Protecting client money

Why this risk matters

  • Most firms hold money for clients in a pooled client account. Protecting that money is one of the most basic duties of a solicitor.
  • If staff have access to client money, then it is very important to supervise them appropriately. This should involve limiting access to only those who need it. We see cases where employees of firms have misused money without their employer knowing.
  • We also see cases where poor systems and controls have led to client money being misappropriated by third parties.

Trends

  • We receive, on average, 43 reports of misappropriated client money each quarter. This has fallen from a peak of 54 reports at the start of 2016.
  • Email modification fraud, commonly known as 'Friday Afternoon fraud' often targets conveyancing funds:
    • This happens when criminals impersonate genuine people going through property transactions. They do this by breaking into individuals’ email systems or forging emails from them.
    • The criminal then contacts the solicitor using the stolen or falsified address, and asks for their bank account details to be changed. The solicitor accepts the change of details and sends client money to the criminal’s account.
    • We also see cases where the criminal impersonates the law firm and tells the client that the firm has new bank details. In these cases, the client sends the deposit and other monies to the fraudster’s bank account.
  • Over the last year, solicitors have reported to us over £12m of client money stolen by cybercriminals. Reports have increased by 52% (103 in 2016 to 157 in 2017).
  • We get regular reports of bogus firms copying the identity of real firms, often with the intent to steal client money. We received 640 reports of this in the 12 months to January 2018.

Actions

  • Firms that hold client money need to have appropriate systems and controls to protect that money and to comply with the SRA Accounts Rules. They must be able to monitor how well these systems are working. Steps that they can take include:
    • appropriate vetting, supervision and training of staff
    • good accounts management and audit
    • appropriate controls on the client account, including who can access it, when and how.
  • Any firm dealing with client money needs to be aware of email modification fraud, and have a system to manage this risk. This can include:
    • exchanging bank details with the client and any third parties at the start of the transaction, including the other party’s conveyancer, and being clear that this will not change under any circumstances
    • training staff to be aware of any email asking to change bank details, and to verify this by telephone to a previously known number
    • taking care to protect client information as these details can be used by criminals to identify targets
    • considering using systems that offer lawyer checking services, to suit the law firm's particular circumstances, to verify that what is described as the contact or bank information for a third party law firm is genuine.
  • Firms need to report any case of stolen client money to us, even if the money has been replaced.
  • Where solicitors and firms report the loss of client money to crimes such as email modification fraud, we will respond proportionately. Where we have taken action against firms in such cases, it has been because they
    • did not have suitable systems to protect against crime
    • did not replace lost money promptly
    • did not report matters promptly.
  • Firms who knowingly misuse their clients’ money are likely to be referred to the Solicitors Disciplinary Tribunal. A solicitor was struck off after they took nearly £100,000 from the client account and claimed £328,000 of excess costs.
  • When we learn about criminal activities or frauds targeting those we regulate, we issue scam alerts to warn the public and law firms about known threats and to help them recognise patterns. Our warning notice about bogus firms gives more information.

Further information

Print page to PDF