Blogs


SRA’s Sectoral Risk Assessment: Technology Risks

There are four emerging risks that the SRA has identified in the Sectoral Risk Assessment which was published in July 2023. One of these emerging risks is technology risks. Here, we explain the SRA’s update on technology risks, and advice on what actions you should take.  

What technology risks are identified in the SRA's Sectoral Risk Assessment?

It’s not the first time that the SRA has mentioned technology risks that are emerging in the legal sector. There are several areas which are in discussion.

1. FinTech - Payment platforms

Recently, there’s been news about one payment platform allegedly allowing transfers from accounts that are identified for money laundering. This raises concerns about what checks are in place for these emerging industries. If they’re not traditional banks, how do we know that they’ve got safeguards in place for AML?

2. FinTech - Crowdfunding platforms

The SRA also talks about crowdfunding platforms, which are also mentioned in the National Risk Assessment. There are instances when people are genuinely crowdfunding in order to pay for their legal fees. However, there’s a risk that people may be using crowdfunding platforms as a way to obscure the source of wealth.

3. Cybercrime

There’s a lot of new legal technology out there, but if law firms don’t know how to use it, they won’t know how to protect it. This could lead to them being exploited by the ‘baddies’ and becoming victims of cybercrime, with criminals stealing your clients’ personal information, infiltrating your bank accounts, etc.

A cyber-attack is an economic crime if the criminals access something that’s valuable, or if they want you to pay them with crypto-currency. So, this is no doubt on your radar already and you’re aware that you’ve got to have procedures in place to prevent cyber-attacks, and that those procedures are tested and working properly.

Over-reliance on technology

The SRA does make the point in their risk assessment about overuse of, and over reliance on, technology to do things like ID&V, with people relying on the big green tick on the report or the pass on the ID&V report as opposed to understanding what CDD has actually been checked and whether you have to do anything else.

With the increase in source of funds/source of wealth technology, understanding how it works and making sure that you’re satisfied with any conclusions that it’s drawing is extremely important.

What actions can be taken to mitigate the technology risks?

Firstly, review the work types that may be exposed to FinTech such as payment platforms and crowdfunding platforms and carry out a risk assessment.

Take a look at recent cyber-attacks on law firms that have resulted in fines from the ICO. You’ll see what investigations have been made and the disciplinary outcomes as a result. The investigations will likely include questions like:

  • When was the last time you trained everybody?
  • What system do you have in place?
  • How do you know it works?

Although we’re discussing AML, there’s also an obligation in the Money Laundering Regulations that when you introduce new technology into your law firm, you need to have conducted a risk assessment about it.

When it comes to introducing new technology, you should make it easy for your law firm to comply by communicating exactly what the tech is doing and exactly how it works. If the SRA is doing an inspection, they’ll expect a good level of knowledge from the person responsible for AML on how the tech works.

Consider any tech you’ve introduced and carry out a risk assessment if you’ve not already done so. Also include any tech that you’re considering introducing. We often find that policies don’t include details of the process of any introduction of any new tech. What it should confirm is that a risk assessment will be conducted as to whether it increases or decreases the risk of money laundering or terrorist financing, and it will be recorded in the Practice Wide Risk Assessment.

Whether you’ve got a new case management system; changed your CDD provider; or got a new accounting system, as auditors we’d be asking to see your risk assessment in relation to each piece of new tech.

As with all things compliance, making sure everything is recorded in your assessment is essential!

Get in touch

At Teal Compliance, we’re here to support your journey towards regulatory and AML compliance.   

If you’re looking to ensure that you, your firm and your clients are safe, simply contact our experts today. 


SRA’s Sectoral Risk Assessment: Proliferation Financing

There are four emerging risks that the SRA has identified in the Sectoral Risk Assessment which was published in July 2023. One of these emerging risks is proliferation financing. Here, we explain the SRA’s update on proliferation financing, the associated risks and advice on what actions you should take.  

What is proliferation financing?

Proliferation financing is the act of providing financial support to individuals or entities involved in the development or acquisition of weapons of mass destruction. Essentially, this means nuclear, chemical, biological or radiological weapons.

How does proliferation financing affect law firms?

When considering proliferation financing, you can’t just assume this doesn’t affect you as you don’t do any military work. You have to think about whether the business is actually a sham, which is financing such weapons.

In addition, many of the ingredients of nuclear, chemical, biological and radiological weapons are common, everyday products, such as fertiliser, chemicals and computer chips. Businesses that appear to sell these products for everyday use, may in fact be supplying them for the production of such weapons.

What does the SRA say about proliferation financing?

The SRA does recognise that the risk of proliferation financing in the legal sector is low. However, they make a valid point in that low frequency doesn’t necessarily mean low risk. So, you do have to consider the areas of work that may be exposed to this and, if you have them, you need to identify the risks.

What actions should you take for proliferation financing?

Firstly, you need to consider the work types that might be exposed to proliferation financing. Work types that might be exposed include trade finance, commercial contracts, manufacturing commodities, shipping/maritime and military defence.

Next you should consider jurisdictions. Are any of the countries involved subject to UN sanctions? Additionally, are any of the countries involved suspected of using, or seeking, weapons of mass destruction? Also are any of the countries involved thought to have a weak border? This relates to countries that could involve people sending ingredients of weapons of mass destruction to neighbouring countries, and bringing them back over the border.

Once you’ve carried out your investigation, you need to ensure that you record your assessment.

Just like with sanctions, even if you don’t think there’s a risk of proliferation financing for your practice, you must demonstrate to the SRA that you’ve thought about it. If this is the case, we suggest adding a line in your AML Practice Wide Risk Assessment to say you’ve considered proliferation financing, you don’t work in these areas or jurisdictions, and therefore you consider the risks to be low.

Like with everything, making sure you record everything is essential!


SRA’s Sectoral Risk Assessment: Sanctions

There are four emerging risks that the SRA has identified in the Sectoral Risk Assessment which was published in July 2023. One of these emerging risks is sanctions. Here, we explain the SRA’s update on sanctions, the associated risks and advice on what actions you should take.  

What does the SRA say about sanctions?

We know that sanctions is a completely separate regime to anti money laundering (AML), but the SRA has stated: “Firms cannot assume that sanctions are not relevant to them. There are a significant number of British nationals subject to sanctions.”

The problem with sanctions is the strict liability. If you’ve acted in breach of the sanctions, then you’re liable. It’s possible that you might get some relief from sanctions as a result of what you’ve done to try and prevent it, but that would be determined as part of the disciplinary process.

Sanctions doesn’t work like, for example, the failure to prevent bribery or the failure to prevent corporate facilitation of tax evasion. Both of those have a statutory defence regime that says, if you follow the guidance issued by Government to try and prevent the offence, then you’ll have a defence if it actually happens. There’s no equivalent in sanctions.

So, if you do have a sanctions breach, then you’re at the will of the adjudication process as to how your process will be looked at, and whether or not you’ll be disciplined. Doing sanctions training, having a sanctions policy and doing sanctions screening is not an automatic ‘get out of jail free’ card.

What is the SRA doing regarding sanctions?

The SRA is really ramping up on sanctions. If you’re from a larger firm, this may not be news to you. You’ve probably known about sanctions for a long time, have a sanctions policy in place, may have done sanctions training, and probably always do sanctions screening as part of a wider ID&V process.

However, for the rest of the sector, the SRA is expecting to see sections in your AML PCPs or in a separate policy about sanctions. They’re probably looking for you to have incorporated it into training, or at least communicated the policy in relation to sanctions. This includes how they happen, what to look out for, and what CDD you should be considering.

At the recent Law Society Conference, the SRA confirmed that they’re doing some thematic work on sanctions and inspecting firms. If we look at the potential changes in the forthcoming Economic Crime and Corporate Transparency Bill, the SRA’s remit, as in what they’re responsible to detect and prevent, is potentially going to be extended. We believe it’s highly likely that this will be extended to include economic crime as well as money laundering and terrorist financing.

Economic crime obviously carries sanctions with it. So, whilst at the moment we’re talking about sanctions in the context of your AML risk assessment, if it’s not already on your to-do-list, you should be looking into this. In the meantime, make sure that you’re recording sanctions in your Practice Wide Risk Assessment, demonstrating that you’ve thought about it. If it’s in a separate document, make sure you reference it.

Is there an overlap between sanctions and AML?

As we’ve already said, sanctions is a separate regime to AML. However, there is an overlap. Some of the things you need to consider for AML will also be relevant for sanctions, such as:

1. Jurisdictions

This is where you look at countries where there’s corruption. If you’re using commercially available CDD searching tools, they’re likely to have sanctions checks within them. However, there is a huge list of countries that you should be aware of.  

When looking at AML and CDD processes and procedures, think about when you are going to get a sanctions match. Do you do it after you’ve taken instructions, later on, or does it depend on what you find out? Always think about the timing of these things. If there’s some distance in your processes, make sure your lawyers have a good awareness of these high risk jurisdictions. That way, they’ll be able to identify them, not just because a search told them, but because they’ve thought about it.

2. Politically exposed people

Politically exposed people can get vast sums of monies from a country and then disappear with it. They then suddenly become sanctioned.

3. Complex corporate structures

The SRA makes the point that a person who becomes sanctioned may suddenly want to offload all of their assets to other people that they have control over. This is so the assets are being owned by those people, and move through banking systems in the name of these other people rather than themselves. So, your CDD, especially in relation to corporate structures, should involve considering:

  • Whether it makes sense for that person, or is this an attempt to evade sanctions?
  • Is it really under the ownership or control of the sanctioned person?

When considering complex corporate structures, don’t scrimp on CDD.

4. Sectors

Of course, there are lots of different sectors which are exposed to sanctions. However, if you have practice areas in the following, these are definitely areas where you should be carrying out a sanctions risk assessment and considering what you think the chances are of being targeted:

  • International trade
  • Shipping
  • Aviation
  • Immigration

Most high street firms don’t practise in these areas. They’re mainly found in larger law firms, and most larger firms have no doubt already got mature programmes in place for sanctions.

However, with immigration in particular, you need to recognise that it does appear in the SRA Sectoral Risk Assessment and that you should think about whether that’s something you’re likely to encounter.

What actions should you take for sanctions?

If you do get exposed to sanctions, you’ll no doubt have already done this work. However, for everyone who believes it’s unlikely to affect them, you do have to be cognisant of the SRA’s quote that “Firms cannot assume that sanctions are not relevant to them….”

If you don’t think that sanctions are relevant to you, make a risk assessment that states that they’re not and record that you’ve done that risk assessment. When you look at the sanctions guidance, it states you ‘should’ conduct CDD on counterparties. We believe you need to consider whether you should be doing this as part of a risk assessment first, before you implement a process.

Of course, your processes always depend on what your risk appetite is. If you’re a particularly risk averse kind of person, and you definitely want to sleep at night knowing that no sanctions could creep in at all, then you’re going to want to do sanctions screening for everybody.

Consider what action you already take. The SRA suggests that there’s a theme of people doing sanctions screening at the file opening stage, and then looping back around as part of ongoing monitoring. Of course, the issue with sanctions is usually about making economic advantages available to someone. It’s usually much later down the line than file opening. So, think about whether your screening has ongoing monitoring or whether you should rescreen if it’s a one-off thing.

Consider if you’ve ever actually encountered sanctions. You may decide that you don’t have sanctions exposure, then you find out you do later on because, for example, there was a problem with processing a payment at your bank, or a problem had flagged up. If so, you might wonder whether your processes are adequate. If not, it might be that you don’t think you need to do much about sanctions. However, don’t say nothing about it! The SRA want you to demonstrate that you have thought about it.


Legal compliance issues: Embracing legal compliance for success

In the world of law firms, the mere mention of the “C” word tends to send shivers down the spines of many. Partners and owners alike sometimes choose to bury their heads in the sand, hoping that legal compliance issues will resolve themselves. However, the landscape is changing rapidly, and firms are evolving their approaches to business support. The old misconceptions of ‘fee burners’ and ‘fee earners’ are giving way to a proactive stance, where compliance isn’t just a requirement but a fundamental aspect of a firm’s culture. 

We believe that investing in business support is the compass that points your firm in the right direction. In this blog post, we’ll delve into why legal compliance is the cornerstone of your firm’s success. It’s not just about collecting a plethora of accreditations, although staying within the guidelines of these accreditations certainly minimises your risk exposure. 

Asking the right questions and breaking down silos

Are you asking the right questions to stay informed about your firm’s day-to-day activities? Are all departments collaborating to review risk registers and ensure everyone’s on the same page? Avoid the smoke and mirrors approach, which only masks underlying legal compliance issues. Instead, let’s shine a light on the importance of communication. 

Engaging with your employees is key to success. Often, during performance reviews, employees express a lack of communication. It’s not about inundating your team with every minor detail; it’s about involving them in achieving the firm’s objectives. Without effective communication, there’s room for important matters to slip through the cracks. 

Consider a compliance project. How many different team members are involved, and is there a streamlined approach to ensure continuity and prevent duplicate tasks? A joined-up approach is crucial. 

Ground-level knowledge: Your shield against regulatory pitfalls

Ground-level knowledge is your shield against regulatory pitfalls. To truly understand its importance, think of it as a solid foundation based on understanding, vigilance, and adaptability. In this section, we’ll explore why this knowledge is crucial for the well-being and prosperity of your law firm. 

1. A foundation of understanding 

Understanding begins with actively listening to what’s happening within your firm. It means having a finger on the pulse of daily operations, being aware of the challenges your employees encounter, and comprehending the intricacies of your clients’ needs. This understanding extends to the beliefs and values that underpin your firm’s culture, ensuring everyone is aligned with the same vision.  

2. The cost of ignorance 

When it comes to legal compliance issues, ignorance is not a valid defence. Regulators expect firms to be well-versed in the regulations governing their sector, and they won’t accept ignorance as an excuse for non-compliance.  

Ignorance can lead to dire consequences, including hefty fines, damage to your firm’s reputation, and even legal repercussions. In the eyes of the law, not knowing isn’t an excuse. Ground-level knowledge is your safeguard against such risks, as it empowers you to stay informed and take proactive measures to address potential legal compliance issues.  

3. The power of continuous review and analysis

Ground-level knowledge isn’t a static state but an ongoing process. It involves continuously reviewing your firm’s processes and critically analysing essential data. 

Regular process reviews enable you to identify bottlenecks, inefficiencies, or areas where compliance may be at risk. It’s similar to fixing weaknesses to make sure they can handle the challenges of time and close inspection. Additionally, the analysis of critical data allows you to spot emerging trends and potential compliance challenges before they escalate into formidable problems.   

Conducting a full 360 review of your business

The process of conducting a full 360 degree review of your law firm isn’t just a routine task; it’s a transformative journey that aligns your firm with the ever-evolving regulatory landscape. Visualise it as the compass that directs your firm towards its full potential in legal compliance. In this section, we’ll delve into why this comprehensive examination of your business is vital for your law firm’s success, particularly in the context of legal compliance, and how it can lead to meaningful change.

1. Celebrating achievements and strengths

Every law firm possesses unique achievements and strengths, often concealed in plain sight. Taking the time to recognise and celebrate these successes isn’t just about acknowledging your accomplishments in legal compliance; it’s about honouring what’s working exceptionally well within your compliance framework. These are the foundations upon which you can build a robust legal compliance structure for the future.  

2. Embracing a culture of self-scrutiny 

Genuine growth often necessitates introspection. It involves the willingness to roll up your sleeves and delve deep into the areas of legal compliance that require improvement. Just as a sculptor chisels away at a block of marble to reveal a masterpiece, your firm must be prepared to examine the rough edges within your compliance procedures.  

Scrutinising areas that need improvement isn’t a sign of weakness; it’s a testament to your dedication to legal compliance. It’s about identifying bottlenecks, inefficiencies, or outdated practices that may pose legal compliance issues. This process demands honesty and the willingness to address shortcomings proactively.  

3. Implementing systematic change

The true power lies in translating your observations and insights into systematic changes that enhance legal compliance. Instead of just pinpointing issues, you develop actionable solutions that bolster your compliance efforts. These changes may include streamlining compliance processes, investing in training and development for your compliance team, or adopting new technologies to bolster compliance tracking and reporting.  

This proactive approach creates an environment where your team can excel in legal compliance, your clients receive a top-notch service, and your firm operates with the utmost legal compliance diligence.  

Revisiting key performance indicators (KPIs)

Key Performance Indicators, or KPIs, are not confined solely to your fee earners. They’re a potent tool that can revolutionise your firm’s approach to maintaining compliance standards. In this section, we’ll explore why KPIs are indispensable, how they extend beyond the fee earners, and why regular reviews are essential to ensure they align with your legal compliance objectives. 

1. Expanding the scope of KPIs in legal compliance

While fee earners often take the spotlight, KPIs have a more profound role to play in the broader context of legal compliance. They should encompass every facet of your firm’s operations, from risk management to client service and regulatory adherence. By embracing a holistic perspective, you can foster a culture of compliance that permeates every department. 

KPIs that focus on legal compliance go beyond mere metrics; they become a compass guiding your firm towards a safer, more compliant working environment. They encourage proactive behaviours and decision-making that prioritises adherence to regulations, mitigating risks, and ensuring ethical conduct. 

2. The imperative of regular KPI reviews for legal compliance

KPIs are not static; they should evolve to reflect changing compliance requirements and your firm’s objectives. Regular reviews are the lifeblood of effective KPI implementation in legal compliance. 

During these reviews, you assess whether the KPIs are still relevant, achievable, and aligned with your evolving legal compliance goals. They provide the opportunity to recalibrate your firm’s course, ensuring that you continue to navigate the legal compliance landscape with precision. 

Independent file audits: Elevating legal compliance through insightful evaluation

Consider conducting independent file audits. They can unveil trends that highlight training issues or identify individuals with untapped potential. Striking a balance between micro-management and providing adequate supervision is essential for responsible leadership. 

Conducting independent file audits is a strategic manoeuvre that transcends routine checks; it’s an opportunity to gain unparalleled insights and elevate your firm’s commitment to legal compliance. In this section, we’ll explore why independent file audits are a linchpin in the quest for legal compliance excellence, how they unearth invaluable trends, and their pivotal role in honing the skills of your team.   

1. The power of independent file audits in legal compliance

Independent file audits are not mere paperwork exercises; they’re powerful tools for enhancing legal compliance. These audits provide an unbiased lens through which you can scrutinise your firm’s practices, ensuring they align with regulatory requirements and best practices. Beyond the checkboxes, they offer a holistic view of your firm’s performance in legal compliance. 

One of the key advantages of independent file audits is their ability to spot trends. These audits can unearth patterns that might otherwise remain hidden. For example, they can highlight recurring legal compliance issues or training gaps within your team. By identifying these trends early, you can proactively address them, fortifying your legal compliance framework. 

2. Enhancing training and identifying potential

The insights gained from independent file audits extend beyond compliance issues. They can also help identify individuals within your team who possess untapped potential. By recognising standout performance, you can nurture future leaders or identify team members ready for greater responsibilities. This not only benefits your firm’s growth but also bolsters its commitment to legal compliance, by having capable leaders. 

3. Striking the balance in legal compliance leadership

Achieving legal compliance excellence requires a delicate balance between oversight and empowerment. Micro-management stifles initiative, while inadequate supervision can lead to lapses in compliance. Independent file audits help strike this balance. They provide a mechanism for oversight without suffocating your team’s autonomy. 

Every role matters: A unified framework

In compliance, the significance of every role within your firm can’t be overstated. It’s not just the lawyers or compliance officers; it’s every individual, from support staff to partners. Embracing a unified framework is the cornerstone of fostering compliance excellence. In this section, we’ll emphasise the importance of this cohesion where everyone comprehends their responsibilities, and how it results in tangible benefits for your firm.

1. The power of a unified framework in legal compliance

Legal compliance isn’t a responsibility that falls solely on the shoulders of a select few; it’s a collective effort. Encouraging your entire team to work within an established framework ensures that legal compliance becomes an integral part of your firm’s DNA. This framework provides clarity, defining roles, expectations, and the processes that ensure adherence to regulatory requirements. 

2. Benefits of cohesion in legal compliance

When every team member understands their role within the legal compliance framework, several benefits emerge. First, it minimises the risk of compliance gaps or oversights. Second, it fosters a culture of accountability, where everyone takes ownership of their compliance-related duties. Third, it streamlines communication and collaboration, facilitating smoother compliance processes. 

In addition, a unified approach to legal compliance enhances your firm’s reputation. Clients and regulatory bodies, such as the SRA, perceive your organisation as one that takes its responsibilities seriously, instilling trust and confidence. It also mitigates potential legal risks, reducing the likelihood of legal repercussions or fines. 

Get in touch

At Teal Compliance, we’re here to support your journey towards compliance that works by mitigating the risk of legal compliance issues.  

We understand that compliance can be a daunting word, but it’s also the key to unlocking your firm’s full potential. Don’t hesitate to reach out if you need assistance. Together, we can navigate the compliance maze and ensure your firm’s continued success. 


Ellie Shute, Associate and Compliance Consultant at Teal Compliance

A day in the life of Ellie Shute – Associate at Teal Compliance

If you’re interested in a career in compliance, our associate,  Ellie Shute, talks about life at Teal Compliance, and what her work involves. 

About me

When I was studying law at university, the whole concept of compliance was a bit of a mystery to me. Surprisingly, I ended up falling into it after graduating. I embarked on a journey through various roles in different law firms, ranging from international researcher to compliance analyst. Along the way, I discovered my passion for navigating the realm of risk. So, when the opportunity to dive into AML compliance at Teal Compliance presented itself, I leapt at it without hesitation.

I’ve been part of the Teal team for a year now, and it’s been quite a ride. Stepping into the start-up life was a fresh experience for me, but I had a gut feeling that I’d made the right call. Working directly with my own clients has been incredibly rewarding. I’ve had the chance to forge relationships with diverse individuals and witness first-hand how my work can truly make a meaningful impact.

My role

When a firm needs assistance or guidance on anything related to AML, I’m their go-to person. My role covers a wide range of duties, from addressing spontaneous ‘Ask Teal’ enquiries to crafting comprehensive policies and procedures from the ground up.

A significant portion of my time is dedicated to conducting audits for our clients, which involves conducting a thorough 360-degree examination of the firm. I’ll delve into their policies, interact with their staff, and scrutinise their client files. It’s during these audits that you truly get to dive deep into the inner workings of a firm and discover what drives it.

In between all this, you can catch me participating in our webinars, ‘Teal Talks,’ where we discuss various AML hot topics. Alternatively, you might find me crisscrossing the UK, delivering training sessions for our clients.

A typical day

I know it might sound like a cliché, but seriously, no two days are alike in my line of work! My schedule is usually booked weeks in advance with client tasks, so I have a rough idea of what’s coming. But you never know what surprises the day might bring.

When I’m in the middle of an audit for a client, one day I’ll be digging through their files, determining if they meet AML requirements. On another day, I’ll be chatting with staff members at a firm to see how much they know about their own company’s policies and procedures.

In the midst of all this, when I’m back at the office, my time is sprinkled with tea & cake breaks, impromptu quizzes, and convincing my colleagues to come and eat pizza with me at lunch.

What I love about what I do

One of the things that I love about my job is seeing how my work directly impacts our clients. We often work with small firms just dipping their toes into AML, and through our efforts at Teal, we help them kick-start their compliance journey and navigate the regulatory landscape.

On the flip side, we also have massive magic circle clients where I spend my time chatting to senior staff from around the globe about the regulations in their jurisdictions. It’s like a dream come true for the researcher in me!

Another aspect of my job that I greatly appreciate is the chance to apply my skills in fresh and innovative ways. Having previously worked as an international researcher, where my responsibilities included reviewing and analysing legislation from various countries, I had the opportunity, while working at Teal, to take the lead in a significant audit for an esteemed magic circle firm. This audit involved the assessment of all of their international offices, and presenting my findings and recommendations to their senior team – the entire experience was truly remarkable.

Find out more

To find out more about a career with Teal, visit our careers page.


What are the SRA doing to enforce lack of AML compliance within law firms?

Sadly, law firms (along with other professionals) are still being labelled ‘Professional Enablers’, an arguably harsh term that has been in place for quite a few years now. This label was repeated by the National Crime Agency (NCA)’s UK Financial Intelligence Unit in their August 2023 update, which stated that Professional Enablers’ “skills, knowledge and expertise are exploited by criminals to launder the proceeds of crime”.

For those of us that have dedicated our time, passion and finances to pursuing a legal career, this term is considered highly offensive. However, the term continues to be thrown at the legal sector because the levels of suspicious activity reports received by the NCA don’t reflect the level of serious organised crime that’s taking place within the UK. Their observations? Those of us within the profession are failing to spot the red flags of money laundering.

So, what are the SRA doing to enforce lack of AML compliance within law firms? As promised, they’ve continued to ramp up their anti-money laundering supervision and investigation measures, with dedicated AML teams being in place since 2019. This demonstrates their desire to dedicate time and resources to ensure AML compliance within firms.

Key Trends

Now, let’s take a look at some of the key trends they’re finding as a result of their supervision and investigation activities:

1. Firm-Wide Risk Assessments (A requirement since 2017)

Much to their despair, the SRA was finding that many firms didn’t have a Firm-Wide Risk Assessment in place, despite their numerous warning notices.

Similarly, a common trend was a failure to suitably tailor precedents according to the firm’s specific risks, namely client risk, product and service risk, jurisdiction risk, transactional risk as well as delivery channel.

They also addressed the fact that firms have returned Declarations to them stating that their Firm-Wide Risk Assessments were AML compliant, when this was far from the case. Whether this was intentional or based upon a reasonable belief that they were remains to be seen.

2. AML Policies, Controls and Procedures

Again, the SRA marked their disapproval at those firms who lacked any AML Policies, Controls and Procedures, a requirement that has been in place since the 2003 Regulations, and reiterated in the updated 2007 Regulations.

Surprisingly, they also found that some firms have robust and comprehensive suites of AML Policies, Controls and Procedures but these were effectively pointless as they weren’t communicated to staff who are the ones carrying out the day-to-day casework.

3. Lack of Independent AML Audits (where appropriate to the size and nature of the firm)

The SRA said that they expect most firms to have an independent AML Audit.

This is something that we see here at Teal Compliance. Many firms either don’t realise that they should have an Independent AML Audit or it’s something firms know they need to do, but don’t have the time, resources or budget to do.

Independent AML Audits can be a vital opportunity for your firm to address any deficiencies in your AML Policies, Controls and Procedures as well as to interview staff members and carry out file reviews to see whether the policies, controls and procedures are actually being adhered to as intended.

The SRA has confirmed that they intend to carry out AML audits for every firm; it’s a case of when this takes place as opposed to if this takes place.

4. Lack of AML Training within firms

Lack of targeted AML training within firms was another finding picked up by the SRA during their supervisory and investigative functions. Knowledge is power, so failing to equip staff with the knowledge and resources to spot red flags for money laundering can create large holes in a firm’s AML framework.

AML training should be a key focus for all firms, starting with the staff induction process and continuing on a regular basis (recommended annually as a minimum). Staff who work in higher risk sectors would expect to have more frequent training that is bespoke to their work type. However, distributing AML blogs and enforcement cases to staff can also form a supplementary part of the training framework, helping to keep staff members engaged.

The SRA has confirmed that its next Thematic Review will be in respect of AML training. This means they’ll also be visiting firms to review firms’ AML training processes. So, make sure your house is in order. The SRA will expect to see a training record detailing what training each staff member has had and when.

AML Breaches

Now, let’s turn to some of the statistical findings from the SRA’s supervision and investigations. In 2022, 249 AML Reports were made from the AML Supervision team with the most common breaches being as follows:

  • 61 Reports of failing to have proper AML Policies and Procedures
  • 60 Failure to carry out source of funds and source of wealth checks
  • 58 Failure to carry out risk assessment at client/matter level
  • 48 Failure to carry out Firm-Wide Risk Assessment
  • 47 Failure to carry out/complete CDD

SRA Enforcement Measures

Aside from sometimes causing catastrophic reputational damage, SRA enforcement measures can have a crippling financial impact on firms of all sizes. However, the SRA have continued to use their full fining powers – both at an individual level as well as a firm level. Let’s have a look at some of the key cases:

1. Mrs A - £2,000 fine

  • Failure to follow firm’s PCPs
  • Failing to establish appropriate level of risk
  • Failure to obtain source of funds and source of wealth information

2. Firm B - £20,000 Fine

  • Failure to have Firm-Wide Risk Assessment
  • Incorrect Declaration made to SRA regarding the Firm-Wide Risk Assessment
  • No independent audit
  • Failure to provide staff with AML training
  • Failure to carry out client and matter risk assessments
  • Failure to carry out source of funds and source of wealth checks

3. Mr C - 12 month suspension on Practising Certificate

  • Failure to perform CDD adequately
  • Failure to perform EDD where appropriate
  • Found manifestly incompetent

For further information on the SRA’s New Fining Powers, please click here

What should law firms take away from this?

At the SRA’s conference in March 2023, Paul Philip, Chief Executive of the SRA, recognised that most firms are still trying to ‘catch up’ with the large amount of regulatory guidance and legislation that’s come into force in recent years. He stated that these firms will have nothing to fear.

It’s apparent that firms that are demonstrating wilful disregard to the requirement to have a comprehensive AML framework in place are those that are likely to feel the full force of the SRA’s fining powers, in addition to firms who return Declarations that they know to be incorrect.

The SRA also recognised that in times of wider economic pressures (such as the current cost of living crisis) there may be a tendency for firms to reduce their AML resources, whether that’s staffing levels or technology. However, they confirmed that AML resources must not be reduced and must remain a key priority for all firms.

Get in touch

If you require assistance with any of the topics discussed in this blog, such as assistance with your Policies, Controls and Procedures, AML training for your firm or you’d like to discuss our Independent AML audit services then please get in touch. 


Eilish Cullen, Compliance Consultant at Teal Compliance

A day in the life of Eilish Cullen – Senior Associate at Teal Compliance

If you’re interested in a career in compliance, our senior associate, Eilish Cullen, talks about life at Teal Compliance, and what her work involves. 

About me

I’ve been working as a Senior Associate at Teal Compliance since November 2022. Having previously carried out Teal’s comprehensive Compliance Officer Training Programme, I was already aware of their reputation within the compliance industry. Prior to this, I worked at a small litigation firm in Liverpool and had several roles including Head of Department, Deputy COLP, Director and Complaints Partner. 

In my previous role, I carried out a wide range of tasks including fee-earning, supervision, training, elements of human resources, as well as policy drafting and compliance record keeping.

My role

My day-to-day duties usually consist of:

  • Reading Legal Futures/Law Gazette. Fellow ‘compliance geeks’ will understand the need to keep ourselves informed of Regulatory and AML developments.
  • I try to be active on LinkedIn. It’s a great platform to share our knowledge with clients, potential clients and those in the industry. I think it’s important for our clients to know about the services we provide and to put some personality into what others deem to be a ‘dry subject’.
  • I’ll plan out my day. This could be a Policy Review, Regulatory/AML training, CQS File Reviews or our most popular service – our independent AML Audit.
  • As Associates, we always keep an eye on our inbox for ‘Ask Teal’ enquiries. This is a central inbox where clients contact us seeking urgent guidance, and we aim to provide high-quality expert advice within a short period of time. Some of these can be very technical and tricky but between the Teal Team, we have always been able to assist.

A typical day

Whilst we’re thankful to have flexible working, I tend to work 9am-5pm.

Thankfully, the Management Team at Teal encourage taking regular breaks and are very keen on having good mental health strategies in place – no one wants a burnt-out employee! This means I always take my lunch break, something that didn’t really seem to happen in my last role due to other demands. I definitely feel more productive as a result.

Sometimes your best thoughts come to you whilst walking your dog – who would have thought?

What I love about what I do

One of the reasons I love working at Teal is the sense of job satisfaction I get, something I feel was missing in my last role due to ‘spinning so many plates’ and never truly feeling that I was adding value as a result.

Many of our law firm clients feel the same, with their time and resources being thinly stretched. Here at Teal, I’ve been given the opportunity to provide expert guidance to our clients and help to shape their compliance framework for the better which gives me a great sense of personal achievement. This is why I ‘do what I do’.

Diversity is also something that keeps me motivated. No month at Teal is ever the same! Alongside carrying out independent AML audits, CQS file review and AML training, I have also been selected to participate in round table discussions on financial management and regulatory issues. Having this level of exposure has been extremely beneficial for my career development within Teal.

That said, like many professionals, I’m sometimes plagued with the dreaded ‘imposter syndrome’ and doubt my own capabilities. However, I genuinely think this is counter-balanced by having a supportive and positive team around. Getting good client feedback also helps!

Find out more

To find out more about a career with Teal, visit our careers page.


The potential pitfalls of SARs: 10 ways to avoid them

Filing Suspicious Activity Reports (SARs) should be a top priority for UK law firms, especially when dealing with situations that raise red flags for potential money laundering. However, the term ‘suspicious’ itself presents a conundrum due to its lack of a precise definition. The ambiguity surrounding suspicion demands clarity in expressing your concerns—not only to protect your firm against legal repercussions, but also to maintain transparency with your clients.

Here, we look at the pitfalls of filing SARs, and provide our top tips to avoid them. 

Battling financial crime

The 2022 Suspicious Activity Reports (SARs) Annual Report, released by the National Crime Agency (NCA), presented a clear picture of the evolving landscape of financial misconduct, spanning 2020/21 and 2021/22. The report includes the following:

Setting new records

The report reveals an impressive 21% surge in SARs submissions, reaching a staggering 901,255 in the latest financial year. This increase underscores the growing vigilance within regulated sectors against potential money laundering and criminal activities.

Striking back at criminals

SARs continue to play a pivotal role in halting financial crime. An astounding £305.7 million was denied to suspected ‘baddies’ through Defence Against Money Laundering (DAML) requests – a remarkable 120.6% boost from the previous year’s £138.6 million. This surge reflects the effectiveness of SARs in curbing illicit financial gains.

Adapting to changing scenarios

The pandemic and geopolitical events have emphasised the adaptability and significance of SARs. Criminals exploited the pandemic chaos, underscoring the need for accurate financial intelligence – intelligence that SARs provide. The report highlights the role of SARs in unearthing money laundering linked to sanctioned individuals and their affiliations, particularly following Russia’s invasion of Ukraine.

The potential pitfalls

Despite the crucial nature of SARs, there’s a challenge when it comes to what constitutes ‘suspicion’. Cases like Lonsdale v National Westminster Bank plc [2018] EWHC 1843 (QB) have added to the complexity of this issue.

David Lonsdale, a property law barrister, found himself entangled in a situation where his bank accounts were frozen due to suspicions of money laundering.

Mr Lonsdale owned several properties and managed the finances of each of those enterprises with seven separate bank accounts, including one account for his earnings as a barrister, and another two joint accounts.

The bank's actions

In March 2017, NatWest decided to freeze one of his joint accounts for eight days while filing a SAR to the NCA. In December 2017, they froze all of his accounts while filing additional SARs. That same month, NatWest wrote to Mr Lonsdale, informing him that they were going to close all of his accounts, offering no explanation or justification.

Of course, if a bank has genuine suspicion of money laundering, they’re entirely within their rights to file a SAR and freeze accounts.

Mr Lonsdale's response

Mr Lonsdale vehemently objected to the closure of his accounts and the accusation of suspicious activity. Mr Lonsdale demanded an explanation, but the bank refused to discuss the issue. As a result, Mr Lonsdale requested disclosure of the SARs, as well as any notes leading to the decision, recorded against his accounts, under the Data Protection Act 1998 (since superseded by DPA 2018).

In line with DPA laws, the bank provided account data, but refused to share the contents of any of the SARs raised against him. This led Mr Lonsdale to file complaints on the grounds of:

  • Breach of contract
  • Breach of DPA 1998
  • Defamation of character

The bank continued to assert that they weren’t obliged to grant access to the contents of the SARs. This led Mr Lonsdale to escalate the case by making an application to the courts.

The case results

When the case was heard, the judge found in favour of Mr Lonsdale’s application to access the content of the SARs.

The judge stated that suspicion must exceed mere fanciful possibility and acknowledged the absence of a requirement for suspicion to be ‘clear’ or ‘firmly grounded and targeted on specific facts’.

What we learned

The lack of a formal legislative definition for ‘suspicion’ has led to confusion and subjectivity. However, the judge’s response implies that suspicion holds a subjective nature, although it must be genuine.

NatWest was within its rights to take action, as banks can freeze accounts if genuine suspicion exists. However, this case highlighted the need for transparent communication and well-founded suspicions.

It establishes that, in some circumstances, clients may be legally entitled to view a SAR made about them, which could, potentially, lead them to bring a defamation claim against the MLRO if that suspicion turns out to be damaging and incorrect.

10 tips to avoid the pitfalls of SARs

In line with advice from the National Crime Agency (NCA) and the insights from the Lonsdale case, here are ten effective ways to navigate the potential pitfalls when reporting suspicious activity:

1. Clear and concise language

Aim for simplicity over legal jargon. Remember, the ‘reasons for suspicion’ section of the SAR limits your input to 8,000 characters, which translates to about 1,500 words. Clarity is your best ally.

2. Precise reasoning

When expressing your suspicion of money laundering, provide a comprehensive narrative. Address the fundamental questions: Who? What? Where? When? Why? How? Leave no room for ambiguity.

3. Thorough details

Don’t shy away from specifics. When identifying individuals and businesses involved, include as much detail as possible. If suspected criminal property is in the mix, ensure it’s outlined with precision while adhering to privilege guidelines.

4. Detailed information

Elaborate on every piece of information that contributes to your suspicion. Clearly explain how you encountered this information, creating a transparent trail that others can follow.

5. Distinguish facts from suspicions

Separate hard facts from suspicions. It’s essential to distinguish what you definitively know from what you suspect. This distinction adds clarity to your report.

6. Chronological sequence

Create a chronological timeline of events that substantiate your suspicion. Be meticulous with dates, providing a clear sequence that supports your case.

7. Justify suspicion

Go beyond a mere declaration of concern. Provide the rationale behind your suspicion. For example, if sizeable third-party transfers are involved, outline whether you contacted the client, explain the inadequacy of their response, and detail how the transfer pattern arouses suspicion.

8. Deviation from the norm

Highlight how the flagged activity differs from normal operations within the specific customer or business sector. This contextual insight strengthens the gravity of your concern.

9. Professional involvement

If your SAR implicates a professional enabler (like an accountant or conveyancer), assess their involvement. Specify whether their participation appears witting and provide reasons for your assessment.

10. Clarity on transactions

Clearly describe whether your suspicion pertains solely to transactions or if it extends to the professional behind them. Transparency in this regard bolsters the effectiveness of your report.

 

Given the potential for vagueness in the term ‘suspicion’, it’s reassuring to know that The Law Commission is working to provide clearer guidance on what constitutes suspicion. In the meantime, adopting these ten tips will bolster the thoroughness and precision of your SARs.

 

Get in touch

If you need advice or guidance with AML compliance, we’re here to help you. Simply get in touch with one of our friendly experts today.


How law firms can prevent cyber-attacks

Think of your accounts like your home. You can have the best locks and the best alarms but, if burglars want to get in, they can often find a way. However, having the best locks and the best alarms does deter them, and it’s the same with cybersecurity. You have to do everything you can to prevent cyber-attacks, protecting your law firm and making it as secure as possible.

When looking to prevent cyber-attacks at your law firm, there are a number of things you can do. This blog provides advice on ways to safeguard and limit your law firm’s exposure to cybercrime.

Safeguards to prevent cyber-attacks

There are numerous safeguards to prevent cyber-attacks. Some may seem a little obvious, but it’s important that they’re all in place to protect your law firm to the best of your ability. These are the most important safeguards:

1. Two-factor authentication on all logins

Whatever account you log into, you usually do so with a username or email, and a password. Two-factor authentication is an extra layer of security. Once you’ve input your username and password, you’ll then have an additional task to complete. This could be authorising the login via an app on your phone or computer, or a text message with a one-time-only code. It’s only when you complete this additional task that you’re able to access your account.

Make sure you have two-factor authentication set up on all your accounts, so it’s much more difficult for scammers, or baddies, to access them.

2. Regularly monitor sign-in activity on your account

Many logins, especially email logins, notify you when someone has logged into your account. These notifications can provide information such as who has logged in and where they’ve logged in from, for example, if they’re overseas.

Make sure, where possible, that you have these notifications activated. That way, when a baddie accesses your account, you’ll be able to act swiftly.

It’s important to note that the location may not always be genuine. If the baddies are using a VPN, they may be able to hide their location and make it look like they’re in the UK.

3. Anti-virus protection

Although it sounds obvious, anti-virus protection can significantly increase your security. It can often detect when a website looks odd, or something doesn’t look quite right. It will alert you to potential suspicious activity, giving your law firm an extra layer of protection, making it more difficult for baddies to get into your accounts, and helping you prevent cyber-attacks. Having your IT department test these firewalls is essential to check they are working.

4. Spam filter

The spam filter isn’t always reliable. Although it can detect some potential fraudulent emails and move them to your spam folder, it can often miss them. Also, genuine emails can often get caught up in spam. However, it does add an extra layer of security and makes you think twice about emails that end up in your spam folder.

5. Strong passwords

According to an article by Tech.Co on ‘Securing Accounts in 2023’, it’s quite easy for hackers to guess uncomplicated passwords. If a password is under 10 characters, it will only take 2 weeks to crack, and a simple 10-character password made of numbers or lowercase letters can be cracked in under 24 hours.  

Therefore, making sure your accounts have strong passwords is an extremely important part of safeguarding to help prevent cyber-attacks.
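The sign-in monitoring point above, including the caveat that a VPN can make an overseas login look like a UK one, can be turned into a small review script. This is an added example, not part of the original blog; the CSV layout, user names, device IDs and the two-hour window are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of sign-in records (not real data).
SIGN_INS = """\
timestamp,user,country,device_id
2024-03-04T08:55:00,jsmith,GB,laptop-01
2024-03-04T09:20:00,jsmith,NL,unknown-7f
2024-03-04T13:10:00,apatel,GB,unknown-2c
2024-03-05T08:50:00,apatel,GB,phone-04
"""

# Devices each user normally signs in from (assumed to come from an asset list).
KNOWN_DEVICES = {"jsmith": {"laptop-01"}, "apatel": {"phone-04"}}


def review_sign_ins(csv_text, known_devices,
                    expected_countries=frozenset({"GB"}),
                    travel_window=timedelta(hours=2)):
    """Return [(timestamp, user, [reasons])] for sign-ins that need a closer look."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["timestamp"])
    last_seen = {}  # user -> (time, country) of the previous sign-in
    alerts = []
    for row in rows:
        when = datetime.fromisoformat(row["timestamp"])
        user, country, device = row["user"], row["country"], row["device_id"]
        reasons = []
        if country not in expected_countries:
            reasons.append("unexpected_country")
        # Location alone is not reliable: a VPN can make the country look
        # normal, so an unrecognised device is flagged even for a GB sign-in.
        if device not in known_devices.get(user, set()):
            reasons.append("new_device")
        previous = last_seen.get(user)
        if previous and previous[1] != country and when - previous[0] <= travel_window:
            reasons.append("country_change_too_fast")
        last_seen[user] = (when, country)
        if reasons:
            alerts.append((row["timestamp"], user, reasons))
    return alerts


if __name__ == "__main__":
    for alert in review_sign_ins(SIGN_INS, KNOWN_DEVICES):
        print(alert)
```

The third record is the VPN case: the country looks normal, and only the unrecognised device brings it to attention.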

Limiting exposure to cybercrime

In addition to putting safeguarding measures in place to help prevent cyber-attacks, there are various ways in which you can also help limit exposure to cybercrime:

1. Where possible use an app for clients to confirm bank details

There are apps available where clients can confirm their bank details together with the name of the person that’s expected to receive funds and it will confirm their details. Some banks also now match up the recipient’s name. It’s important to note that these tools are useful for guidance, but you can’t rely on them to be 100% accurate.

2. Never accept bank details over email

Pick up the phone, or better still, speak to them in person to get their bank account details, although we appreciate it’s not always practical to do that.

3. Set up daily payment limits and limits on amounts per transaction

Although this isn’t necessarily practical as a conveyancer, given you’re dealing with transactions of huge amounts of funds all the time, setting up daily payment limits and limits on amounts per transaction can be very beneficial. If you’re unable to do this with your client account, you might want to consider it for your current account.

If you do this, and a baddie does access your account, they’ll be limited to what they can transfer, which limits your exposure to risk.

4. Dual authorisation on banking

Dual authorisation on banking can be really useful. It’s the modern-day equivalent of having two signatures on a cheque. The advantage is, if there is a scam, one person failing to recognise it is possible, but two people failing to recognise it is much less likely.

5. Have more than one bank account

The advantage to having more than one bank account is that if baddies manage to get into one account, they’re only limited to the funds in that account.

Taking a step back from the cybersecurity reasons, there’s also a practical reason for having more than one bank account. Money in most UK banks is under FSCS protection. Your money is protected up to £85,000, but anything over £85,000 is not covered by FSCS protection. It’s unlikely that more than one bank would go under at any one time and therefore spreading your money across different bank accounts limits your risk.

6. Regular virus checks

Having regular virus checks on all your devices, such as phones, tablets, laptops, and PCs, can significantly reduce risk and prevent cyber-attacks.

7. Have a good IT response

When a cyber-attack takes place, your response time is extremely important. If something were to happen, you need IT support on hand, rather than trying to find someone to help and wasting valuable time. Having someone at the end of the phone who can put your systems on lockdown and limit your exposure is extremely important.
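The payment limits (item 3) and dual authorisation (item 4) described above can be combined into one release check. The sketch below is an added example, not taken from the blog or from any banking product; the class names, limits, payment references and staff names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal


@dataclass
class Payment:
    ref: str
    amount: Decimal
    approvals: set = field(default_factory=set)  # distinct staff who approved


class PaymentControls:
    """Per-transaction limit, daily limit and two-person approval (hypothetical)."""

    def __init__(self, per_transaction_limit, daily_limit):
        self.per_transaction_limit = per_transaction_limit
        self.daily_limit = daily_limit
        self._released = {}  # date -> total released that day

    def approve(self, payment, approver):
        # A set means the same person approving twice still counts once.
        payment.approvals.add(approver)

    def release(self, payment, on):
        """Return (released, reason); nothing is recorded unless released."""
        if len(payment.approvals) < 2:
            return False, "needs_second_approver"
        if payment.amount > self.per_transaction_limit:
            return False, "over_transaction_limit"
        total_today = self._released.get(on, Decimal("0"))
        if total_today + payment.amount > self.daily_limit:
            return False, "over_daily_limit"
        self._released[on] = total_today + payment.amount
        return True, "released"


def demo():
    """Run constructed payments through the controls and collect the outcomes."""
    controls = PaymentControls(Decimal("10000"), Decimal("15000"))
    day1, day2 = date(2024, 3, 4), date(2024, 3, 5)
    outcomes = []

    p1 = Payment("INV-1", Decimal("9000"))
    controls.approve(p1, "alice")
    controls.approve(p1, "alice")  # duplicate approval by the same person
    outcomes.append(controls.release(p1, day1)[1])
    controls.approve(p1, "bob")
    outcomes.append(controls.release(p1, day1)[1])

    p2 = Payment("INV-2", Decimal("12000"), {"alice", "bob"})
    outcomes.append(controls.release(p2, day1)[1])

    p3 = Payment("INV-3", Decimal("7000"), {"alice", "bob"})
    outcomes.append(controls.release(p3, day1)[1])  # 9,000 already released today
    outcomes.append(controls.release(p3, day2)[1])  # a new day resets the total
    return outcomes


if __name__ == "__main__":
    print(demo())
```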

How to prepare for a cyber-attack

It’s important that you prepare for a cyber-attack by ensuring that a firm-wide policy is in place which details what should be done in the event of a cyber-attack.

It’s also important to ensure that everyone has had the relevant training, which includes how to detect a cyber-attack. The SRA has suggested that you should probably have training every four months as people can easily forget what they have to do, so they need a reminder.

Carrying out a root cause analysis after an attack is important to establish why the attack happened and what measures can be put in place to stop it happening again. 

Cybersecurity insurance

Many people believe that in the event of a cyber-attack, their business or professional indemnity insurance will cover it. However, they don’t actually cover cyber-fraud. 

Insurance companies know that cybercrime is a substantial risk so the cybersecurity insurance they offer usually has an extensive premium and a rather hefty excess. Many law firms when assessing the risks believe that the cost of the premium and excess is so large, that they’re never going to claim on it, and therefore, having it would effectively waste their money.

Because cybercrime is so high-risk, the insurers often put a lot of limitations on the policy as well as expectations on the policyholder. So, if you do have cybersecurity insurance you need to ensure you’re well aware of all of these points and also what the insurers’ reporting requirements are in terms of time periods. Otherwise, you may find yourself in a situation where you pay a lot for a policy that isn’t fit for purpose.

What are the SRA regulations in the event of a cyber-attack?

In the event of a cyber-attack, you need to contact the SRA. As a solicitor, you have certain obligations under the account rules.

If money has been sent to the wrong person from the client’s account, the SRA regulations state that you need to pay that money back into the client’s account immediately. You can’t wait to try and get the money back first.

There was a case where the SRA fined a law firm as they didn’t pay the money back into the client’s account for four months. This was a breach of accounting rules that resulted in a significant fine.

There’s also a requirement to report the incident to the ICO within 72 hours. 

You also need to tell your client. You don’t want your client to find out another way, such as if it ends up on the news, or the regulator contacts them. Be honest and open, even when it’s difficult.

Get in touch

If you need advice or would like to talk to us about one of our products or services, simply get in touch and one of our experts will be happy to help.


How to detect a cyber-attack via email at your law firm

The SRA recently confirmed that 100% of the reports of cybercrime they had came from email fraud. In addition, 98% targeted conveyancing, as it’s easier for fraudsters or baddies to try and divert large sums of money in this area of law. It’s therefore hugely important that law firms understand how to detect a cyber-attack via email.

This blog explores the various signs to identify suspicious emails that may lead to a cyber-attack via email.

Why do scammers want to access your email account?

Before looking at how to detect a cyber-attack via email, it’s important you understand why baddies want access to your email account.

When they have access to your email account, they can see emails that have come in and gone out of your account. This will give them access to a wide range of data.

This is especially dangerous for law firms as it could include details of transactions that are about to be made, together with personal details of those involved in the transactions. This could significantly help them when they’re trying to commit fraud.

Having access to your email account will also mean the baddies will have access to your calendar. If they’re planning to send fraudulent emails from your account, it’s more likely that they’ll do it when they know you’re not going to be online. That way, there’s more chance of you not noticing suspicious activity until it’s too late, and the damage has already been done.

What are the signs to identify suspicious emails that may lead to a cyber-attack?

When looking at how to detect a cyber-attack via email, there are numerous signs to look out for.

1. Emails with links asking you to sign into your account

The easiest and most common way for baddies to access your email account is by sending you a link, asking you to sign into your account. There are many different ways they do this. It might be an email from an account that appears to be Microsoft or Google, asking you to re-enter your password via a link. It might be an email from another source asking you to log into your email from a link, so you can sign a document. Even if it’s from an email sender you know and trust, their email account may have been hacked.

When you click on these links, the pages you go to are not genuine and instead of logging into your account, your details are stored. So, avoid clicking on these links in emails.

2. Emails saying that bank account details have changed

You’ll no doubt have heard about, or even received, emails that say things like “we’ve just changed our bank details”. Again, even if you trust the sender as you know them, they too may have been hacked, so it’s important to verify this. Give the person a call but don’t use the phone number on the suspicious email.

If you don’t verify this and it is the baddie’s bank account, it’s unlikely that you’ll see that money again.

3. Emails not in the style you'd expect from the sender

When you receive emails from suppliers, colleagues, clients, friends or family, usually, they tend to have their own style, using specific language and terminology. If you receive an email from someone you know, and it doesn’t use the style you’d expect from them, you should consider the email suspicious.

Again, try to authenticate the email by speaking to them, but if you call them, don’t use the number on the suspicious email. Remember, the email might be coming from the genuine sender’s account, but it doesn’t mean it’s them.

Detecting a cyber-attack via email from someone you don’t know, whose usual style you can’t compare against, can be trickier. However, you can still consider the style. For example, if it was coming from a lawyer from another company, are they correctly using legal terminology?

Regardless, if anyone is asking you to transfer money, or do something else which may lead to fraud, think twice!

4. Emails with a sense of urgency

Many baddies send emails that ask you to do something as a matter of urgency. For example, the email might say that your account will be deleted, or that you’ll be fined if you don’t pay within a short space of time. They may even send emails posing as a manager from your business, asking you to transfer money, for example, saying they’re stuck in a conference and urgently need to make a payment, but their card is blocked.

Baddies want you to panic. They know you don’t want accounts to be deleted, get fined, or get in trouble at work, so you’re likely to take action quickly, as you’ve had little time to think.

The SRA recently said that 82% of the breaches that had been reported to them were as a result of human error, due to being under pressure. Therefore, if an email suggests you make a transaction quickly, don’t panic, think twice and do your due diligence.

5. Emails with signatures that are not quite right

Many baddies pose as reputable organisations, such as Gov UK, Royal Mail, high street banks, etc. Therefore, they include an email signature from that organisation, which often includes a logo.

It’s important to always check the email signature as there can be clear signs in detecting a cyber-attack. The signature and disclaimer may not use the right language or terminology or may even have spelling errors. The logo may be pixelated, stretched, or just seem a little off. If the email signature is suspicious, don’t click on any links.

6. Emails with email addresses that are suspicious

You may receive emails that name the sender and appear genuine. However, if you click on, or hover over, the email sender’s name, the full email address can be seen.

Baddies often have email addresses that appear suspicious and don’t fit with the person they’re pretending to be or the company they’re pretending they’re from.

7. Emails that aren't expected

Although we receive emails all the time that we’re not expecting, if you receive an email asking you to do something that may be considered suspicious, and you weren’t expecting that email, this may be a cyber-attack via email.

Again, you can call or speak to the person the email is from to determine whether the email is genuine.

8. Emails from clients saying there are last-minute changes

Just like with AML, emails that ask for last-minute changes, such as changes to the amount to be transferred or changes to the bank details, are suspicious.

Pick up the phone and speak to the client before you carry out any changes that the email suggests. Last-minute changes can be a red flag, so make sure you do your due diligence.

9. Emails on Friday afternoons

In conveyancing, a lot of completions take place on a Friday afternoon. As it’s the end of the week and many people are tired and want to get home for the weekend, it’s when baddies know lawyers are at their most vulnerable. Therefore, a lot of cyber-attacks via email take place on a Friday afternoon. This is called ‘Friday Afternoon Fraud’.

Therefore, make sure you continue to be vigilant on a Friday afternoon. Never act on impulse and get dragged into the urgency of an email, and treat all emails with caution.
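For firms that want their IT team to pre-screen incoming mail, several of the signs above (2, 4, 6, 8 and 9) can be checked automatically. The sketch below is an added example, not code from the SRA or from this blog; the known-sender list, the keyword patterns, the flag names and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
# Assumption: the firm maintains its own map of known sender names to real domains.
KNOWN_SENDERS = {"smith & co solicitors": "smithco.example"}
URGENT = re.compile(r"\b(urgent(ly)?|immediately|today|within \d+ hours?)\b", re.I)
BANK_CHANGE = re.compile(r"\b(changed|new|updated)\b.{0,40}\b(bank|account) details\b", re.I)

def triage(raw):
    """Return the warning signs found in one raw plain-text email message."""
    msg = message_from_string(raw)
    flags = []
    # Sign 6: the display name claims a known sender, the real address does not match.
    name, addr = parseaddr(msg.get("From", ""))
    dom = addr.rsplit("@", 1)[-1].lower()
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and dom != expected and not dom.endswith("." + expected):
        flags.append("sender-domain-mismatch")
    text = msg.get("Subject", "") + "\n" + str(msg.get_payload())
    # Signs 2 and 8: a request to use changed bank details.
    if BANK_CHANGE.search(text):
        flags.append("bank-details-change")
    # Sign 4: pressure to act quickly.
    if URGENT.search(text):
        flags.append("urgency")
    # Sign 9: sent on a Friday afternoon (in the time zone the sender states).
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        if sent.weekday() == 4 and sent.hour >= 12:
            flags.append("friday-afternoon")
    except (TypeError, ValueError):
        pass  # missing or unparseable Date header
    return flags

# Constructed sample messages, not real mail.
SUSPICIOUS = """\
From: "Smith & Co Solicitors" <accounts@smithco-payments.example>
Subject: URGENT: updated bank details for completion
Date: Fri, 14 Jul 2023 15:42:00 +0100

We have changed our bank details. Please transfer the completion funds today.
"""
BENIGN = """\
From: "Smith & Co Solicitors" <j.smith@smithco.example>
Subject: Draft contract attached
Date: Tue, 11 Jul 2023 10:05:00 +0100

The draft contract is attached for your review.
"""
```

A flag is a prompt to verify the request through an independent channel before acting, not proof of fraud; an email sent from a genuinely compromised account will pass the sender check.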

Does a telephone call to the sender prevent a cyber-attack via email?

The clear and simple answer is no. The tactics of scammers are becoming more sophisticated and sometimes, you can make a call to the sender to check if the email is real, and actually end up speaking to the baddie!

When you get a phone number to call, you should also do your due diligence on that phone number. Check their website, check directories and do internet searches on the phone number to check if it’s genuine. If the phone number isn’t the genuine phone number of the genuine person, you’re more likely to find an inconsistency somewhere.

It’s important to note that there have been times when numbers appear genuine, even after due diligence checks. So, you really need to watch out for the other signs and be extremely cautious.

If you’ve fallen victim to a cyber-attack via email and transferred funds, can the recipient’s bank help?

If you find out you’ve fallen victim to one of these scams and transferred funds, the speed of your response is extremely important.

Don’t wait for your bank to contact the recipient’s bank. Find out which bank the money has been transferred to, by checking the sort code. Then, phone that bank, explain the situation, and ask them to put a hold on the recipient’s account. Although the recipient’s bank is under no obligation to do this for you, you may get someone on the line who’s willing to cooperate with you.

Remember, you don’t have days to stop the recipient from taking money from their account, but hours or even minutes. If you leave it too long, the baddies are likely to have cleared that account and you’re unlikely to ever see that money again.

Preparing for a cyber-attack

Even with every preventative measure in place, cyber-attacks can still happen. That’s why it’s extremely important to have a process in place in the event that one does happen.

We’ve prepared a useful guide on preparing for a cyber-attack which you may find helpful.

Get in touch

If you need advice or would like to talk to us about one of our products or services, simply get in touch and one of our experts will be happy to help.
