of 43 allegations made in recent  months to the profession’s watchdog, the [SRA].”

We are advising firms on some difficult issues over allegations of sexual harassment and misconduct, particularly where the alleged victim may not wish to pursue a complaint, perhaps for reasons connected with religion or concerns over promotion prospects.  This can impact on the handling of the firm’s reporting obligations to the SRA: the complainant’s right to privacy also needs to be addressed.

Brexit necessitates a review of data mapping and cross-border transfers.  In the event of a no deal Brexit, the government intends that transfers from the UK to the European Economic Area will be unaffected, but the reverse will not be true as it is unlikely that the EU will have made an adequacy finding in relation to the UK, even though equivalent legislation to the General Data Protection Regulation (GDPR) will be in force going forwards.  Guidance has been published by the Information Commissioner’s Office and the Law Society.  See www.legalrisk.co.uk/news for links.

The European Commission has reported that there have been more than 95,000 complaints of data breaches across Europe under GDPR.

A €400,000 fine imposed on a hospital under GDPR by the Portuguese supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), may raise issues for law firms.  This arose from allowing indiscriminate and excessive numbers of users to have access to patient records.  Law firms commonly allow firmwide access to client data, which may include special category data, for example, in health and employment records.  The time is ripe to review that approach.

The European Commission has published its second review of the EU-US Privacy Shield. The Commission concludes that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States, though some steps have only recently been implemented and developments need to be monitored.  The US Department of Commerce has published guidance on its Frequently Asked Questions page on the application of the Privacy Shield to data transfers from the UK post-Brexit.

See also the next item for GDPR issues.

The Law Society has published a Practice Note, replacing previous guidance on file ownership.  This also covers GDPR aspects.  However it does not address the position following insolvency where a trustee in bankruptcy or liquidator requests a file.  In that situation guidance in the Law Society’s 1974 Guide to Professional Conduct remains relevant.  See www.legalrisk.co.uk/news.

We are beginning to see signs of a hardening of the market, with some firms finding it difficult or impossible to secure renewal.  While we are practising solicitors, not insurance brokers, we have identified some innovative solutions for some, and for others, a thorough review of their risk management and claims from eyes experienced in handling professional indemnity claims with a deep understanding of the market may make a difference.

The SDT case of Howell Jones LLP (11846-2018 – see www.legalrisk.co.uk/conflicts for a link) has caused some consternation.  The firm was fined £5,000 with £26,850 costs.  This was an agreed outcome, but the SDT satisfied themselves that the admissions were properly made.  The firm had made a mistake, explained to the client what had happened and informed him that he could seek separate advice, but had not ensured that he did so.  With the client’s agreement, and on advice from counsel that it may be possible to remedy the mistake, the firm carried on acting in an attempt to remedy the problem but this was unsuccessful.  There are cases where it may be in the client’s interests for the same firm to continue acting (see for example Hartley v Birmingham City Council [1992] 1 WLR 968), and there may be cases where a minor slip can readily be fixed.  Space does not permit a more detailed discussion, but it is interesting to note that the forthcoming SRA Code of Conduct contains the following requirement: ‘7.9 You are honest and open with clients if things go wrong, and if a client suffers loss or harm as a result you put matters right (if possible) [our emphasis] and explain fully and promptly what has happened and the likely impact…’