Risk Update • January 2020

We have advised many firms who were concerned about the adequacy of their risk assessments required by regulation 18 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).  Their concerns follow the Solicitors Regulation Authority (SRA) request for confirmation by 31 January 2020 that firms who fall within the scope of the MLR declare they have a compliant firm-wide risk assessment in place.

The request is directed to Compliance Officers for Legal Practice (COLPs) rather than Money Laundering Compliance Officers appointed under regulation 21 (1) (a) or Money Laundering Reporting Officers.  It also requires COLPs to notify the SRA if anything changes in respect of the information provided in the future.  Increased personal obligations on COLPs were imposed by rule 9 of the SRA Code for Firms and this request serves to reinforce that burden.

It is important to remember that AML compliance is a journey, not a destination: compliance does not end with the risk assessment.  Policies, controls and procedures need to mitigate the risks identified, and they need to be kept up to date with changes in regulation and best practice as well as changes in the firm’s business as a whole.  The interaction between AML and data protection requirements should also be addressed, with particular reference to file destruction policies.

Firms which have until now relied upon generic templates with a tick-box approach for their risk assessments should bear in mind the SRA’s criticisms of these.  They may be requested by the SRA at any time and they may therefore wish to consider reviewing them sooner rather than later.

The Money Laundering and Terrorist Financing (Amendment) Regulations 2019 implementing the Fifth Money Laundering Directive came into force on 10 January 2020.  The Legal Sector Affinity Group has produced a summary of changes.

However, this did not include changes required to the registration of the beneficial ownership information of trusts. The government is now holding a detailed technical consultation on extending the Trust Registration Service to include the draft legislation and proposals on the types of express trusts that will be required to register, data collection and sharing, and penalties.

Links to these documents are on www.legalrisk.co.uk/news.

The SRA published 54 Guidance notes and 13 Warning Notices on 25 November 2019.  Unfortunately, although many were largely repeats of previous publications, there were no tracked changes and no notes to identify what was new.  See https://www.sra.org.uk/solicitors/guidance/

The decision in SRA v Howell Jones LLP Case No. 11846-2018 has caused some consternation in the profession.  Readers of our January 2019 issue will recall that a firm which attempted to put things right for a client following a mistake was fined £5,000 for an own-interest conflict, despite having (a) exercised professional judgment and (b) secured independent legal advice for the client by instructing counsel.

The SRA published guidance on 25 November 2019, Putting matters right when things go wrong, and own interest conflicts, in an attempt to resolve the tension created by the decision with the provisions of rule 7.11 of the SRA Code for Solicitors etc./rule 3.5 of the Code for Firms, which require that ‘if a client suffers loss or harm as a result you put matters right’.

The guidance is problematic however.  While it appears to suggest that the issue involves the exercise of professional judgment, and that where one of the options for the client is to bring a claim against the firm, ‘you should advise the client to take independent legal advice’.  This fails to address  the fact that Howell Jones LLP did both.  It also omits to state the need to ensure that where a client does need independent legal advice, it is not enough simply to advise the client on this, but the client actually has to take such advice: see SRA v Evans and Whiteley 11907-2018.

Further difficulties arise when one considers the examples.  The guidance suggests that ‘the consequences of a defect in title may be put right through purchasing a title indemnity policy’, but does not consider the need to address adequacy of policy limits, defining the insured risk, and the solvency of the insurer.

Nor does the guidance address the situation where it may be positively in the client’s interests for the same firm to continue acting  – as in the case of Hartley v Birmingham City Council [1992] 1 WLR 968 which we cited in our January 2019 issue.

For our US readers, this is a prime illustration that waivers do not resolve conflicts under the SRA Codes of Conduct.

Finally on this topic, we mentioned the case of Glencairn IP Holdings Ltd v Product Specialities Inc (t/a Final Touch) [2019] EWHC 1733 (IPEC), dealing with information barriers, in our September 2019 issue.  We understand that an appeal is due to be heard in March 2020.

Links to the guidance and cases referred to above can be found on www.legalrisk.co.uk/conflicts.

We were pleased by the SRA’s announcement (see www.legalrisk.co.uk/News) that it has dropped its plans to reduce the level and scope of cover under the SRA Minimum Terms and Conditions (MTC), which we have opposed.  Our opposition has been founded on decades of experience defending and advising solicitors who have found themselves either underinsured or uninsured.

Despite the unrivalled breadth of cover provided by the MTC, there are still some traps for the unwary.  Perhaps the most significant is aggregation, under which multiple claims from broadly similar or related causes may be subject to one policy limit – a particular issue for firms doing volume work who may derive false comfort from the fact they only handle low value matters.

Successor practice provisions contain a number of traps.  Examples are the differences in the Legal Ombudsman scheme provisions, and unexpected problems which may arise if a firm’s successor switches regulator.  We advise many firms on the insurance aspects of mergers and disposal of practices as well as coverage issues and disputes.

The £500,000 fine imposed by the Information Commissioner’s Office on retailer DSG has attracted much publicity as it represented the limit under the pre-GDPR regime. It has attracted less attention for the helpful information to be found in the monetary penalty notice.  This shows that the data breach was possible due to inadequate security, specifically inadequate software patching, absence of a local firewall, inadequate control of permissions and network segregation, and logging and incident response failures.

The Opinion of the Advocate General to the Court of Justice of the European Union states that the use of standard contractual clauses by Facebook and other firms to transfer information abroad is valid.  The decision of the CJEU is expected in 2020 with some optimism, as approximately 80 per cent of its judgments follow such opinions.

This has particular significance in the context of Brexit, as it may be one of the principal mechanisms for transferring data to the UK going forwards, assuming there will be no adequacy decision in the short term.  The UK ceases to be a member of the EU at 23:00 hours GMT on 31 January 2020, though current data protection (and most other) arrangements will continue to apply during the transition period, which will expire on 31 December 2020 unless an extension is sought by 30 June 2020.

Links to both the above documents can be found on www.legalrisk.co.uk/news, and we also have links to an extensive collection of resources on www.legalrisk.co.uk/data.