The start of the year is an ideal time to look ahead, and plan priorities for the year – both personal and professional. For those of us engaged in risk and compliance, this can mean planning ahead for incoming regulatory changes, training priorities, and ‘trending’ risk issues. We compared notes with our specialist risk consultancy partners to learn what hot topics and priorities they would highlight for the coming year. Here are our combined thoughts.
The efforts of the SRA and Law Society ensure that those working in risk and compliance will continue to be fully occupied over the course of 2019!
Calum MacLean, Senior Risk Manager in QBE’s Risk Solutions team, spoke to three of our specialist risk providers: Richard Robinson of Legal Compliance Services, Helen Barge of Risk Evolves, and Pip Johnson of VinciWorks, for their view of the top regulatory and risk priorities for law firms in the coming months. And while it may be a new year, there are some old (but nonetheless very relevant) chestnuts amongst their common themes.
Money Laundering Compliance
Richard at Legal Compliance Services put AML firmly at the top of his priority list for 2019 – a view that seems to coincide well with the SRA’s ongoing focus on the issue. Under pressure from the Office for Professional Body Anti Money Laundering Supervision (OPBAS), and the government, to ensure that law firms step up to the plate in the fight against money laundering and terrorist financing, the SRA is expected to increase its monitoring and auditing of firms, and also to increase its regulatory intervention in firms that are found wanting. Richard explained that it is vital for firms to ensure that they have carried out and documented an internal risk assessment, and that this is kept up to date and reflected in the firm’s policies and procedures. He also highlighted the importance of independent auditing, as well as regular training for staff.
QBE has made AML one of its risk focusses for 2019 also. Look out for our upcoming article on AML, being published in February, and also our AML seminar and workshop.
AML was also highlighted by Pip Johnson at VinciWorks. Pip flagged the fifth money laundering directive, which must be implemented into national regulations by this time next year. So, while you may feel you have only just adapted your processes to the last raft of changes, you will need to be ready to take on board these further changes – including the regulation of cryptocurrencies (some firms are already being asked to accept transactions in cryptocurrencies), stricter enhanced due diligence requirements, and extension of AML to all forms of tax advisory, and letting services, amongst others. Read VinciWorks' guidance note on the Fifth Money Laundering Directive to help you get up to speed in good time. Notwithstanding Brexit, the government will have to find some time to implement this Directive soon! And, on the topic of Brexit, don’t forget that the UK is due to implement its own sanctions regime, so (as VinciWorks have identified) firms would be advised to review and update their sanctions policies in 2019 as well.
On a related topic, following the first use of the new Unexplained Wealth Orders, VinciWorks also raised the issue of the new EU Directive (known as DAC6) requiring law firms, amongst others, to disclose cross-border tax arrangements to the relevant national tax authorities. While the data does not have to be reported until next year, you will at that point be required to disclose all such arrangements that have occurred since 25th June 2018. You need to be sure that there is a process in place for identifying and recording such information, where relevant to your firm’s work profile. VinciWorks’ DAC6 Omnitrack register and other tax evasion compliance resources may make that job a lot simpler!
AML Action Points
- Carry out/review and update your existing AML risk assessment
- Carry out an [independent] audit of AML (including Sanctions) policies, controls and procedures, and update as required
- Review your AML training, and ensure all relevant staff receive practically-focused update training
Another perennial favourite, data protection, was top of Helen Barge’s (of Risk Evolves) priorities. Despite the new regulations having been in place for 9 months or so now, many firms have still not taken sufficient steps to implement the new data protection requirements, and 2018 saw an increase in the number of complaints to the Information Commissioner’s Office (ICO). With the topic firmly in the public consciousness, and a catalogue of high profile breaches, this is a trend only set to continue. This month we saw the first major fine issued by the French data regulator against Google, a massive £44m. The French regulator stated that users were ‘not sufficiently informed’. Helen is of the view that, as cases, particularly class actions, come to court, we are likely to see an increase in Subject Access Requests, and a resultant rise in claims.
Helen advises firms to keep an eye out (by signing up to the ICO newsletter) for the ICO rulings due in 2019 on a number of significant cases, including the Butlin’s, Dixons, Carphone Warehouse and British Airways breaches, as these are likely to give a strong steer as to how cases will be treated in future, and hopefully provide preventative lessons for us all.
Another timely piece of advice from Helen is to double check that you are registered with the ICO, and fully paid up, as there appears to be a zero tolerance approach from them on this issue. Fines up to £4,000 have been issued to organisations.
Legal Compliance Services and VinciWorks both highlight the need to review your privacy notices to ensure they are fit for purpose, and, thereafter, ensure that they are provided not only to all clients, but also any non-clients whose data you collect. Given that the legislation has been in place for some considerable time now, we anticipate the SRA and ICO to both increase their scrutiny of firms, and take a harsher approach to censuring those that have not properly engaged with their regulatory requirements – and Richard, at Legal Compliance Services, remains of the opinion that there is a significant minority of firms who are ‘dangerously lax’ in their approach. For those for whom this is a wake-up call, or if you simply wish to benchmark your policies and procedures, both Legal Compliance Services and Risk Evolves offer a range of valuable GDPR compliance services, and VinciWorks offer a variety of online training tools and resources.
Information Security of course extends well beyond your regulatory obligations, and Risk Evolves’ flagging of the ongoing risk of cybercrime is very much in line with QBE’s own experience of professional claims. The SRA reported that, in 2017 alone, more than £11 million of client funds were stolen as a consequence of cybercrime events. Helen emphasises the value of implementing Cyber Essentials/Cyber Essentials Plus certifications (currently a strong recommendation under Lexcel, and a recommendation from both the ICO and the National Cyber Security Centre) as a minimum. Such a certification also helps raise awareness across the business of risk issues and gaps in your systems and procedures. At QBE, we are great advocates of ‘little and often’ practically focussed training and awareness campaigns. Amongst the most effective at addressing one specific risk is signing the firm up to simulated phishing exercises at regular intervals.
If you are interested in this sort of service, get in touch and we can direct you to QBE partner providers (including Risk Evolves) who offer such services.
Data Protection Action Points
- Ensure you are registered with the ICO as a Data Controller
- Review your Data Protection/Privacy policies
- Ensure that well drafted Privacy Notices are provided to all clients
- Check whether you are recording your data processing activities effectively
- Implement a Cyber Security certification
- Sign up for a Simulated Phishing exercise & other cyber security training
2019 promises to be a busy year for solicitors in terms of addressing various upcoming regulatory changes.
• Code of Conduct & Accounts Rules
After a period of relative stability, we are expecting an all-new Code of Conduct and Accounts Rules – due out late Spring. The draft Code certainly seems shorter, and less prescriptive (the opposite of what some small firms looking for clarity had sought!). Richard observes that this is a double-edged sword as it also provides the SRA with greater leeway when it comes to interpretation and regulatory action.
Legal Compliance Services are advising firms to ensure that they are compliant with the new transparency rules that came into force in December, and also to act now to assess the impact of the new code on your firm. Your Accounts staff, COFA and fee earners will also need update training on the new Accounts Rules, which include changes to the treatment of costs and the handling of residual balances. It is worth noting, too, that QBE have seen a number of recent claims where poor compliance with the Accounts Rules has facilitated fraud – another good reason to double-down on your accounts controls.
• Changes for Conveyancers
The new Law Society Code for Completion is due imminently, which should impact on how firms address post-Dreamvar risks (see also QBE’s upcoming AML article). There is also a new fraud practice note (of particular, albeit not exclusive, relevance to conveyancers) anticipated. And the Law Society is finally responding to criticisms of CQS and reviewing the standard, and significantly enhanced monitoring underpinning the standard.
Regulatory Action Points
- Review the upcoming changes to the Code of Conduct & Accounts Rules, and plan for any changes that require to be implemented
- Ensure that Accounts Staff, COFA and fee earners are trained on the new Accounts Rules
- If your firm undertakes conveyancing work, ensure that fee earners are trained on the changes to the Code for Completion and that processes are updated as required
- Update file review/file audit processes to take account of relevant regulatory changes
Review your Policies & Procedures
The combination of new regulations and a renewed focus by regulators on auditing compliance with key risk indicators means that there is no better time than now to audit your own policies and procedures to ensure that they are up-to-scratch and ‘future-proofed’ ready for the upcoming changes.
We understand that, in an already time-pressed work environment, undertaking this internally is not always realistic. QBE’s Risk Solutions team may be able to assist, and can also recommend trusted external consultants, with whom QBE has negotiated discounted rates for QBE policyholders.
Policy & Procedure Review Action Points
- Ensure that you have a comprehensive suite of policies and procedures and implement a regular review process to ensure that they remain up-to-date and compliant
Richard Robinson is Managing Director of Legal Compliance Services, a team of former SRA compliance experts providing bespoke regulatory compliance & risk management advice to law firms. A qualified solicitor, Richard worked in private practice as well as gaining over ten years’ experience as a senior advisor within the SRA’s Practice Standards Unit, implementing practical compliance and risk management systems and procedures for law firms.
Helen Barge is Managing Director of Risk Evolves, specialising in risk management and providing data privacy consultancy for businesses of all sizes. Helen is a member of the BS31111 Risk Management Standards committee at the British Standards Institute and of the Institute of Leadership and Management. Her breadth of experience enables her to apply her knowledge of IT systems, processes and procedures to the complexities of the business environment.
Pip Johnson is the Director for Legal Services at VinciWorks, a leading provider of online compliance training and risk management software. She is a certified e-learning professional with a Diploma in e-learning consultancy skills and has been instrumental in the design and development of bespoke online courseware.
QBE’s own risk management advice, tools and resources are available to all QBE policyholders online via the Risk Solutions pages of our website and our dedicated client Knowledge Centre. For ad hoc risk advice, you can get in touch via your broker, or by emailing firstname.lastname@example.org