How do firms protect themselves in today’s regulatory environment?

Straight talk on aligning regulatory priorities from panellists at the Law Society’s Risk and Compliance Annual Conference 

Many law firms’ regulatory priorities are determined by outside forces, such as regulators or guidance. But, as Richard Farquhar, financial crime and risk manager for Ashurst, noted, firms can’t just focus on that. They need to look at wider obligations and determine what the risks are.

Farquhar moderated a panel at the Law Society’s Risk and Compliance Annual Conference 2024 that focused on how law firms can manage their compliance in the current regulatory environment.

Andy Donovan, managing director and founder of VinciWorks’ Compliance Office, said that firms need a more bespoke approach. Customised compliance is more effective, he noted. Get specific, he counselled, and make sure you have audits in place. If you’re not checking it, it’s not happening, he added.

Donovan likes the templates the regulators are circulating. He acknowledges the “chilling effect” they could have but that’s only if people don’t use them correctly. They won’t be perfect for your firm, he noted, but don’t be bound by the templates. Use them as guidance and make sure you have flexibility built in. And check out the many tools that are now available for firms. There are good tools out there, he said. Just make sure it’s flexible and customisable.

Will that help firms avoid sanctions? There’s no doubt it’s a scarier regulatory environment. Donovan said that we’re seeing more fines and larger ones. He believes a seven-figure fine is on its way to some firm from the Solicitors Regulation Authority (SRA).

There is cause for concern. How can firms protect themselves? According to Donovan, firms that follow these four points have a better shot at staying out of the SRA’s crosshairs:

  1. Have clear policies and procedures and make sure they stay up to date
  2. Communicate these policies and procedures clearly. Make sure you have a good training programme
  3. Implement systems to track everything. Make sure you do regular audits and reviews
  4. When you do spot issues, make sure you remediate the problem and create a report. Significantly, think about what you can do in the future to minimise the risks of that happening again

If you do these four things, he said, the SRA will have a hard time criticising your firm.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.