Risk Update • July 2019

We commented in our May 2019 Risk Update on the thematic review by the Solicitors Regulation Authority (SRA), 26 of the 59 firms reviewed having already been referred for disciplinary action. We have advised many firms on disciplinary action arising from AML breaches, as well as on compliance, including policies, controls and procedures, risk assessments and audits.

Money laundering is a priority risk for the SRA which has now launched its #staySHARP campaign. Not every firm has to have an inde-pendent audit under Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. However, with another 400 firms now under SRA review, even firms which are not required by law to have this may want peace of mind and assurance which an independent audit can provide, rather than rely on an internal review which may be tan-tamount to ‘marking their own homework’. As we are practising solicitors, our advice will generally attract legal professional privilege, in contrast to non-practising solicitors, accountants and consultants.

There have been two important publications since our May Risk Update –

• Anti-money laundering: the SARs regime –Law Commission report;
• Financial Action Task Force (FATF) Guidance for a Risk-Based Approach for Legal Professionals.

Links are on www.legalrisk.co.uk/News.

The Law Commission report recommended retaining the SARs regime, creation of an advisory board and provision of advice to theprofessions, a prescribed reporting form using technology, and limiting the scope of the reporting obligation to exclude reportson ‘technical’ breaches. Legal Risk partner Sue Mawdsley participated in the symposium held by the Law Commission in July 2018.

The FATF guidance contained little in the way of surprises following the consultation paper of February 2019. It should however be one of the documents to be considered when preparing the firm’s risk assessment.

We recently defended successfully a complaint against a law firm to the SRA made by an opponent in litigation alleging that our clients had a conflict of interests.

A recent case on this point, FBME Bank Ltd v Dangate Consulting Ltd, involved an unsuccessful application by the defendant for an order that the Second and Third Claimants’ solicitors cease acting due to an alleged conflict with the First Claimant. Unless the Court is given cogent evidence of a conflict, it should and does trust solicitors to police their own professional obligations. In any event, the Court does not have the means to look into privileged communications as the SRA would do if, after a full trial, the trial judge thought that there was something meriting the regulator’s attention. If any conflict did arise, though one was not found, on the facts it would have been historic, because the solicitors were no longer acting for the First Claimant.

Note that the Court of Appeal decision in Hood Sailmakers Ltd v The Berthon Boat Company Ltd was not cited. Both decisions can be found on www.legalrisk.co.uk/Conflicts.

As people move on, many firms are having to appoint people to roles in anti-money laundering (AML) and compliance who may feel that they are walking on a tightrope, not having been involved since the start of the compliance regimes which apply to Money Laundering Reporting Officers (MLROs), Money Laundering Compliance Officers, Compliance Officers for Legal Practice and Compliance Officers for Finance and Administration.

We provide mentoring and support to many in this position (and many experienced compliance officers and MLROs too) across a wide spectrum of firms, with legally privileged advice from practising solicitors who have all been involved in advising law firms over many years, even before the compliance regimes commenced. When a difficult decision is called for, the chances are that we have seen it before and can help cut through the process to answer questions such as ‘Do we have to report?’, ‘Can we carry on acting?’ or ‘Do we need to appoint a separate Money Laundering Compliance Officer?’

The Information Commissioner’s Office (ICO) published GDPR: One year on. Regulatory priorities going forwards include a number which may impact on law firms to varying degrees -cyber security, artificial intelligence and machine learning, and (depending on their client base) freedom of information.

The ICO has also published its Audit Report on the Legal Ombudsman (LeO). This contains some potentially useful pointers for law firms. The issues identified included –

• physical security in LeO’s main office and their third party document storage,
• failure to dispose of records in accordance with their document retention schedule,
• lack of a data flow map recording all processing activities,
• deficiencies in information asset registers,
• lack of assurance from their IT provider in relation to network management, including anti-virus and anti-malware protection, and
• training deficiencies.

We advise many firms on data protection issues, including data breach reporting. Causes of data breaches remain unchanged –letters in the wrong envelope (including two letters stuck together), files left in taxis and emails sent to the wrong person. An illustration of the dangers of email autofill addressing appears in the case of Advertising Standards Authority Ltd v Mitchell[2019] EWHC 1469 (QB).

Links to the above documents here www.legalrisk.co.uk/news.

Those involved in trusts, probate and estates, whether as role-holders or advisers to executors, administrators, attorneys, Court of Protection deputies, trustees in bankruptcy or supervisors of individual voluntary arrangements, should be concerned about the imminent deadline of 29 August 2019 imposed by the Financial Conduct Authority (FCA) for making Payment Protection Insurance (PPI) claims.

The Society of Trust and Estate Practitioners (STEP) has issued a briefing note and the Official Receiver has announced a review of bankruptcies which may go back to 2000. The FCA says that more than £33bn has already been paid back to people who complained about the sale of PPI, but billions of pounds are as yet unclaimed.

A concern is that firms may be unable to identify or review matters in time, and where they acted for an estate they may have no instructions to pursue any claim. This could in turn lead to claims management companies stirring up claims, an unwelcome development as brokers are reporting a hardening market for renewing professional indemnity insurance (PII).

Firms will need to consider their duty of fair presentation on renewal and may need to consider block notifications to insurers. We have advised many firms on this over the years.

Compounding the problem are the new SRA Standards and Regulations which come into force on 25 November 2019. Rule 7.9 of the Code of Conduct for Solicitors, RELs and RFLs and rule 3.5 of the Code of Conduct for Firms each provide ‘…If requested to do so by the SRA you investigate whether anyone may have a claim against you, provide the SRA with a report on the outcome of your investigation, and notify relevant persons that they may have such a claim, accordingly’. (We commented on other parts of this rule in our May 2019 issue.)

This goes further than Outcome 1.16 of the SRA Code of Conduct 2011, which only mandates notification to current clients. (The original version in force from 6 October 2011 applied also toformer clients, but was amended on 23 December 2011 to limit it to current clients, reflecting the position at common law.)

Exercise of the new power could have a catastrophic effect on a firm’s insurability. Reducing the level or scope of PII, which we understand is still a live issue on the SRA’s agenda, is not the solution! The purpose of insurance is to distribute losses among the many; cutting its level or scope would leave the burden falling on individuals selected largely at random.