10 law firm compliance lessons you could learn from 2019

31 Jan 2020 | 9 min read
Thought 2019 was over? Think again. We aren’t asking you to repeat your new year celebrations, but reflecting on the things you should have done in 2019 could hold the key to success in your law firm for 2020.

LexisNexis has rounded up the top ten things you should have done in 2019 to help you build the foundations for a fresh start in 2020.

Top 10 things you should have done in 2019

1. Updated your breach reporting policy and procedures

The SRA Handbook 2011 introduced the concept of material and non-material compliance failures—the former being reportable to the SRA as soon as reasonably practicable. This caused so much consternation across the profession that the SRA had to operate road shows up and down the country. Hardly surprising then that, in the early days of the 2011 regime, we fielded lots of questions from firms about what constituted a material compliance failure and what was reportable. These dried up very gradually as the new regime bedded in and the profession became more comfortable with the SRA’s expectations.

2. (Re)assessed your firmwide AML risks

While this is not a new requirement, earlier in 2019 the SRA conducted a review of how firms were approaching compliance with the Money Laundering Regulations 2017 (MLR 2017), particularly in respect of firm-wide risk assessments.

It asked a sample of 400 firms to send in their risk assessment documents and the results were not good. Reviewing the responses, the SRA found that many were poor quality and in some cases firms did not have an assessment in place at all, despite it being a legal requirement. In all, the SRA found over a fifth of the firms surveyed did not have a compliant risk assessment.

3. Updated your accounts procedures

Specificity is so last decade. Who wants 86 pages of detailed Accounts Rules and guidance when you can have six pages of join-the-dots? What kind of person wants to operate under prescriptive but clear requirements and timescales when they could grapple with the meaning of subjective terms such as ‘promptly’, ‘fair’ and ‘appropriate’?

The SRA does acknowledge that operating under the new regime will require an ‘exercise of judgment and this will be an adjustment for many firms compared to the 2011 Accounts Rules’. But this is not sufficient justification for sticking with the tried-and-tested way of doing things.

And it’s not just this conceptual shift you’ll have to get to grips with. All that woolly terminology camouflages some substantive changes.

4. Planned for Brexit

A fraught year of will-we, won’t-we questions over whether the UK would leave the EU at all and, if so, with what sort of deal and when, finally ended with some form of resolution.

Following the general election in December, it now appears overwhelmingly likely that the UK will leave the EU on 31 January 2020, but with a transitional agreement to take us through to the end of 2020. This means, in the short term at least, your no-deal Brexit planning can be put to one side and you can concentrate on the implications for your firm of leaving under the transitional terms of the Withdrawal Agreement.

Whether the UK has a long-term deal in place by the end of the year is another question and it would be a brave firm that doesn’t continue, for now, to monitor and assess its position in the event of a no-deal scenario on expiry of the Withdrawal Agreement.

By now, you will of course have a good idea of the implications of Brexit for your firm and have made appropriate plans and taken the necessary actions to manage the process. Deal or no deal, you will need to consider the impact of Brexit on the whole of your business, including:

  • your lawyers, eg visa and practising requirements if they are qualified in the EU, or EU nationals or UK nationals working in the EU, and
  • your firm, eg your ability to continue to provide services from offices in the EU or on a fly-in/fly-out basis, your supply chains, data processing, intellectual property rights

For a recap of some of the key areas to consider and a host of Brexit trackers and Practice Notes, see subtopic: Brexit—compliance and risk management. For an overview of the latest Withdrawal Agreement Bill, see News Analysis: The new EU (Withdrawal Agreement) Bill—what’s changed?

5. Reviewed your process for accepting undertakings

The SRA has tinkered with the definition of ‘undertaking’, but to no real effect, and this isn’t the reason why undertakings make our top ten. If you want to know what the SRA has changed, see Practice Note: Undertakings and the SRA 2019—What is an undertaking?

The thing you should worry about is not what is an undertaking, but rather who might be giving an undertaking to your firm.

The 2019 SRA regime permits solicitors to practise in new and different ways. In-house solicitors can provide a wide variety of legal services to external clients. Non-SRA regulated businesses can now employ practising solicitors to provide certain legal services. And then there is the brave new world of the freelance solicitor.

Generally, when receiving an undertaking from a practising solicitor before November 2019, you could assume they were insured. However, this is certainly not the case with freelance solicitors. To be clear, an undertaking given by a freelance solicitor is entirely valid, but the real issue is whether that solicitor is adequately insured if they fail to discharge the undertaking. The level of risk depends on the category of freelance solicitor. For more guidance, see Practice Note: Dealing with freelance solicitors.

There are also practical questions about how monies paid to a third party represented by a freelance solicitor will be held. Freelance solicitors cannot hold client money, nor can solicitors working in-house or for an unregulated entity.

We’ve therefore updated Precedents: General undertakings policy and Undertakings policy for property transactions to contain specific requirements about accepting undertakings from freelance solicitors, in-house solicitors and other professionals.

6. Amended COLP/COFA job descriptions (and indemnities)

It’s probably a good time to refresh the job descriptions you issued to your COLP and COFA back in 2011. The core duties of your compliance officers remain unchanged—take reasonable steps to ensure compliance and report breaches to the SRA. Granted, the formal requirement to keep a record of compliance failures has disappeared from the Standards & Regulations, but it’s resurfaced in SRA guidance on the responsibilities of COLPs and COFAs.

Nevertheless, you should probably update any specific requirements in the job descriptions around breach reporting—see item 1 above, plus Precedents: Compliance officer for legal practice—COLP—job description and role profile—2019 and Compliance officer for finance and administration—COFA—job description and role profile—2019.

If you’re going to review the job descriptions, you may as well also review any indemnity agreement you entered into with your compliance officers—see Precedents: Deed of indemnity—compliance officer for legal practice (COLP) and Deed of indemnity—compliance officer for finance and administration (COFA).

7. Kept your eye on cybercrime and information security risks

With everything else that’s been going on in the last year, it can be difficult to keep up with some of the business-as-usual areas of risk management, such as cybercrime and information security. Just because other areas have come to the fore does not, however, mean that these can take a back seat. Information and cyber security remain a priority risk in the SRA’s latest Risk Outlook and a major risk to firms.

Dealing with an incident is invariably costly and time consuming. It can be detrimental to your staff, your clients, your business and your reputation. Regular (and repeated) training is therefore a must, to maintain high levels of awareness and vigilance within the firm and to help build a culture of reporting so you can quickly identify and remedy issues that arise. Fitting in training can be a real challenge but this is one of those areas where you simply cannot afford to ‘wait until things are a bit quieter’.

Subtopics: Information security and Cybersecurity and cybercrime include a wealth of materials to assist you.

8. Reviewed your privacy notice (grounds for processing special category personal data)

It’s taken 18 months for the ICO to fill the black hole created by the GDPR for law firms that process special category personal data of clients and third parties on the ground of establishing, exercising or defending a legal claim, ie under Article 9(2)(f) of the GDPR.

Article 9(2)(f) of the GDPR is drawn very narrowly and the government missed the opportunity to widen its operation via the Data Protection Act 2018 (DPA 2018). This left law firms in a cleft stick when processing special category personal data in circumstances in which explicit consent was not appropriate.

9. Added the digital badge to your website

Following partial implementation of the SRA Transparency Rules in December 2018, the next phase has now come into force—the addition to your website of the digital badge (aka the ‘clickable logo’).

The digital badge became mandatory along with the rest of the SRA regime changes on 25 November 2019 and the SRA has already indicated it will be doing a further sweep of firms’ websites to review compliance with the transparency requirements in general, including application of the badge.

The digital badge is available in three colourways (don’t get too excited—one is black and white and another is shades of grey). Full instructions on how to apply the digital badge are available from the SRA’s ‘partner’, Yoshki here. For more information on the SRA’s transparency rules, see Practice Note: Price and service transparency—law firms.

10. Made people aware of the new SRA regime

Last, but certainly not least, everyone in the firm will be affected by the SRA changes, and needs to know about them. Including you. You should have trained or briefed all of the following:

  • the firm’s staff generally—everyone needs to be aware of the new SRA regime, and their responsibilities under it, including the SRA Principles and when they apply, your breach reporting policy and procedures, and a general understanding of the key changes and their practical implications for the firm
  • solicitors, RELs and RFLs—the SRA Code for Solicitors applies directly to all individual solicitors, RELs and RFLs in your firm and SRA-regulated individuals need to understand their obligations and the SRA’s expectations of them
  • the firm’s management/partners—while all solicitors, RELs and RFLs have personal obligations under the SRA Code for Solicitors, the firm’s managers, ie the partners, are also jointly and severally responsible for compliance by the firm with the SRA Code for Firms and should therefore understand what the Code for Firms covers
  • the compliance team—for obvious reasons, the compliance team will need to have an in-depth knowledge of the SRA Standards and Regulations, including the SRA’s enforcement strategy, and ensure the changes are translated (as necessary) into the firm’s policies and procedures across the board

About the author:
Allison is a former partner of Shoosmiths, with extensive experience of legal management and practice compliance.