Risk Update • November 2018

We have already predicted further regulatory action (Risk Update, September 2018), with the Solicitors Regulation Authority (SRA) under scrutiny from The Office for Professional Body Anti-Money Laundering Supervision (OPBAS) and increasing pressure from HMRC and Parliament.

Firms will face regulatory action for breaching their own policies. This may even be so where they were complying with the general standards of the profession.

We know that the SRA will be continuing to audit firms, as it will be under scrutiny from OPBAS. A surprising number of firms have not done their risk assessments, over a year after The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) came into force.

Expect a particular SRA focus on high end residential property, with a focus on reviewing transactions over £1 million. Firms doing high value West End property work in London are particularly exposed here, but those who think they only do commercial property work should be alert to the occasional residential transaction: as we have seen, it happens.

There will also be particular interest where the firm has acted for Politically Exposed Persons (PEPs). The judgment in National Crime Agency v Mrs A[2018] EWHC 2534 (Admin) will be of particular interest to AML compliance practitioners for its analysis of the definition of “state-owned enterprises” in relation to PEPs.

There is a focus at present on firms which are Trust and Company Service Providers (TCSPs), but we believe there is a large element of mistaken identity here, due to lack of clarity on SRA forms. There will doubtless be some firms which are TCSPs and should have registered with HMRC, but most are only providing services incidental to mainstream legal advice within regulation 12 (1) of MLR.

Some firms are employing accountants to carry out their independent audit under Regulation 21 of the MLR 2017. This is perhaps surprising, as an audit is almost bound to find fault, and if it is conducted by accountants it will not be protected by legal professional privilege, so the SRA can, and doubtless will, ask to see the report. This is one of the reasons why Legal Risk LLP practises as an SRA-regulated law firm.

The SRA’s proposal to allow solicitors to work in unregulated businesses has been approved by the Legal Services Board. A sackful of dire predictions from almost every quarter can be found in the SRA’s collection of Consultation Responses. So it only remains to sit back and wait to see whether the doomsayers –including ourselves –are proved wrong. In two years’ time the abuses we fear may have started to come out of the woodwork: criminals controlling enterprises in the business of law, alternative legal services providers operating out of shell companies without effective insurance and without proper regulation, consumers confused by well-crafted notepaper employing the word ‘solicitor’.

The LSB have also approved the SRA’s revised Code of Conduct, the third rewrite in 11 years. It is less prescriptive, and our prediction is that the sacrifice of certainty will expose the profession to … uncertainty. Guidance is promised, but solicitors risk being at the mercy of the SRA, to whom the new Code delivers a broad latitude in interpretation.

In the meantime, the next seismic event likely to shake the legal world is in incubation: the UCL Faculty of Law’s independent review into the regulatory framework for legal services in the UK, led by Professor Stephen Mayson. It was prompted by theCompetition and Markets Authority’s ‘Legal Services market study’ (December 2016). We anticipate that the ‘reserved legal activities’ will be swept away and replaced by a more rational approach to what legal services need to be regulated. And we expect a recommendation that the multiplicity of regulators should be rationalised.

For now, we are already seeing some impact from the CMA’s report in the shape of the SRA Transparency Rules 2018, which come into force on 6th December 2018. Broadly, a law firm must publish on its website pricing information about certain of the legal services it offers, namely ones that private individuals and small businesses typically buy (even if your clients are wealthy individuals and multi-national corporations). To compare prices properly, you also need to compare the service being provided, but the occasional user cannot test-drive legal services. Branding may rise up the agenda for smaller firms. Consumers’ legal work may go to the biggest brand with the lowest price. That formula has not been an unmitigated success in other service sectors.

It has appeared until recently that the SRA was doggedly determined to press ahead with reductions in the limits and scope of compulsory PII for reasons which we believe were woefully misconceived and based on seriously flawed data, as we have explained previously (Risk Update, March 2018). However, we understand that proposals for change will now take a further two years.

In the meantime, insurers are increasingly focusing their attention on the aggregation clause, under which (broadly) multiple claims arising from similar causes may be subject to one policy limit. We expect there will be further recourse to the courts or arbitration over the impact of this, particularly in the case of investment scheme claims (including hotels and student lets) where we are advising many firms. Bank of Queensland Ltd v AIG Australia Ltd [2018] NSWSC 1689 is of some interest in this context, though not binding and perhaps not likely to be followed here.

Coverage issues are far more common when excess layer insurers are involved. But even where they are not, we are seeing more coverage issues in practice. Where insurers face significant claims, they are prepared to incur legal costs to scrutinise whether a firm failed to supervise (and thereby condoned fraud), misrepresented its systems and controls in its proposal form, or failed to disclose problems prior to renewal. If a firm looks good on paper, a run of claims begs the question whether it is as good as it looks.

We may see further contraction of the market in the UK: we have seen insurers exit both the primary and first excess layer market already, and note that Amtrust are withdrawing from the Irish Solicitors’ market. Some firms have faced steep premium increases on renewal.

SRA reforms allowing solicitors to work in unregulated firms are unlikely to achieve significant insurance savings, as the volume will not be there, but will significantly narrow the scope of cover, opening up more exclusions from cover, and insurers will be free from the shackles of their obligations to the SRA which currently exist under the Minimum Terms and Conditions. There will certainly be no automatic run-off, there will be more coverage issues over non-disclosure, and lower limits (potentially without any one claim cover). Unrated insurers may once again find space in the market.

So we predict that consumers (and lawyers) will lose out with no appreciable benefit.

Inevitably, we anticipate that some law firms will be subject to fines under the General Data Protection Regulation (GDPR). Where may the problems lie? We identify three areas –one for domestic firms, one for international firms, and one for all firms.

Data protection: domestic firms

On the home front, we believe personal injury firms are highly exposed through a combination of handling large volumes of medical records and, in many cases, a degree of complacency. We have already encountered a post-GDPR example of medical records in a file left in a cab, and a case where copies of two clients’ records were mistakenly sent to two other clients jointly instructing the same firm. But this is barely the tip of the iceberg: medical records and reports are routinely copied many times into instructions for counsel and experts, court bundles and file copies, exponentially increasing the risk of data breach. Can you account for what happens to each and every copy when the case is finished? The same principles apply to other areas of work.

Data protection: international firms

Many firms rely on the standard contractual clauses issued by the European Commission for transferring personal data outside the EEA. So far, so good, but when a data breach occurs, can you find a signed, complete copy? We have heard of a scanned copy from a leading law firm’s overseas office which comprised only alternate pages, and the Information Commissioner’s Office (ICO) monetary penalty notice in the Equifax case noted that no signed copy could be found. That case involved a fine on the UK company following a data breach at the US parent company.

Even if you have a signed, complete copy, did your compliance end with the signing of the agreement incorporating the model clauses? In the Equifax case, the ICO found that there were no audits or adequate checks. The data processing agreement failed to provide adequate safeguards and security requirements, and numerous technical breaches were identified.

Data protection: all firms

Many firms trained staff for the introduction of GDPR, but we suspect will fail to ensure that staff are reminded of it on a regular basis and new joiners trained which will be an issue in future regulatory investigations. Inadequate training was a factor in the ICO’s Heathrow Airport fine.

A link to the Equifax and Heathrow monetary penalty notices can be found with a large collection of other resources on data protection and GDPR on www.legalrisk.co.uk/data.

Data subject access requests are increasingly being used as a tactic in litigation, including partnership disputes and employment. It may be possible, in appropriate cases, to resist the request on the basis of legal professional privilege but it is critical to examine the basis on which privilege is claimed, particularly having regard to the Court of Appeal decision in Three Rivers District Council and others v The Governor and Company of the Bank of England (Three Rivers No 5) [2003] EWCA Civ 474). We are frequently instructed to advise on complex privilege issues in relation to data protection and anti-money laundering.

GDPR: Brexit and the EU Withdrawal Agreement (even if it is in fact agreed) give rise to a host of issues on international data transfers. There is (perhaps unintended) doubt about the status of the UK during the transition period, despite the aim of securing an adequacy status in the longer term. The Information Commissioner’s Office will not be a supervisory authority once the UK leaves the EU. Data Transfer Agreements will need to be reviewed once the basis of the UK’s exit is known, but the position is at present unclear. We have advised several US and international firms on GDPR.

Despite GDPR’s aim at consistency, being a Regulation rather than a Directive, compliance issues in other European countries may tax the minds of compliance teams. We have seen a German court fine on a lawyer for an incomplete privacy notice, and the French supervisory authority, CNIL, has taken the point that if you rely on a third party to obtain consent, that does not relieve you of your obligation to verify that the consent is valid; auditing, by definition, cannot suffice, because it is only a spot check.