Risk Outlook 2013/2014
Spring 2014 update
This paper provides an update on the key risks in the legal services market, indicating the issues that require attention from both us and those we regulate.
Read below Download (PDF 9 pages, 286K)
This paper provides an update on the key risks in the legal services market, indicating the issues that require attention from both us and those we regulate. We provide an update on risks that featured in our Risk Outlook 2013, as well as additional risks, which have since become more significant. Accompanying this update are papers on cybercrime and market consolidation.
This is the second of our updates on the Risk Outlook, which we provide to help you keep informed of key risks. It is important that you think about these risks, ensure that you are aware of your firm's exposure to them, and have plans in place to deal with them.
This approach is not just about compliance with outcomes-focused regulation, it is also an approach that can contribute to other business benefits.
In July we will publish a Risk Outlook for 2014/2015, which will include a refreshed analysis of current, emerging and potential risks.
Director of Risk
The first section of this update gives an overview of risks that have increased in significance since the Risk Outlook 2013. Inadequate systems and controls over the transfer of money is a contributing factor in many different types of fraud. This risk appears to have increased in frequency since it was featured as an emerging risk in last year's Risk Outlook. We also highlight the risks of cybercrime and bogus firms. These were not featured in the 2013 publication, but recent trends and intelligence highlight their emergence as significant risks.
The second section of the update outlines other key changes in risks covered in the 2013 Risk Outlook.
Update on risks that have increased
Inadequate systems and controls over the transfer of money
Law firm involvement with money laundering is something we take very seriously. As outlined in the Risk Outlook 2013, we see it as an emerging risk that some firms do not have adequate systems and controls to prevent, detect and report money laundering.
The number of reports we receive relating to money laundering is rising, with reports of firms perpetrating or facilitating money laundering up from 24 in 2012 to 68 in 20131. We currently have a number of ongoing serious money laundering cases involving law firms, and we see this risk as both serious and increasing. We are currently dealing with issues including involvement with the Russian mafia and inappropriate transactions following the Arab Spring.
Proper systems and controls help mitigate the risk of money laundering. Anti-money laundering controls are not only regulatory requirements but are also legal obligations for regulated firms under the Money Laundering Regulations, Proceeds of Crime Act and Terrorism Act. Alongside reports of suspected money laundering, we also receive 70-80 reports per year of firms having breached these legal obligations.
International guidance from the Financial Action Taskforce (FATF) has identified four main areas of focus for due diligence for law firms around money laundering: clients, source of funds, choice of lawyer and the nature of the retainer2. Under these four headings are 43 'red flags' – key indicators that money laundering could be taking place. Firms need to be aware of these 'red flags' and report any serious suspicious activity in line with their legal obligations.
We are aware of a number of broad trends in money laundering cases involving law firms. Understanding the methods criminals use to launder money through law firms can help strengthen systems and controls to better detect red flags and take action when they are detected.
The EU Fourth Money Laundering Directive is currently under international consultation, with final agreement expected late 2014 or early 2015. Risk of money laundering remains one of our priority areas of work, and we will be considering the implications for our regulated firms of any changes implemented into the UK Money Laundering Regulations as a result of the directive.
The term 'bogus firm' is used to describe a situation when criminals claim to be a law firm in order to commit crime, often in the form of stealing mortgage loans or convincing members of the public to pay upfront fees. The involvement of a law firm, whether genuine or bogus, is attractive to criminals because of the credibility it lends.
Bogus firms usually attract clients through scam emails, letters or websites. They can either be operating as a completely fake law firm, who we do not have a record of, or be a 'clone firm', impersonating an existing legitimate law firm.
In 2012, we received 349 reports of bogus firms and individuals, and published a warning notice to legitimate firms warning them of the risk of a bogus firm impersonating them to commit crimes3. The risk to consumers from bogus firms is rising; in 2013 we received 548 reports of bogus firms and individuals, a 57% increase on 20124.
We mitigate against this risk, as far as possible, through the publication of 'scam alerts' and promoting guidance to consumers on how to spot bogus firms5. However, this problem can be better managed if all firms take steps to mitigate the risk.
Good practices that legitimate law firms can carry out to reduce this risk include:
- carry out periodic internet searches of the firm's name to check for identity theft
- check the firm on the Law Society's 'Find a Solicitor' to ensure details are correct
- be alert to suspicious incidents such as transactions that you have no knowledge of, but that others seem to think your firm is dealing with
- regularly check our website for scam alerts
- contact our Red Alert Line if you believe someone has stolen the identity of your firm or anyone working within it6.
Contact our Red Alert line.
Online crime is becoming increasingly common and relevant to a wider range of firms. It presents a risk to client data and assets, as well as to the financial and structural stability of firms that are affected. Cybercrime refers to crime committed through the internet, which includes everything from hacking to harmful software.
Our paper on cybercrime, provides more details of the nature of this risk, your obligations to manage it, and signposting to other sources of useful information.
There are a number of simple steps firms can take to help control the risks from cybercrime, including:
- keeping browsers, operating systems and anti-virus systems fully updated
- ending or restricting the use of data sticks and email attachments, in favour of secure direct log-ins and online collaboration tools
- ensuring that staff can access only those files that they need, to protect against insider attacks.
Update on other key risks
The following risks were featured in the Risk Outlook 2013. New information is provided about the changing scale and nature of these risks.
Financial difficulty and dishonest misuse of client money or assets
The prevalence of financial difficulty in law firms was well reported over the last year, as was the correlation between financial problems and harm to clients through actions like misuse of client money and disorderly closure. Through data collection and proactive engagement, we have taken a robust regulatory approach to managing these risks7.
During the period that we have been focusing on financial difficulty, we have experienced an increase in reports of misuse of client money. The increase has been driven both by external reports to us and through our supervisors uncovering this issue in firms.
There is a strong likelihood that financial pressure is providing a motivation to some firms to engage in dishonest practices. Our recent research on this topic showed that in a file review of 76 firms in financial difficulty, more than a quarter displayed evidence of misappropriation or misuse of client money8. This is a significant proportion, which points to a correlation between financial difficulty and misuse of client money.
There is also evidence that the legal services market is going through a period of consolidation. This means that the structure of the market is shifting towards a profile with a higher proportion of large firms. As a result, there will be a change in the types of risk in the market.
As well as changes to the risk landscape, this change may also bring about opportunities. For example, the new structure of the market, and firms within it, may perform better at increasing access to legal services for a wider range of consumers.
Whatever the end result of market consolidation, the period of transition that is currently taking place, in itself also increases certain risks – including financial difficulty. Our paper on market consolidation looks at the factors driving this change and the risks of which firms need to be aware.
Lack of a diverse and representative profession
Encouraging an independent, strong, diverse and effective legal profession is one of the regulatory objectives in the Legal Services Act 2007. The need for us to contribute towards this objective is stated in our strategic plan 2013-20159.
In the Risk Outlook 2013, we outlined why we see lack of a diverse and representative profession as a current risk, providing evidence of disparity of access, pay and progression between groups, including those with protected characteristics under the Equality Act.
The Law Society has encouraged firms to examine their approach to equality by publishing a business case for diversity and inclusion in law firms10. This is a positive step towards managing this risk.
The business case highlights benefits for firms of a diverse workforce, including:
- the ability to work with corporate clients who require that their panel law firms match their approach to diversity and inclusion
- the ability to attract private and corporate clients from the increasingly diverse UK population
- attracting talented job applicants from diverse backgrounds
- recruitment and retention of a flexible and responsive workforce – talented staff may leave if they feel discriminated against, whether or not an actual accusation of discrimination is made.
Specific guidance is also provided for small firms, who may have less resource to commit to diversity and inclusion, through provision of small firm case studies11.
For firms of all sizes, there are five key points to help manage risk around diversity and inclusion:
- make diversity and inclusion a 'must have' for business success
- make formal plans for improvement and measure progress
- identify and develop the required capabilities to achieve improvement
- make diversity and inclusion everyone's responsibility
- have fair and transparent recruitment and promotion processes12.
The deadline has recently passed for firms to submit their workforce diversity data, and we will be publishing the results of the data collection and analysis to provide a snapshot of diversity in legal services for 2013.
Failure to co-operate or comply with notification and information requirements
Good quality and timely information is crucial to a risk-based regulator. It means that we can spend less resource on firms that already manage their risks effectively, and dedicate our attention on those that do not. This brings benefits to the public, consumers and well-run law firms.
Since the last Risk Outlook update in Autumn 2013, we have experienced two areas where a significant number of firms have failed to comply with SRA information requirements.
- 21 percent of firms did not comply with the requirement to provide the SRA with data on the diversity of their workforce by 31 January 201413. Firms failing to respond to requests for information about workforce diversity affect our ability to understand if and where improvements are being achieved and our ability to address key barriers.
- We are aware of a significant number of firms that did not comply with the requirement to notify us that they did not obtain professional indemnity insurance (PII) by 1 October 2013. From 29 December, these firms were no longer covered by the Extended Policy Period (EPP). The clients of uninsured firms that continued to practice may have been exposed to potential financial loss, interruption of matters and distress. The cost of regulatory action against these firms will be borne by the rest of the profession.
We will be investigating why firms failed to comply with these requirements, which in some cases will result in enforcement action, including referral to the Solicitors Disciplinary Tribunal in the most serious cases.
Lack of adequate succession or exit planning
We expect that firms will have a viable exit or succession strategy in place. This is particularly important when we are engaging with firms in financial difficulty and those who did not obtain professional indemnity insurance.
Over the last year, we have engaged with many firms who have implemented a successful exit or succession strategy which has prevented disruption to their clients and prevented costly SRA intervention. In January 2014, we published a list of firms who were closing, having entered the Extended Policy Period and not obtained indemnity insurance prior to 29 December. Many of these firms had made a conscious and well-planned decision to close or sell the firm in an orderly way, safeguarding client files, money and assets.
However, we have engaged with a minority of firms who have got into financial difficulty or did not obtain insurance and have not made any robust plans for closure or succession. Our work with these firms is often costly, even if formal intervention is not required. One part of disorderly closure that can be particularly costly is the organisation and archiving of stored files. During one intervention in 2013, we took possession of around 450,000 files as a result of the firm's poor archiving and retention policies. In planning for exit or succession, firms need to consider what will happen to the files in their possession, to protect both the clients who the files relate to, and the rest of the profession who will have to bear the cost of 'clean up'. Part of having an effective succession or exit strategy is demonstrated in the maintenance of an effective, ongoing approach to file storage and destruction.
1. SRA data
2. Money Laundering and Terrorist Financing Vulnerabilities of Legal Professionals, Financial Action Task Force, 2013
3. Warning notice: Bogus firms and identity theft, Solicitors Regulation Authority, 2012
4. SRA data
5. Warning notice: Bogus firms and identity theft, Solicitors Regulation Authority, 2012. Scam alerts are available on the SRA website at http://www.sra.org.uk/alerts/ and are published on our Twitter feed.
6. The SRA's Red Alert Line
7. Navigating Stormy Seas: financial difficulty in law firms, Solicitors Regulation Authority, 2013
8. Steering the course: Research into the characteristics and risks associated with law firms in financial difficulty, Solicitors Regulation Authority, 2014
9. SRA Strategic Plan 2013-2015, Solicitors Regulation Authority, 2013
10. Diversity and inclusion in law firms: the business case (PDF 15 pages, 460K), Law Society, 2014
11. Diversity and inclusion in small law firms: the business case (PDF 13 pages, 503K), Law Society, 2014
12. Diversity and inclusion in law firms: the business case (PDF 15 pages, 460K), Law Society, 2014
13. 79% of firms complete diversity data collection exercise on time, Solicitors Regulation Authority, 2014