At the risk of being a New Year party pooper, here are some old year resolutions to cast your eye over. Before you march confidently into the exciting new decade of prosperity we’ve been promised, it’s time to clear your conscience about the things you should have done in 2019.
Here’s our top ten list:
- Updated your breach reporting policy and procedures
- (Re)assessed your firmwide AML risks
- Updated your accounts procedures
- Planned for Brexit
- Reviewed your process for accepting undertakings
- Amended COLP/COFA job descriptions (and indemnities)
- Kept your eye on cybercrime and information security risks
- Reviewed your privacy notice (grounds for processing special category personal data)
- Added the digital badge to your website
- Made people aware of the new SRA regime
1. Updated your breach reporting policy and procedures
The SRA Handbook 2011 introduced the concept of material and non-material compliance failures—the former being reportable to the SRA as soon as reasonably practicable. This caused so much consternation across the profession that the SRA had to operate road shows up and down the country. Hardly surprising then that, in the early days of the 2011 regime, we fielded lots of questions from firms about what constituted a material compliance failure and what was reportable. These dried up very gradually as the new regime bedded in and the profession became more comfortable with the SRA’s expectations.
So, obviously it’s time for a change...
Material compliance failures are out. Serious breaches are in. Don’t expect the SRA to tell you what constitutes a serious breach—this would ‘be inflexible and become outdated’, but if you have time on your hands, some clues can be found in the SRA’s 20-page enforcement strategy. Or you could read Practice Note: Breach reporting 2019—What is a serious breach?
And it’s not just actual serious breaches that must be reported. You have to report any facts or matters you ‘reasonably believe are capable of amounting to a serious breach’. Plus, you have to inform the SRA of anything you reasonably believe should be brought to its attention so it can investigate whether a serious breach has occurred. This means you can’t turn a blind eye to potential serious breaches by, for example, other firms.
Once you know what has to be reported, you should address your mind to the dynamics of breach reporting—as between the firm, its solicitors and compliance officers.
The new Code for Solicitors imposes personal breach reporting obligations on individual solicitors (including RELs and RFLs). The last thing your compliance officers want or need is for individual solicitors to bypass them entirely and make reports directly to the SRA. Fortunately, solicitors will satisfy their reporting obligation if they provide information to their firm’s COLP or COFA, as and where appropriate, on the understanding that the compliance officer will make the report to the SRA. Even so, this could cause practical problems for the compliance officer receiving an internal report, eg where they:
- have assessed the report but do not believe the external reporting threshold has been reached and therefore do not make a report—the SRA may question that judgement if it then receives a direct report from the person making the internal report
- have made a report to the SRA, but do not feel it is appropriate to notify this to the person making the internal report—this could lead to double reporting and the SRA questioning the firm’s internal processes
Then there is the interplay between whistleblowing, other reporting mechanisms (eg data breach/ICO) and the SRA’s reporting regime. Firms need to think carefully about how to handle this in their breach reporting policy and procedures. See Practice Note: Breach reporting 2019—Interaction between reporting obligations of compliance officers, individuals and the firm. Precedent: Breach reporting policy—law firms has been carefully drafted to encourage solicitors to route all breach reports directly or indirectly through the firm’s compliance officers, where appropriate.
Having determined how best to navigate your way through these choppy waters, don’t forget to make sure all your staff are on board the good ship Reportiana. There’s no point updating your procedures if no one knows about it. See Precedent: Training materials—breach reporting 2019—law firms.
2. (Re)assessed your firmwide AML risks
While this is not a new requirement, earlier in 2019 the SRA conducted a review of how firms were approaching compliance with the Money Laundering Regulations 2017 (MLR 2017), particularly in respect of firm-wide risk assessments.
It asked a sample of 400 firms to send in their risk assessment documents and the results were not good. Reviewing the responses, the SRA found that many were poor quality and in some cases firms did not have an assessment in place at all, despite it being a legal requirement. In all, the SRA found over a fifth of the firms surveyed did not have a compliant risk assessment...
As a result of the findings from its review, the SRA is now writing to all of the approximately 7,000 firms caught by the MLR 2017 requiring their COLP to sign a declaration confirming that the practice has a firm-wide money laundering risk assessment in place.
Failure to comply is not only a breach of MLR 2017, but also a breach of SRA requirements. The latest SRA Risk Outlook highlighted that the SRA began 172 investigations about AML compliance in the first three quarters of 2019 and has taken more than 60 cases to the Solicitors Disciplinary Tribunal in the last five years.
Risk assessment is also not a one-time event. You should be keeping your AML risk profile under regular review (and indeed the amendments to MLR 2017 implementing the Fifth Money Laundering Directive, in force from 10 January, will increase your obligations in this regard), so even if you have a risk assessment in place, you should have considered whether it needs a refresh.
For guidance on firm-wide risk assessment and a Precedent risk assessment, see subtopic: AML & counter-terrorist financing—Risk assessment.
3. Updated your accounts procedures
Specificity is so last decade. Who wants 86 pages of detailed Accounts Rules and guidance when you can have six pages of join-the-dots? What kind of person wants to operate under prescriptive but clear requirements and timescales when they could grapple with the meaning of subjective terms such as ‘promptly’, ‘fair’ and ‘appropriate’?
The SRA does acknowledge that operating under the new regime will require an ‘exercise of judgment and this will be an adjustment for many firms compared to the 2011 Accounts Rules’. But this ain’t sufficient justification for sticking with the tried-and-tested way of doing things.
And it’s not just this conceptual shift you’ll have to get to grips with. All that woolly terminology camouflages some substantive changes, eg:
- third-party managed accounts are finally with us officially
- there’s a revised definition of client money
- speaking of client money, it has to be paid into client account ‘promptly’
- detailed provisions covering court of protection deputies and trustees of pension schemes have been removed—all money held by them is client money and the Accounts Rules 2019 will apply in full, unless the money is held in a joint account
- obligations in relation to payment of interest have been substantially shortened, changed slightly and moved into the Code of Conduct for Firms
- prescribed wording for the reporting accountant’s letter of engagement has been replaced with a provision that the SRA may specify terms from time to time—no such terms have yet emerged but could appear at any time
- the concept of office money and office account is no longer required—it seems the SRA is only interested in client money and there are only two references to ‘business account’ in the entire Accounts Rules
For a more detailed list, see Practice Note: SRA Accounts Rules 2019—Contrast with SRA Accounts Rules 2011. SRA guidance on specific elements of the Accounts Rules 2019 is beginning to emerge, but the most useful guidance is addressed to the reporting accountant.
It seems the SRA didn’t want your COFA to feel left out. They should have reviewed and updated your accounts procedures. See:
Practice Notes: SRA Accounts Rules 2019 and Client account procedures and records 2019—law firms
You’ll also need to train your staff. This will probably involve ninja training for your finance staff and noddy training for fee earners and other support staff. See Precedent: Training materials—Accounts procedures for non-finance staff 2019—law firms.
4. Planned for Brexit
A fraught year of will-we, won’t-we questions over whether the UK would leave the EU at all and, if so, with what sort of deal and when, finally ended with some form of resolution.
Following the general election in December, it now appears overwhelmingly likely that the UK will leave the EU on 31 January 2020, but with a transitional agreement to take us through to the end of 2020. This means, in the short term at least, your no-deal Brexit planning can be put to one side and you can concentrate on the implications for your firm of leaving under the transitional terms of the Withdrawal Agreement.
Whether the UK has a long-term deal in place by the end of the year is another question and it would be a brave firm that doesn’t continue, for now, to monitor and assess its position in the event of a no-deal scenario on expiry of the Withdrawal Agreement.
By now, you will of course have a good idea of the implications of Brexit for your firm and have made appropriate plans and taken the necessary actions to manage the process. Deal or no deal, you will need to consider the impact of Brexit on the whole of your business, including:
- your lawyers, eg visa and practising requirements if they are qualified in the EU, or EU nationals or UK nationals working in the EU, and
- your firm, eg your ability to continue to provide services from offices in the EU or on a fly-in/fly-out basis, your supply chains, data processing, intellectual property rights
For a recap of some of the key areas to consider and a host of Brexit trackers and Practice Notes, see subtopic: Brexit—compliance and risk management. For an overview of the latest Withdrawal Agreement Bill, see News Analysis: The new EU (Withdrawal Agreement) Bill—what’s changed?
5. Reviewed your process for accepting undertakings
The SRA has tinkered with the definition of ‘undertaking’, but to no real effect and this isn’t the reason why undertakings make our top ten. If you want to know what the SRA has changed, see Practice Note: Undertakings and the SRA 2019—What is an undertaking?
The thing you should worry about is not what is an undertaking, but rather who might be giving an undertaking to your firm.
The 2019 SRA regime permits solicitors to practise in new and different ways. In-house solicitors can provide a wide variety of legal services to external clients. Non-SRA regulated businesses can now employ practising solicitors to provide certain legal services. And then there is the brave new world of the freelance solicitor.
Generally, when receiving an undertaking from a practising solicitor before November 2019, you could assume they were insured. However, this is certainly not the case with freelance solicitors. To be clear, an undertaking given by a freelance solicitor is entirely valid, but the real issue is whether that solicitor is adequately insured if they fail to discharge the undertaking. The level of risk depends on the category of freelance solicitor. For more guidance, see Practice Note: Dealing with freelance solicitors.
There are also practical questions about how monies paid to a third party represented by a freelance solicitor will be held. Freelance solicitors cannot hold client money, nor can solicitors working in-house or for an unregulated entity.
We’ve therefore updated Precedents: General undertakings policy and Undertakings policy for property transactions to contain specific requirements about accepting undertakings from freelance solicitors, in-house solicitors and other professionals.
6. Amended COLP/COFA job descriptions (and indemnities)
It’s probably a good time to refresh the job descriptions you issued to your COLP and COFA back in 2011. The core duties of your compliance officers remain unchanged—take reasonable steps to ensure compliance and report breaches to the SRA. Granted, the formal requirement to keep a record of compliance failures has disappeared from the Standards & Regulations, but it’s resurfaced in SRA guidance on the responsibilities of COLPs and COFAs.
Nevertheless, you should probably update any specific requirements in the job descriptions around breach reporting—see item 1 above, plus Precedents: Compliance officer for legal practice—COLP—job description and role profile—2019 and Compliance officer for finance and administration—COFA—job description and role profile—2019.
If you’re going to review the job descriptions, you may as well also review any indemnity agreement you entered into with your compliance officers—see Precedents: Deed of indemnity—compliance officer for legal practice (COLP) and Deed of indemnity—compliance officer for finance and administration (COFA).
7. Kept your eye on cybercrime and information security risks
With everything else that’s been going on in the last year, it can be difficult to keep up with some of the business-as-usual areas of risk management, such as cybercrime and information security. Just because other areas have come to the fore does not, however, mean that these can take a back seat. Information and cyber security remain a priority risk in the SRA’s latest Risk Outlook and a major risk to firms.
Dealing with an incident is invariably costly and time consuming. It can be detrimental to your staff, your clients, your business and your reputation. Regular (and repeated) training is therefore a must, to maintain high levels of awareness and vigilance within the firm and to help build a culture of reporting so you can quickly identify and remedy issues that arise. Fitting in training can be a real challenge but this is one of those areas where you simply cannot afford to ‘wait until things are a bit quieter’.
8. Reviewed your privacy notice (grounds for processing special category personal data)
It’s taken 18 months for the ICO to fill the black hole created by the GDPR for law firms that process special category personal data of clients and third parties on the ground of establishing, exercising or defending a legal claim, ie under Article 9(2)(f) of the GDPR.
Article 9(2)(f) of the GDPR is drawn very narrowly and the government missed the opportunity to widen its operation via the Data Protection Act 2018 (DPA 2018). This left law firms in a cleft stick when processing special category personal data in circumstances in which explicit consent was not appropriate...
Better late than never, in November 2019, the ICO published guidance on the Lawful basis for processing special category data confirming that Article 9(2)(f) includes processing necessary for:
- actual or prospective court proceedings
- obtaining legal advice, or
- establishing, exercising or defending legal rights in any way
It is necessary, however, to sound a word of caution. This interpretive expansion derives solely from ICO guidance—the GDPR is drawn more restrictively and there is no legislative basis for this expanded interpretation in DPA 2018 (unlike the Data Protection Act 1998). This may be a concern for firms that operate at EU level although most firms will be content to rely on the ICO’s interpretation.
The Law Society has also provided guidance that:
‘GDPR Art 9(2)(f) permits processing of special categories of data for the establishment, exercise or defence of legal claims. This should be interpreted as permitting the processing of special categories of data for the provision of legal advice.’
You will need to form your own view about how comfortable you are relying on the guidance of the ICO and Law Society. Where you are not satisfied that you can rely on Article 9(2)(f), you should consider an alternative ground. Realistically, this is likely to be explicit consent. See Practice Notes: Processing special category personal data of clients—law firms and Processing special category personal data of third parties—law firms.
9. Added the digital badge to your website
Following partial implementation of the SRA Transparency Rules in December 2018, the next phase has now come into force—the addition to your website of the digital badge (aka the ‘clickable logo’).
The digital badge became mandatory along with the rest of the SRA regime changes on 25 November 2019 and the SRA has already indicated it will be doing a further sweep of firms’ websites to review compliance with the transparency requirements in general, including application of the badge.
The digital badge is available in three colourways (don’t get too excited—one is black and white and another is shades of grey). Full instructions on how to apply the digital badge are available from the SRA’s ‘partner’, Yoshki here. For more information on the SRA’s transparency rules, see Practice Note: Price and service transparency—law firms.
10. Made people aware of the new SRA regime
Last, but certainly not least, everyone in the firm will be affected by the SRA changes, and needs to know about them. Including you. You should have trained or briefed all of the following:
- the firm’s staff generally—everyone needs to be aware of the new SRA regime, and their responsibilities under it, including the SRA Principles and when they apply, your breach reporting policy and procedures, and a general understanding of the key changes and their practical implications for the firm
- solicitors, RELs and RFLs—the SRA Code for Solicitors applies directly to all individual solicitors, RELs and RFLs in your firm and SRA-regulated individuals need to understand their obligations and the SRA’s expectations of them
- the firm’s management/partners—while all solicitors, RELs and RFLs have personal obligations under the SRA Code for Solicitors, the firm’s managers, ie the partners, are also jointly and severally responsible for compliance by the firm with the SRA Code for Firms and should therefore understand what the Code for Firms covers
- the compliance team—for obvious reasons, the compliance team will need to have an in-depth knowledge of the SRA Standards and Regulations, including the SRA’s enforcement strategy, and ensure the changes are translated (as necessary) into the firm’s policies and procedures across the board
We have published a number of Practice Notes and Precedent training aids to assist you, eg:
We have also, of course, been reviewing and amending all our affected content. To keep track of what’s new and updated, see Practice Note: SRA reforms 2019—new and updated content or check out the ‘New and updated content’ section of our monthly highlights. If your conscience is seriously troubling you and you haven’t really started tackling the SRA changes, see Practice Note: SRA changes—project planning.
For more information on Lexis®PSL Practice Compliance
Find out more or call 0330 161 1234.
All links in red are only available to subscribers of Lexis®PSL Practice Compliance. To subscribe or for more information, call 0330 161 1234.