You have questions about risk and compliance? We have answers 

Some practical takeaways from the Law Society’s Risk and Compliance Conference

At the Law Society’s Risk and Compliance Annual Conference 2024, attendees put their most pressing questions to a panel of experts, whose answers were practical and insightful and gave risk and compliance teams information they could use in their firms.

The first question set the tone for the session. A participant noted that the Solicitors Regulation Authority (SRA) is now using a formula for fines and has increased its fining scope. Are these fines accurate? Should the formula be reformed?

Jayne Willetts, solicitor advocate at Jayne Willetts & Co Solicitors, responded clearly that no, the formula doesn’t produce accurate results, and the fine bears no relation to the seriousness of the breach. Basically, she said, it punishes those that earn a lot of money and not others. But, she added, when a case goes to the Solicitors Distribution Tribunal, there is a better formula that is based on the actual breach.

Another question referred to the top risks on the risk register. Kerrie Machin, partner at Mitigo, responded that cyber risks are at the top and that it’s important to carry out a risk assessment of systems and data, covering threats such as hijacking of email accounts, fraudulent changes to bank details and ransomware attacks. He noted that bad actors are beginning to recognise that data is valuable: they can steal it and threaten to publish it on the dark web. This actually happened to some firms in the past few months.

Kayleigh Smale, a compliance and anti-fraud specialist, said that a firm-wide risk assessment is needed to ensure that the firm is covered, and it needs to be updated as circumstances change, such as when new technology is introduced or new practice areas are added. It’s important that the risk assessment is a living, breathing document that keeps up with the SRA’s latest AML updates.

Emma Williams, director of European risk & compliance at Simpson Thacher & Bartlett LLP, believes that your people are your top risk. They provide the highest risk exposure, and with the new workplace culture rules the situation could get riskier. It’s been nearly one year since the rules were implemented, so they are due for review.

Another question was raised about training, specifically the costs involved and which element of it is the priciest.

Williams noted that fee-earners record their time to a particular code, so it’s difficult to see what the actual costs were, while non-fee-earners don’t, so it’s easy to see what their costs are. Firms are asked by insurers and head offices what the costs are. For smaller firms this is often complicated, especially when they don’t have dedicated compliance teams.

People, she believes, have a limited idea of what training is. It can be 10 minutes at a team meeting, it could be an e-mail, it could be video recordings. What’s important is to be smart about it and provide your staff with what they need.

The next few questions were more technical. One participant wanted to know how to verify ID documents when a client is housebound and can’t get certified copies. Smale said that it’s important to use a risk-based approach and ask whether you have evidence of why the client is housebound. Why can’t you pay a visit? You need to understand the risk of the matter.

Another participant asked whether they need to screen counterparties for non-regulated work. Williams said she thinks it depends on where you set your risk appetite. Some firms will screen everyone, even if they are not an actual client. She thinks you should, but it’s not a legal requirement, although it might be for a sanctions check. Remember to keep the check proportionate to the type of work you are doing.

Another participant asked about source of funds/source of wealth inquiries in private client work. Williams agreed that it’s tricky. Do you start from a suspicious place? The firm needs to decide, because there is little guidance and yet it’s important to understand the client’s source of funds and wealth. It’s hard to just suspect everyone; the starting point does not have to be that there is an issue.

The issue of KYC compliance for beneficiaries with no photo ID, and which alternative forms of ID are acceptable, was raised. Smale noted that it depends on who they are. If someone doesn’t have a passport, you can confirm their identity in other ways, but it requires a risk-based approach. Ask yourself: what are you being asked to do? Does it make sense? It’s not a black and white issue with right and wrong answers.

Tips for getting partner engagement on risk and compliance were requested. Machin had one suggestion: demonstrate what would happen if things went wrong and the firm got fined. These are very easy areas to investigate, especially AML, and there is an obligation to deal with matters as effectively as possible.

The touchy subject of a firm acting as a bank account was raised. Willetts noted that in complicated property deals this comes up often, and usually at the last minute. It’s important that fee-earners are trained to be as alert as possible to the issue of money laundering in these kinds of cases. There are what she calls outlandish proposals, such as restricting firms from holding client money, but she believes the profession needs to participate in these debates, as restricting firms from holding client money and restricting compensation funds will be problematic for the legal profession.

Finally, participants wanted to know how to stay on top of SRA updates. Williams recommended joining LinkedIn groups, checking the SRA website, keeping up with the legal press and signing up to various newsletters.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.