Risk Update • November 2019

These were the concluding words of Paul Philip, Chief Executive of the Solicitors Regulation Authority (SRA) in his opening speech at the SRA’s Compliance Officers Conference on 30 October 2019. A chill wind may be blowing in the area of anti-money laundering (AML) compliance. Our past three issues identified various aspects of the SRA’s enforcement activity, but this is set to be ramped up.

The SRA is going to be far more proactive in visiting firms to assess compliance, and will be seeking written assurance from senior partners of all firms which do regulated sector work under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR). This may expose senior partners to personal risk of disciplinary process beyond that which applies as a principal in the business.

Having previously found 21 per cent of firms’ risk assessments from a sample of 400 to be non-compliant, the SRA is now going to embark on checking risk assessments for 7,000 firms.

The SRA has published its latest Risk Outlook, which focuses on anti-money laundering and the need for firmwide risk assessments, and an updated warning notice, Compliance with the money laundering regulations – firm risk assessment, which can be found on www.legalrisk.co.uk/news. The SRA’s template, checklist and guidance can be found on our Anti-Money Laundering Resources page via www.legalrisk.co.uk/aml; however the SRA cautions against over-reliance on templates and a ‘copy and paste’ approach.

While carrying out independent audit of many larger firms for compliance with Regulation 21 of the MLR, we have observed weaknesses in the documentation of risk assessments at the client and matter level, and in the inception and ongoing monitoring of Politically Exposed Persons (PEPs) and higher risk matters generally. Firms’ policies, controls and procedures do not always reflect what happens in practice.

As the SRA guidance on firm risk assessments observes, it is not enough to say that the firm does not act for PEPs, as the definition of PEP is very wide, may apply to UK citizens (and there are approximately 39,000 in the UK), and might for example include the business partner of a member of the board of Network Rail, Channel 4 or the BBC, the children of certain Church of England bishops or senior office holders of international bodies such as the Red Cross or Amnesty International.

The MLR do not require all firms to have an independent audit of their MLR compliance, but may still benefit from one in the face of the almost inevitable SRA visit. As practising solicitors, our advice is subject to legal professional privilege.

The importance of sanctions checks cannot be overstated: HM Treasury has imposed a monetary penalty of £146,341 on Telia Carrier UK Limited for a breach of financial sanctions regulations, demonstrating that ‘economic resources’ may be provided directly or indirectly.

Firms should now be well advanced in preparations for the new provisions which come into force on 25 November 2019. There are still further minor amendments in the pipeline. Meanwhile, the SRA has published guidance on Conflicts of Interest. However this does not address own interest conflict issues arising from the decision in SRA v Howell Jones LLP Case No. 11846-2018 which will be addressed in further guidance on Putting Things Right. See www.legalrisk.co.uk/Conflicts.

We noted previously that the prohibition on limiting liability below the compulsory minimum (£2 million for sole practitioners and partnerships, and £3 million for incorporated practices and licensed bodies/ABSs), had been removed from the Code of Conduct, while urging caution that all may not be as it appeared. The prohibition has resurfaced in rule 3.2 of the SRA Indemnity Insurance Rules 2019. A breach of the current provision was the subject of a recent decision of the Solicitors Disciplinary Tribunal.

The requirement to effect ‘adequate and appropriate cover’ continues in rule 3.1 of the same rules. The difficulties with this provi-sion remain the same. How much is ‘adequate and appropriate’? It is almost impossible to put a figure on this. We advise many leading firms on limitation of liability and act in substantial coverage disputes, and in our experience there are many cases where the firm’s exposure may be far in excess of anything they might have imagined when taking the work on.

The value of a transaction may not be a fair indication of the potential exposure from any claims, particularly where aggregation issues arise under the policy, a point overlooked by many firms. Even if this is taken into account, it may not be practicable to obtain cover for anything like the full amount.

Frank Maher, Sue Mawdsley and Francis Dingwall will be speaking at the New Standards and Regulations Seminar presented by Howden UK Group Limited. For more information, please see here.

These are a hot topic on the claims front where we are advising many firms on insurance coverage and professional conduct issues.

The SRA has published guidance on investment schemes. A link can be found on www.legalrisk.co.uk/news.

The further extension allows firms more time to put their houses in order. The Law Society has published a leaflet on preparation for a no deal Brexit, including links to the ICO’s latest guidance – see www.legalrisk.co.uk/news.

We have advised on a variety of issues relating to practice rights, data protection and legal professional privilege.

As solicitors, we have duties, enshrined in law and in our Code of Conduct, to preserve confidentiality. Yet this appears to be breached by many in the profession on a daily basis.

We have advised several firms which have experienced multiple breaches of client data – not from hackers, or complex IT failures, but simple error by staff at all levels – partners, fee earners, ac-counts staff, and support staff. Medical records are left in taxis, letters or enclosures clipped to letters to other clients, addresses mistyped on client inception, and more besides. The Information Commissioner’s Office (ICO) statistics for data breaches in the legal sector for Q4, 2018-19, show the main causes were data emailed to the wrong recipient (26%), and data posted or faxed to the wrong recipient (24%).

Mistakes happen in the best regulated offices, and it is important not to discourage breach reporting, but firms are bound by the accountability principle in Regulation 5 of the General Data Protection Regulation (GDPR) and we are seeing the SRA investigating further even where the ICO has decided to take no further action.

Solicitors and their staff may be tempted to talk about cases in public areas, thinking that they are preserving confidentiality simply by withholding the names of individuals. The fallacy of this was exposed in the recent case of Curless v Shell International Ltd [2019] EWCA Civ 1710, a successful appeal against application of the iniquity exception to legal advice privilege, but of note for the problems caused by idle chat which was overheard by the claimant in a public house.

The European Council has published a revised draft of the e-Privacy Regulation, which includes clarification on consent, in line with GDPR and the Planet 49 judgment – see www.legalrisk.co.uk/data.