Despite numerous alerts, extensive guidance and wide publicity, Solicitors continue to needlessly fall victim to fraud and lose their clients’ money to fraudsters on a regular basis. Despite so much being at stake, some firms are still unwilling to change processes or attitudes about fraud. There are many conscientious law firms that have already upgraded their anti-fraud risk controls, but recent notifications highlight that some are still not taking this issue seriously enough...
The Solicitor community needs to manage fraud risk more effectively and responsibly and stop taking email and verbal instructions for funds transfer on blind faith.
Principle 10 of the SRA’s Code of Conduct mandates that you must protect your client money and assets.
Email is not (and never has been) on its own a reliable or secure communications method. Transferring funds to a bank account that is notified by email, especially if altered or advised at the last minute, without making any checks, is not protecting your clients' money and would therefore be a clear breach of Principle 10. Acting on instructions from so-called bank staff, or even fraudsters impersonating Police Officers, and revealing online banking user credentials and account information is also not protecting your clients' information.
To help ensure you have the right working processes in place, check out QBE's Fraud Prevention Toolkit.
False email correspondence is often at the heart of fraudulent activity, so here are some simple rules to abide by:
- Explain the risk of fraud openly at the outset when relevant to the transaction / matter and obtain a commitment to cooperate
- Obtain / exchange bank details (to include sort code, bank account number and name of the account) at the outset of the transaction, and preferably face-to-face, except in unusual circumstances.
- Verify the bank details provided against a cheque book, paying in book, or statement (this might be tied in with client identity checks to streamline the process).
- If there is a likelihood that changes may be needed, and attendance in person will be impractical, agree a code word for discussing financial transactions.
- Explain that changes will not be made to your firm’s bank details and changes to clients’ instructions for funds transfer will be treated suspiciously such that:
  - Any changes should be made in person, whereby identity will be re-checked against original ‘know your client’ documents
  - Remote instructions (by mail, phone, email, text etc.) must be validated by talking to the client to authenticate the instructions (using any code word agreed). The phone call must be instigated by your firm using contact details originally provided for contact on the matter. Unique and common knowledge, for instance about the matter or subjects involved, can be used to further authenticate the client.
- Update your client care letter/s, T&Cs, email footer and other relevant documents to reflect your revised fraud prevention processes
- Explain the above revised policies to existing clients (via a mass mailer (not email) or as and when correspondence is sent).
- Request that clients attend your offices to provide bank details or obtain them over the phone when you can be certain it is your client you are dealing with in the normal course of events.
- Obtain evidence in support where time permits (if you already have a bank statement obtained for client identity checks at the outset then this would serve to verify bank details).
- On any transactions nearing completion where there is insufficient time to obtain bank details in the above ways, receipt of bank details for funds transfer must be validated with the client by phone. The call must be instigated by the firm using the details provided by the client at the outset. Unique and common knowledge, for instance about the matter or subjects involved, can be used to further authenticate the client.
Relevant staff must be trained on revised procedures and mandated to follow them without exception.
Further information on fraud prevention and professional services risk management.