Matthew Tasker

Two train tracks merging

Merging under pressure and compliance due diligence

There are firms that, for one reason or another, are finding themselves in unexpected commercial difficulties that make their longer term viability questionable. Radical reconstruction by consolidation through merger may be the only alternative to closing doors for good, with all the unsavoury knock-on consequences that this entails. 

So now – more than ever – there are likely to be opportunities for merger to the potential benefit of both parties and compliance due diligence is extremely important.

 

Compliance due diligence 

In any potential merger situation, it is becoming increasingly clear that compliance needs to be at the top of the priority list. Overall, it is a great indicator as to the overall management style of the merger target as, on a broader scale, the major regulatory standards are placing an increasing significance on the wider principles of good governance as an underpinning ethos to the compliance that they foster.

So… if you’re an ‘acquiree’, what do you need to do to prepare the firm for marketing, and as an ‘acquirer’ what do you need to look for?

They are actually two sides of the same coin. If you are the firm looking for help through merger, it’s similar to a job interview – prepare, prepare, prepare, and then prepare. This applies to training all levels of staff in what we are doing and why. Make sure that everyone is on board as their future employment may depend on it.

As an acquirer, the due diligence cannot be too thorough, especially in the current climate when many personnel are likely to be dispersed.

 

The SAR Principles

The overarching standard is of course the SAR Principles, revised and reduced from ten to seven in November 2019. They are as follows and should be thoroughly interrogated:

“You act:

  1. in a way that upholds the constitutional principle of the rule of law, and the proper administration of justice.
  2. in a way that upholds public trust and confidence in the solicitors’ profession and in legal services provided by authorised persons.
  3. with independence.
  4. with honesty.
  5. with integrity.
  6. in a way that encourages equality, diversity and inclusion.
  7. in the best interests of each client.”

In support of these Principles the firm needs to have a COLP and COFA and you should check that the roles are filled by someone who is appropriately qualified and trained – and takes the role seriously.

You are seeking to adduce evidence that the firm not only talks a good talk but actually delivers on those verbal assurances. There will usually be two aspects to the proof needed that there is such delivery.

You will need to check that there are Standard Operating Procedures that are encapsulated in systematised written format. These will, or should, form recognisable parts of the firm’s Operations Manual.

It maybe that there are a number of different manuals though e.g. the Data Protection or Lexcel Manuals. If the Manuals are stored electronically the fact that they’re all in the same ‘Compliance’ area is indicative of how orderly the firm’s management processes are. Hopefully the Manuals will all be assembled ready for inspection – a well organised firm should have sufficient confidence in its systems to know what a merging firm will be looking for.

You will need empirical evidence. This will take the form of findings from interviews, both formal and informal, and from written records relating to inductions, training and Personal Development Reviews or Appraisals. There will be clues as to the effectiveness of the firms’ governance with such items as structural organograms and procedures for escalating responses for incident handling.

Minutes from meetings of all types, and policy review schedules can also be very helpful aside from broader good governance you should check for clear documentation of the firm’s supervisory structures.

There is increasing emphasis being placed on this in the SRA principles as well as the GDPR / DPA legislation.

 

How do you find it? 

The paper (or electronic equivalent) trail is self-explanatory – time consuming but worthwhile. Gathering empirical evidence is more challenging but probably more revealing.

The firm’s COLP and COFA will always be interviewed. Further interviews should be carried out with a good cross-section of all staff and include front and back office staff at all levels. Remember that conversations solely with partners/senior management will give a slanted perspective.

Insurances – Appropriate levels of PII insurance will be checked together with the firm’s Complaints and Claims registers in support of this. How these are administered is a good indicator of the general management style of the firm and attitude towards compliance. Appropriate cover in other areas to complement the firm’s Business Continuity Planning will also be checked.

Supervision – From the point of view of supervision checks you should speak to both supervisors and supervisees on whether issues are dealt with on a one-to-one basis or in teams; whether training needs are formally identified and how the training is delivered and monitored. This is especially important in the new era of remote working in which firms are currently operating. This topic has been explored in other recent blogs on the Teal Compliance website.

File Reviews – These are another rich source of data and are a vital part of delivering the quality required by the SAR. Check how often they are carried out and by whom and what happens to the results of the reviews.

Training Schedules and Attendance Records – These are very revealing about the firm’s overall attitude towards compliance and its effective implementation especially when read in conjunction with staff interviews for cross-referencing. The firm’s approach towards conflicts avoidance should be carefully monitored.

The firm’s management of its central Key Dates diary should be similarly examined.

 

How do you evaluate it?

It is advisable not to rely on just one opinion and to apply some sort of consistent level of scoring on how compliance is being managed.

Results from interviews are likely to be more subjective so a structured series of open questions contained in a questionnaire will help towards achieving consistency.

 

What is it telling you? 

Working on a “RAG” (Red, Amber, Green) method of assessing levels of compliance it would be highly unusual and deeply suspect to come up with a full pack of Greens. It is a useful indicator but not the whole story. What you are really looking for is the overall style of approach to the whole portfolio of regulatory compliance.

Every firm will have setbacks or issues occurring that expose actual or potential weaknesses in a firm’s breach prevention armoury. These are of themselves not necessarily the most important thing. What really matters is, how the firm approaches dealing with the actual or potential issues, and the overall compliance-embracing culture of the firm, and how the firm works to embed and keep embedded this culture at all levels.

If you are in any doubt about carrying out this sort of exercise then you shouldn’t hesitate to ask for outside help. A third pair of eyes can in any event add an element of objectivity that may be difficult to maintain internally when people are either enthusiastically – or unenthusiastically – polarised about a merger project.

Get in touch

If you’d like to know more about how Teal’s compliance services can help, simply contact our experts today. 

Merging under pressure and compliance due diligence Read More »

Woman looking at screen in office, contemplating

The ICO has teeth, and is not afraid to use them!

So, we all knew that the ICO had been equipped with a fine set of gnashers by the GDPR and DPA legislation. What we didn’t know was what it would take to get them to bare them or actually use them. Or what the consequences of an ICO mastication would look like when the bits had been spat out.

Well this last week has given us some strong clues in the shape of the BA and Marriott International reports giving details of proposed penalties. Both proposed fines are, in real terms, huge at £183M and £99M respectively. Both organisations are considering appeals.

But are the fines in line with expectations? They certainly fall well short of the maximum possible under the GDPR. Speculation when the BA breach first hit the headlines was that the total damage could end up well north of £1bn once damages paid to individual data subjects and costs had been taken into account, with the fine fines accounting for up to half the final sum. In the event, the proposed fine amounts to more like 1.5% of their world-wide turnover rather than the 4% maximum permitted by the Act.

It will therefore be very interesting to read the decision notice in each case once they are issued. In previous reports published by the ICO it appears that it is the attitude of the firm to the handling of the breach, the levels of co-operation in dealing with the fallout, and the data protection culture of the firm as a whole that are the influential factors when the level of punishment for a breach is considered.

What is clear though is that even if the punishment thermometer can be reduced to a factor of, say, 1.5% of turnover this is a highly significant sum to bear for any size of firm. Would your firm be able comfortably to digest it?

For fines aren’t the whole story. There may well be other costs to pay in damages to affected data subjects, not to mention the reputational damage to the firm as a whole. And this is without taking into account the often significant time expenditure in investigating and reporting on the breach, working on putting it right with possibly large numbers of data subjects, working with the ICO in their investigation, and retraining of staff in data protection awareness and minimisation of risk. How many organisations have made provision in their financial statements for the possibility of breach related fines?

So, in analysing the events of the past few days: –

Don’t…

  • Think that the GDPR and DPA don’t apply to you? They Do!
  • Think that the ICO won’t act if you have a breach? They clearly will!
  • Relax in the mistaken belief that to have a set of paper policies alone is sufficient to demonstrate compliance? It’s not!
  • Forget to keep your Statement and Data Protection related policies and procedures under regular review and updated? The Regulation requires it!
  • Ignore the importance of regular awareness training for all staff at all levels and for new staff inductions to place an appropriate level of emphasis on the firm’s data protection culture? It’s a vital contributor to effective breach recognition and management!
  • Afraid of enlisting outside help? A third pair of eyes can assist objectively and save huge amounts of valuable internal time!

Do…

  • Ensure that DPOs/persons responsible for data protection or Heads of Compliance are fully aware of their responsibilities.
  • Ensure that your Privacy Statement is up to date and the internal contact details are accurate.
  • Ensure that your DP policies are up to date and regularly reviewed, and the reviews documented.
  • Ensure that your IT systems are up to the task and, if appropriate regularly “pen” tested and the findings acted upon.
  • Ensure that your DP team is meeting regularly, and their meetings and action plans documented.
  • Ensure that a regular refresher awareness and breach awareness and management training programme is in place for all levels of staff.
  • Ensure that your outsourced contracts contain provisions dealing with the Controller/Processor elements of DP and that their own DP operation is compatible with your requirements.
  • Ensure that there is an embedded data protection culture in the firm that is perceived to be – and is – led from the top.

Get in touch

The ICO’s actions this week have issued a statement of intent to be ignored at our peril – how does your DP package shape up?

If you’d like more information on data protection, or would like to find out how we can help, simply get in touch with our experts today.

The ICO has teeth, and is not afraid to use them! Read More »