Blogs


How to detect a cyber-attack via email at your law firm

The SRA recently confirmed that 100% of the reports of cybercrime they had came from email fraud. In addition, 98% targeted conveyancing, as it’s easier for fraudsters or baddies to try to divert large sums of money in this area of law. It’s therefore hugely important that law firms understand how to detect a cyber-attack via email.

This blog explores the various signs to identify suspicious emails that may lead to a cyber-attack via email.

Why do scammers want to access your email account?

Before looking at how to detect a cyber-attack via email, it’s important you understand why baddies want access to your email account.

When they have access to your email account, they can see emails that have come in and gone out of your account. This will give them access to a wide range of data.

This is especially dangerous for law firms as it could include details of transactions that are about to be made, together with personal details of those involved in the transactions. This could significantly help them when they’re trying to commit fraud.

Having access to your email account will also mean the baddies will have access to your calendar. If they’re planning to send fraudulent emails from your account, it’s more likely that they’ll do it when they know you’re not going to be online. That way, there’s more chance of you not noticing suspicious activity until it’s too late, and the damage has already been done.

What are the signs to identify suspicious emails that may lead to a cyber-attack?

When looking at how to detect a cyber-attack via email, there are numerous signs to look out for.

1. Emails with links asking you to sign into your account

The easiest and most common way for baddies to access your email account is by sending you a link, asking you to sign into your account. There are many different ways they do this. It might be an email from an account that appears to be Microsoft or Google, asking you to re-enter your password via a link. It might be an email from another source asking you to log into your email from a link, so you can sign a document. Even if it’s from an email sender you know and trust, their email account may have been hacked.

When you click on these links, the pages you go to are not genuine and instead of logging into your account, your details are stored. So, avoid clicking on these links in emails.

2. Emails saying that bank account details have changed

You’ll no doubt have heard about, or even received, emails that say things like “we’ve just changed our bank details”. Again, even if you trust the sender as you know them, they too may have been hacked, so it’s important to verify this. Give the person a call but don’t use the phone number on the suspicious email.

If you don’t verify this and it is the baddie’s bank account, it’s unlikely that you’ll see that money again.

3. Emails not in the style you'd expect from the sender

When you receive emails from suppliers, colleagues, clients, friends or family, usually, they tend to have their own style, using specific language and terminology. If you receive an email from someone you know, and it doesn’t use the style you’d expect from them, you should consider the email suspicious.

Again, try to authenticate the email by speaking to them, but if you call them, don’t use the number on the suspicious email. Remember, the email might be coming from the genuine sender’s account, but it doesn’t mean it’s them.

Detecting a cyber-attack via email from someone you don’t know, whose style you can’t compare against, can be trickier. However, you can still consider the style. For example, if it was coming from a lawyer from another company, are they correctly using legal terminology?

Regardless, if anyone is asking you to transfer money, or do something else which may lead to fraud, think twice!

4. Emails with a sense of urgency

Many baddies send emails that ask you to do something as a matter of urgency. This could be something such as, your account will be deleted, or you’ll be fined if you don’t pay within a short space of time. They may even send emails posing as a manager from your business, asking you to transfer money, for example, saying they’re stuck in a conference and urgently need to make a payment, but their card is blocked.

Baddies want you to panic. They know you don’t want accounts to be deleted, get fined, or get in trouble at work, so you’re likely to take action quickly, as you’ve had little time to think.

The SRA recently said that 82% of the breaches that had been reported to them were as a result of human error, due to being under pressure. Therefore, if an email suggests you make a transaction quickly, don’t panic, think twice and do your due diligence.

5. Emails with signatures that are not quite right

Many baddies pose as reputable organisations, such as Gov UK, Royal Mail, high street banks, etc. Therefore, they include an email signature from that organisation, which often includes a logo.

It’s important to always check the email signature as there can be clear signs in detecting a cyber-attack. The signature and disclaimer may not use the right language or terminology or may even have spelling errors. The logo may be pixelated, stretched, or just seem a little off. If the email signature is suspicious, don’t click on any links.

6. Emails with email addresses that are suspicious

You may receive emails that name the sender and appear genuine. However, if you click on, or hover over, the email sender’s name, the full email address can be seen.

Baddies often have email addresses that appear suspicious and don’t fit with the person they’re pretending to be or the company they’re pretending they’re from.

7. Emails that aren't expected

Although we receive emails all the time that we’re not expecting, if you receive an email asking you to do something that may be considered suspicious, and you weren’t expecting that email, this may be a cyber-attack via email.

Again, you can call or speak to the person the email is from to determine whether the email is genuine.

8. Emails from clients saying there are last-minute changes

Just like with AML, emails that ask for last-minute changes, such as changes to the amount to be transferred, or changes to the bank details are suspicious.

Pick up the phone and speak to the client before you carry out any changes that the email suggests. Last-minute changes can be a red flag, so make sure you do your due diligence.

9. Emails on Friday afternoons

In conveyancing, a lot of completions take place on a Friday afternoon. As it’s the end of the week and many people are tired and want to get home for the weekend, it’s when baddies know lawyers are at their most vulnerable. Therefore, a lot of cyber-attacks via email take place on a Friday afternoon. This is called ‘Friday Afternoon Fraud’.

Therefore, make sure you continue to be vigilant on a Friday afternoon. Never act on impulse and get dragged into the urgency of an email, and treat all emails with caution.
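Several of the signs above (1, 2, 4, 6 and 9) can also be checked automatically before a message reaches a fee earner. The following is an added example, not part of the original blog: the sample message, every domain, and the `KNOWN_SENDERS` list are constructed, and the Reply-To comparison goes slightly beyond the signs listed.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: counterparties and the domain each is known to send
# from (verified out of band, never copied from an incoming email).
KNOWN_SENDERS = {"smith & co solicitors": "smith-co.example"}

BANK_CHANGE = re.compile(r"(changed|new|updated|revised)\b[^.]{0,40}\b(bank|account|sort code)", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|within \d+ (hours?|minutes?))\b", re.I)
SIGN_IN = re.compile(r"sign[\s-]?in|log[\s-]?in|password|verify your account", re.I)

# Constructed sample message; not a real email.
SAMPLE = """\
From: "Smith & Co Solicitors" <accounts@smith-co-solicitors.example.net>
Reply-To: completions@mailbox.example.org
To: conveyancer@yourfirm.example
Subject: URGENT: updated bank details for today's completion
Date: Fri, 14 Jun 2024 15:42:00 +0100
Content-Type: text/html; charset="utf-8"

<p>We've just changed our bank details. Please pay immediately.</p>
<p><a href="https://docs-portal.example.org/signin">Sign in to view the document</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs so the real target can be shown."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return {flag: detail} for each warning sign found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = {}

    # Sign 6: the display name claims a known organisation, the address does not match.
    senders = msg["From"].addresses if msg["From"] else ()
    name = senders[0].display_name if senders else ""
    sender_domain = senders[0].domain.lower() if senders else ""
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and sender_domain != expected:
        flags["sender_domain"] = f"{name!r} normally sends from {expected}, not {sender_domain}"

    # Replies silently routed to a different domain than the visible sender.
    replies = msg["Reply-To"].addresses if msg["Reply-To"] else ()
    if replies and replies[0].domain.lower() != sender_domain:
        flags["reply_to"] = f"replies go to {replies[0].domain.lower()}"

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = f"{msg['Subject'] or ''}\n{body}"
    if BANK_CHANGE.search(text):        # signs 2 and 8
        flags["bank_details_change"] = "mentions new or changed bank details"
    if URGENCY.search(text):            # sign 4
        flags["urgency"] = "pressures the reader to act quickly"

    # Sign 1: a link that asks the reader to sign in; report where it really goes.
    collector = LinkCollector()
    collector.feed(body)
    for href, label in collector.links:
        if SIGN_IN.search(href) or SIGN_IN.search(label):
            flags["sign_in_link"] = f"link leads to {urlparse(href).hostname}"

    # Sign 9: sent on a Friday afternoon (the Date header is sender-supplied).
    sent = msg["Date"].datetime if msg["Date"] else None
    if sent and sent.weekday() == 4 and sent.hour >= 12:
        flags["friday_afternoon"] = sent.strftime("%H:%M")
    return flags


if __name__ == "__main__":
    for flag, detail in triage(SAMPLE).items():
        print(f"{flag}: {detail}")
```

A flagged message still needs the human checks described above; an empty result does not mean the email is genuine, since a compromised genuine account passes the sender checks.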

Does a telephone call to the sender prevent a cyber-attack via email?

The clear and simple answer is no. The tactics of scammers are becoming more sophisticated and sometimes, you can make a call to the sender to check if the email is real, and actually end up speaking to the baddie!

When you get a phone number to call, you should also do your due diligence on that phone number. Check their website, check directories and do internet searches on the phone number to check if it’s genuine. If the phone number isn’t the genuine phone number of the genuine person, you’re more likely to find an inconsistency somewhere.

It’s important to note that there have been times when numbers appear genuine, even after due diligence checks. So, you really need to watch out for the other signs and be extremely cautious.

If you’ve fallen victim to a cyber-attack via email and transferred funds, can the recipient’s bank help?

If you find out you’ve fallen victim to one of these scams and transferred funds, the speed of your response is extremely important.

Don’t wait for your bank to contact the recipient’s bank. Find out which bank the money has been transferred to, by checking the sort code. Then, phone that bank, explain the situation, and ask them to put a hold on the recipient’s account. Although the recipient’s bank is under no obligation to do this for you, you may get someone on the line who’s willing to cooperate with you.

Remember, you don’t have days to stop the recipient from taking money from their account, but hours or even minutes. If you leave it too long, the baddies are likely to have cleared that account and you’re unlikely to ever see that money again.

Preparing for a cyber-attack

With every preventative measure in place, cyber-attacks can still happen. That’s why it’s extremely important to have a process in place in the event that one does happen.

We’ve prepared a useful guide on preparing for a cyber-attack which you may find helpful.

Get in touch

If you need advice or would like to talk to us about one of our products or services, simply get in touch and one of our experts will be happy to help.


The challenges of compliance legal tech

Leveraging compliance legal tech enables lawyers to get on with doing what they do best. It should be considered a partnership, with technology doing some of the heavy lifting involved in the daily administrative tasks that eat into lawyers’ billable hours.   

Although many advancements have been made in recent years, there are still challenges that are faced by law firms when adopting compliance legal tech.  

How has law firms’ appetite for legal tech changed since the pandemic?

Of course, the pandemic expedited many law firms’ plans to digitise the operations side of their practice. They had to find legal tech solutions overnight, such as digital postroom services, AML, KYC, and digital onboarding solutions, to enable their business to move to a ‘working from home’ environment.  

As a result, legal tech solutions were implemented with an urgency bias, so their appetite for tech was based on survival. It wasn’t necessarily about solving the problems they already had, it was about finding a way for firms to continue with as little interruption as possible.  

The legal tech implemented at the time was able to fulfil that need. However, what many firms are now left with is a number of digitised processes that often don’t speak to each other, and all need to be managed individually. This can be extremely time-consuming and complex.  

Therefore, the appetite law firms have for compliance legal tech has now changed. They were able to see how the legal tech worked for them during the pandemic in order for them to survive, and they’re now looking at it strategically. They want consolidation, and to build a future-proofed data and application ecosystem that’s incredibly strong.  

With teams now working differently – some working hybrid, some working from home, and some full-time in the office – law firms need to make sure there’s a collaborative tool so everyone can keep their fingers on the pulse.  

How has legal tech changed consumers’ expectations since the pandemic?

You’ll no doubt have read stories in the early days of the pandemic about people meeting in car parks to sign deeds over a car bonnet. In the digital world we were living in, this didn’t provide clients with a positive legal experience.  

As law firms adapted to the pandemic by implementing new legal tech, clients were able to see how legal tasks could be done immediately and recognised the significant benefits. This has obviously increased consumers’ expectations of tech within the legal sector.  

Consumers’ increased expectations have given rise to suppliers and other organisations within the legal sector to look at improving processes through legal tech. With more refined legal tech being implemented, the challenge law firms have now is how to link all these processes together effectively and make compliance processes seamless for their lawyers, and also their clients.  

There are already some systems that make the onboarding process easy for consumers. Clients no longer have to find time in their lunch hour to take their documents into a solicitors’ office or find someone to certify them. However, if the next part of the client’s journey isn’t similarly optimised, and they still have to go into the office to sign documents or get an update, this is unlikely to meet their expectations.  

Consumers are aware of how technology can make life easier for them, through tracking progress on particular purchases. For example, if they order a Domino’s pizza, they can track where the order is up to and when it’s due to be delivered; if they order an Uber, they can track the driver’s whereabouts and how far away they are. This is what consumers have come to expect from technology, and compliance legal tech should be addressing this and how clients’ expectations can be met.  

What challenges are law firms facing when it comes to compliance legal tech?

There are a number of challenges now being faced by law firms when it comes to compliance legal tech. 

1. Legal tech buying cycles

One of the challenges faced by law firms relates to the way buying cycles work for technology. It’s quite tempting for law firms to buy individual tech solutions one at a time to solve specific problems as they arise. However, this is causing issues.  

Contracts for legal tech can lock you in for years. Imagine you have one legal tech solution that ties you in for three years. Then, a year later, another problem arises needing a different tech solution, and this ties you in for three years. The more this goes on, how are you ever going to be able to join the dots and get all of your tech working together? This cycle needs to change.  

In an effort to tackle this challenge, law firms should be clear on what their medium-term core tech and application stack is. Once you’ve worked this out, for example, Microsoft, you can plan for all other tech to fit together and tackle issues when they arise. It sounds simple, but many firms don’t do this and it’s a problem we’re currently hearing a lot about.  

2. Finding the right legal tech solution

There are so many different technological solutions that it’s becoming increasingly difficult for law firms to know where to find the ones that will suit their needs.

The Law Society and the SRA are now working more to signpost firms who are interested in legal tech solutions. But, there’s still more that can be done.   

Whichever solution you consider, it’s important to ensure that it:

  • Solves the problems you face 
  • Is fully compliant  
  • Meets clients’ expectations  

 Our article on finding the right legal tech solution can help when considering technology on the market. 

3. Getting buy-in from lawyers who don’t understand technology

Most often, traditional law firms, particularly high-street firms, don’t have a tech team, and not everyone understands the intricacies of technology. Talking in technology terms can sound alien to most, and something that should be avoided if you want lawyers at your firm to buy into new compliance legal tech.  

The language you use is key when trying to deliver supportive, process-improving technology. Rather than using technology terms, it should be approached from a problem-solving basis, otherwise, you may find yourself just talking into a void. Lawyers are more likely to have an affinity around efficiencies, profitability, client performance, and service standards, as these are the challenges most law firms face.  

You can talk to them about how the proposed new compliance legal tech can help, and the improvements to performance it will bring.  

4. Getting buy-in from law firms that don’t think they’re large enough for legal tech

We often talk about technology for high street firms providing them with an opportunity to level up. That trend has certainly increased over the last few years, especially now we have plug-and-play technologies.  

Several years ago, the sole practitioner of a property practice was able to completely corner the market. This was as a result of her having a direct consumer web interface, a subscription service that clients could log into, and discussion boards. We’re used to this type of interaction these days, but back then, she was way ahead of the curve.  

This just proves that, even back then, you didn’t need huge budgets to benefit from technology. You can still be a contender in a space that you might otherwise have thought was reserved for the larger law firms with bigger budgets. Technology has the potential to unlock so many opportunities.

The types of technology solutions that are emerging now for high street law firms provide them with a much bigger resource and can even put them on the same playing field as online bankers.

How can change management help with the adoption of compliance legal tech?

People don’t necessarily like change as it can be disruptive, so change management needs to be built into any plans when adopting new compliance legal tech. That way, you can ensure you’re meeting expectations, and not just proposing a dream solution that isn’t going to work.  

Having open conversations about the change management process is key to ensuring your staff are onboard. Finding people within your business to champion the change and having them work collaboratively with the software developer is a good way to feed the information back to the rest of the firm.  

One thing that staff get concerned about when it comes to legal tech and AI is the fear that they’ll lose their jobs. Technology is about supporting everyone, not about replacing anyone. If efficiencies can be made, why not let tech do the heavy lifting? That way, the lawyers can get on with doing what they do best.

Over the years, the introduction of technology has already made a massive positive impact on the legal sector. Many conveyancing lawyers will remember that years ago, after completion of property purchases, they had to complete by hand a 20-page Stamp Duty document in black ink. If they got to the last page and made an error, they’d have to start all over again. That specific problem has been solved by tech that we now all use and understand. It’s for the same reason that new legal tech has been introduced – to make efficiencies.  

The reason people train to be lawyers is to become trusted advisors for their clients. The introduction of new technology will enable them to do just that, rather than wasting their time on other tasks that can be done for them. 

Get in touch

If you’d like to talk to us about our latest compliance legal tech, Teal Tracker, simply contact us and we’ll arrange for you to have a demo.


How to spot the signs of human trafficking

Human trafficking, second only to drug trafficking, stands as one of the fastest-growing illegal enterprises worldwide. If we look beyond the immense human costs, it becomes evident that where human trafficking occurs, money changes hands. Law firms can play their part by serving as another line of defence against these terrible crimes by understanding how to spot the signs of human trafficking. 

Given the huge scale and pervasiveness of human trafficking, it’s essential for businesses to be proactive in identifying and addressing this issue within their supply chains. By not understanding how to identify the signs of human trafficking, we can inadvertently expose ourselves to significant risks. It falls upon all of us to make a collective decision not to let this happen on our watch, and to be alert to the red flags that indicate where human slavery may be taking place. 

In this article, we’ll delve into the critical topic of how to spot the signs of human trafficking. As compliance officers and lawyers, your role in combating this heinous crime and its connection to money laundering is vital. By familiarising yourselves with the signs, you can contribute to early detection and intervention, making a difference in the fight against human trafficking.  

The true extent of human trafficking

The true scale and cost of the crime is unknown. The Centre for Social Justice estimates that there are around 100,000 people in the UK in modern slavery, but this figure could just be the tip of the iceberg.  

An annual report from anti-slavery charity, Unseen, shows a 116% increase in calls to its UK Modern Slavery & Exploitation Helpline in 2022 compared to 2021.  

These figures present a bleak reality, exposing the widespread presence of human trafficking in our society. It’s a crime that operates ‘hidden in plain sight’, often occurring right before our eyes. 

The link between money laundering and human trafficking further amplifies the urgency of addressing this issue. A joint report by the Financial Action Task Force (FATF) and the Asia/Pacific Group on Money Laundering (AGF) revealed that this form of crime generates an estimated $150 billion in illicit profits annually. This is a staggering increase of $32 billion compared to a previous report in 2011. These profits stem from the criminal enslavement and exploitation of individuals worldwide. 

The breeding ground for human trafficking lies in the demand for cheap goods, cheap labour, and cheap sex. This exploitative industry thrives on the vulnerability of its victims and perpetuates their suffering. Shockingly, it remains one of the world’s most under-reported crimes, with countless victims suffering in silence. 

Efforts to combat human trafficking have included innovative campaigns, such as the app campaign supported by London’s 10,000 Taxi Drivers. This initiative aimed to eradicate modern slavery in hand car washes by equipping drivers with indicators of forced labour through an app. By raising awareness of the signs of human trafficking and empowering individuals to identify these signs of exploitation, we can collectively work towards dismantling human trafficking networks and providing support to those in need. 

Understanding the link between human trafficking and money laundering

Before we dive into the signs of human trafficking, it’s crucial to grasp the intricate connection between this heinous crime and money laundering. Criminals who engage in human trafficking have a sinister objective not only to exploit vulnerable individuals, but also to conceal the illicit proceeds generated from their abhorrent practices. This is where money laundering comes into play, serving as a tool for these criminals to disguise the origins of their ill-gotten gains and make it exceedingly challenging for law enforcement agencies to trace and intervene. 

Money laundering serves as a critical enabler for human trafficking networks, allowing them to legitimise their illegal profits and integrate them into the formal financial system. By laundering the money, traffickers can create a façade of legitimacy, making it difficult to distinguish between the proceeds from their criminal activities and lawful financial transactions. 

By linking human trafficking and money laundering, criminals not only profit from their exploitative activities, but also further perpetuate the cycle of abuse. The vast amounts of money generated from trafficking are used to fuel other criminal enterprises, perpetuating a cycle of crime that spans across borders and jurisdictions. 

Understanding this intricate connection between human trafficking and money laundering is essential for law firms. By recognising the signs of human trafficking, you can also be on the lookout for potential money laundering activities intertwined with this crime. By identifying and reporting suspicious financial transactions or patterns, you become an essential part of the collective effort to disrupt and dismantle these criminal networks.

Understanding the types of human trafficking

Human trafficking involves the deplorable trade of individuals, exploiting them for various purposes, including forced labour, sexual slavery, or commercial sexual exploitation, all serving the interests of the traffickers or others involved.   

The scope of human trafficking extends to horrifying practices such as forced marriages, organ trafficking, and even people smuggling. By understanding the different types of human trafficking, we can better identify the signs and take appropriate action. There are six primary types of human trafficking. 

1. Trafficking for forced labour

This type of trafficking involves the coercion or deception of individuals for forced labour, often in industries such as agriculture, construction, domestic work, manufacturing, or the service sector. Victims are subjected to exploitative working conditions, long hours, minimal pay, and restricted freedom. 

2. Trafficking for forced criminal activities

Traffickers may force individuals, including children, into criminal activities such as drug trafficking, theft, or begging. These victims are often vulnerable and coerced through threats, manipulation, or violence, to participate in illegal activities against their will. 

3. Trafficking for sexual exploitation

This form of trafficking primarily targets women and girls who are coerced or deceived into engaging in commercial sexual activities against their consent. Victims are subjected to physical and emotional abuse, exploitation, and a loss of autonomy over their bodies and lives.

4. Trafficking for the removal of organs

Human trafficking for organ removal involves the illegal trade of organs and tissues, often through the coercion or abduction of individuals. Traffickers exploit the desperation of those in need of organ transplants, causing immense harm to the victims and risking their lives. 

5. Forced marriages

Traffickers can also exploit vulnerable individuals by forcing them into marriage. Victims can be used in this way for the benefit of others who want to enter a country or get access to benefits. It often involves sexual exploitation or servitude.

6. People smuggling

People smuggling refers to the facilitation of illegal entry or transportation of individuals across borders, often involving unauthorised and unsafe means. While distinct from human trafficking, it’s important to recognise the potential overlap, as vulnerable individuals may be subjected to exploitation and abuse during the smuggling process. 

By familiarising ourselves with these different types of human trafficking, we can broaden our understanding of the breadth and depth of this horrendous crime.  

The signs of human trafficking

Identifying the signs of human trafficking is important. There are some specific red flags that lawyers and compliance officers should be aware of when it comes to human trafficking and money laundering.

While these indicators aren’t definitive proof, they can raise suspicion and warrant further investigation. Here are some potential red flags to keep in mind.  

1. Financial transactions 

There are a number of red flags to look out for in financial transactions, such as:  

  • High volume deposits through bank accounts and immediate withdrawals from border towns 
  • Ongoing ATM/ credit card transactions in even amounts between 10pm and 6am 
  • Credit card payments to online escort services for advertising 

2. Business account activity 

When looking at the activity of a business account, signs may include:  

  • Sudden activity changes in business accounts outside of the client’s expected profile 
  • Structured cash deposits at multiple bank branch locations

3. Employment practices 

Red flags in employment practices may include:  

  • Workers’ contracts not readily available in a corporate transaction 
  • Observations during client visits, such as the employment of large numbers of migrant workers or the presence of children in and around the premises 

4. Behavioural signs 

There are behavioural signs that may cause suspicion, such as: 

  • Signs such as fearfulness, avoiding eye contact 
  • Hesitancy to talk to strangers 

5. Physical signs 

Certain physical signs of victims may also cause suspicion, as victims may:  

  • Appear to be isolated and rarely allowed to travel on their own 
  • Not possess passports or identification documents that would allow them to travel freely

6. Financial data and due diligence

Law firms that hold financial data as part of their anti-money laundering (AML) checks or during due diligence on a transaction may have an opportunity to spot red flags and gather information that could provide a clearer picture of a potential criminal or money launderer. 

Being alert to the signs of human trafficking is crucial in combating this horrific crime and its connections to money laundering. By familiarising yourself with the potential red flags and incorporating them into your compliance efforts, you can contribute to the early detection and prevention of human trafficking activities.  

If you suspect any form of modern slavery is taking place within your supply chain, or you suspect your client may be involved, flag it immediately with the person responsible for dealing with it at your firm. 

Educating your team and enhancing due diligence

Ensure that your compliance team receives comprehensive training on the signs of human trafficking. By integrating these best practices into your due diligence processes, you can further mitigate the risk of inadvertently supporting human trafficking or money laundering activities. 

You have a crucial role in combating human trafficking and its connection to money laundering. By familiarising yourself with the signs of human trafficking, reporting suspicious activity, and promoting awareness within your organisation, you contribute to a safer society and uphold the values of legal compliance. Remember, every action counts, and together we can make a difference. Stay vigilant, stay informed, and let’s end human trafficking. 

Get in touch

We work with law firms to ensure that anti-money laundering procedures and controls are in place. We also offer practical AML training for all staff, as well as specialist courses for those responsible for compliance. 

If you’d like to speak to one of our experts about how we can help, simply get in touch. 


What are matter based risk assessments?

Matter-based risk assessments were introduced in the 2017 Money Laundering Regulations (MLR). Fundamentally, the idea is you’re supposed to look at the client and matter, and decide how risky it is for money laundering or terrorist financing. You can then decide on the amount of client due diligence (CDD) you need to do. This is what the matter-based risk assessments are for.

There has been some high-level feedback on the struggles that lawyers are having with the introduction, given that they were all doing CDD before. Firms already had processes and procedures in place which didn’t include this step, and it’s been difficult to try and include it. Nevertheless, this is now the law.

By now, you’ll no doubt have a new process in place that includes matter-based risk assessments. However, this article will help you determine whether your new process is compliant and is going to work.

What does the law say about matter-based risk assessments?

The matter-based risk assessments regulation sits at Regulation 28(12)(a) of the MLR. It states:

“The ways in which a person complies with the requirements to take CDD measures must reflect:

  • The firm’s risk assessment
  • Its assessment of the level of risk arising in any particular case”

The first thing you should be aware of when you look at this is that it was primarily written for banks. When banks talk about commencing a business relationship, that means someone opening a bank account. When someone has an account, they can make what constitute regulated transactions whenever they want through their bank account.

In the legal sector, this is slightly different. People can’t do transactions using lawyers without them knowing about it. So, the approach taken by banks would be to do a client-based risk assessment when an account is first opened, take the information they have, and set up something called ‘transaction monitoring’. Transaction monitoring is where they would use software to monitor certain behaviours and when something looks odd, this would trigger an alert of possible fraud and may block the account.

When the Regulation talks about ‘the level of risk arising in any particular case’, it’s talking about an account facet of the business relationship. For lawyers, although it doesn’t actually say the word ‘matters’, it means matters.

CDD is a matter-based activity, and the ‘CDD measures’ mentioned in the Regulation come in five parts:

  1. Matter risk assessment
  2. Identify the client
  3. Verify the client
  4. Purpose and nature checks (this is where the source of funds and source of wealth lives)
  5. Ongoing monitoring

So, to complete your CDD measures, you need to make sure that you’re approaching your purpose and nature checks on a matter-by-matter basis. You can return to the same client risk assessment, but you also have to add the particular factors of each matter, if there are any, into the risk assessment.

What does the SRA say about matter-based risk assessments?

The SRA did some work reviewing a number of files in 2019/2020. From that, they commented on the Regulation involving matter-based risk assessments, which included:

  • 29% of the files didn’t have a written matter risk assessment: Although the Regulation doesn’t specifically say it has to be written down, it’s clear that the Regulators are looking to see a written record.
  • There was no conclusion following the risk assessment: This is something we see quite a lot, although it’s unclear why this is the case.
  • Conflict with the firm’s risk assessment: Remember, it states in the Regulation that it must reflect ‘the firm’s risk assessment’. Therefore, if your firm’s risk assessment states that a particular department is high-risk, and you determine that a matter for that department is low-risk, it’s not consistent and they’ll pick up on this.
  • Assumption the E-ID system did it for them: There are systems that incorporate this as part of the process, but one of the things that the regulator is aware of is the over-reliance on technology.

The SRA expects fee earners to know how to do matter-based risk assessments properly. These must reflect the firm’s risk assessment, as there shouldn’t be a conflict between the two documents.

What part of matter-based risk assessments are causing lawyers to struggle?

One of the biggest issues we’ve seen is many lawyers are not sure of the purpose of completing a matter-based risk assessment. Although we’ve found that many law firms do have policies in place confirming that matter-based risk assessments are mandatory, there are still blank and incomplete forms on the files.

There are instances when risk assessments have been completed at the start of the matter. However, as further information is gathered, such as the source of funds and source of wealth, or further CDD, the risk assessments aren’t revisited and updated.

Another issue we’ve come across relates to risk assessments being completed to an extent, and the risks are rated low, medium, or high. However, there’s no narrative behind the risk rating, so it’s impossible to see how they’ve come to this conclusion.

Overall, many lawyers tend to carry out risk assessments, but the information they’ve gathered is all in their heads, and in many cases, there’s a failure to write anything down, and this is essential.

Carrying out risk assessments correctly is extremely important because, if the SRA carry out an audit on your files, they need to see that you’ve actually considered the risks, recognised any red flags, and identified what level of due diligence should be done for that client.

Considering practice or firm-wide risk assessments

There can’t be a conflict between your matter-based risk assessment and your practice or firm-wide risk assessment. It’s therefore important that you get your firm’s risk assessment right.

Your practice or firm-wide risk assessment needs to reflect the National Risk Assessment. This has the following as high-risk:

  • Trust and company service provision: Creation of trust, creation of companies, company secretarial work, and trust administration work are considered high-risk
  • Conveyancing: Both residential conveyancing and commercial property are considered high-risk
  • Misuse of client account: Anything going through the client account is considered high-risk
  • Sham litigation: Although generally litigation is low-risk, sham litigation is an arrangement that’s considered high-risk

As well as reflecting the National Risk Assessment, your firm risk assessment also has to reflect the Regulator Sectoral Risk Assessment.

Considering client risk

The Regulation itself gives you an indication of what high-risk sectors are, such as oil, arms, precious metals, tobacco products, cultural artefacts and ivory. If a client operates in these sectors, they would be considered high-risk clients.

Clients who operate in cash-intensive businesses are also high-risk. These include businesses such as nail bars, car washes, barbers, fast food, and any businesses where people would legitimately pay in cash. Baddies often open businesses like these to launder their dirty money together with the legitimate cash earned.

Politically exposed people (PEPs) are also considered high-risk. The law doesn’t give you much wriggle room in this area. If a client is a politically exposed person and does a certain job, this is high-risk.

The Financial Action Task Force (FATF) issues a list of jurisdictions where there’s a particular concern with their ability to handle anti-money laundering. This list is the high-risk third countries list. As FATF can’t take at face value that money from those jurisdictions is genuine, everyone dealing with that money has to check. This is why enhanced due diligence is required on high-risk third countries.

Considering matter risk

There has been a recent change in the MLR relating to matter risk. Regulation 19(4)(a)(i)(aa) did state:

“a transaction is complex or unusually large, and there is an unusual pattern of transactions, and…”

This has now changed to:

“a transaction is complex or unusually large, or there is an unusual pattern of transactions, or…”

You’ll note that the word ‘and’ has changed to ‘or’. When the word ‘and’ was included, it suggested that there would need to be a combination of things for it to trigger. However, this is not the case.

We’ve noticed that many firms still have the word ‘and’ in their policies, and therefore their matter risk assessment process is looking for a combination rather than any individual factor. So, when lawyers are doing a risk assessment on a matter that is complex, is unusually large, has an unusual pattern of transactions, or has no economic or legal purpose, each of these factors needs to trigger individually.

So, make sure you check your policies and make any necessary changes.

What does LSAG say about matter-based risk assessments?

Each regulator used to publish their own guidance. However, in 2017 the regulators got together and formed the Legal Sector Affinity Group (LSAG). LSAG then produced one set of guidance, the LSAG guidance, to be used across the sector.

The LSAG guidance confirms that matter-based risk assessments should not be a tick-box exercise. In summary, the guidance:

  • Talks about risk ratings
  • Allows a template for similar cases, but it must not become a tick-box exercise
  • Says you should assess and have regard to negative news results
  • Suggests reviewing matter-based risk assessments on long-running matters – however, it doesn’t give an interval for how regular that should be
  • Focuses on recording the reasoning for the assessment
  • Says you should record why you’ve picked the CDD approach

When should you revisit matter-based risk assessments?

We know that there are things you simply can’t answer at the beginning of a case when completing a matter-based risk assessment. That’s why the matter-based risk assessment should be for the life of the file and not just a file-opening exercise.

Therefore, you need to consider all the stages where a matter-based risk assessment is needed. There are three particular stages when we believe this needs to be considered.

  1. When you’ve had an initial conversation with the client. You’ll have as much information as possible and are deciding whether there are any factors from the conversation that are causes for concern. This will determine what level of CDD you should do.
  2. When you’re undertaking CDD. Once you’ve received the documents from the client to undertake CDD, what you receive will either change your initial risk assessment or back it up. In reality, it’s only at this stage that you can do a proper risk assessment as you’ll now have all the CDD information.
  3. Before you potentially launder money. The last point at which to undertake a risk assessment is just before you do anything which could be laundering money. You should stop, revisit your risk assessment and update it before you potentially launder money.

It’s extremely important that you write everything down on your file. If it’s not written down, how are you going to prove that you’ve done it if something goes wrong? Regulators need to see that you’ve covered everything.

What help can be given to lawyers on matter-based risk assessments?

One way of ensuring lawyers complete a risk assessment in the first place is to make it mandatory in order for the file to be opened. However, although this helps ensure they complete one initially, they may only partially complete it or may not revisit and update it at key points of the case. We therefore suggest a three-step approach.

  1. Training: Training is key. Lawyers need to understand the importance of risk assessments, and ensuring they receive good-quality training can help significantly to drive that point home.
  2. File Reviews: A good way for firms to determine how lawyers are doing with their matter-based risk assessments is through file reviews. You’ll have a chance to discuss any specific issues and identify if there are specific departments that are struggling. This will allow you to revisit the training with them when it’s needed.
  3. Firm-wide risk assessment: If you’ve not already shared your firm-wide risk assessment, this may help. Lawyers will be able to see your thought process towards risk in different departments, and this will help them when completing their matter-based risk assessments.

Following this approach should help lawyers complete their matter-based risk assessments moving forward.

Get in touch

If you need any assistance with policy drafting and reviews, AML audits, or training, simply contact us and one of our experts will be in touch.


How to prepare for a cyber attack

Knowing how to prepare for a cyber attack is extremely important. This is especially so when you have a duty to protect your client’s data.

Most of us have faced that dreaded email which sends shivers down your spine. It starts with a simple greeting, but what follows can cause much panic and stress.

“Hi, I’ve received an email from one of your team, and we suspect it may be a scam, I thought you should know.”

The action you take within the first hour of a cyber attack may spare you from potential harm, and allow you to navigate through the intricate web of digital deception unscathed. That’s why knowing how to prepare for a cyber attack is essential.

The reality of cyber attacks

We often find ourselves falling into the trap of thinking a cyber attack will never happen to us. However, the truth is that the landscape has evolved significantly. With the rise of hybrid working and increasingly sophisticated hackers, the potential risks have intensified. It takes just one unsuspecting click on a seemingly harmless link for everything to unravel.

The Cyber Security Breaches Survey 2022 sheds light on the harsh reality of cyber attacks. The findings provide valuable insights into the prevalence, impact, and consequences of these incidents. Key findings from the survey paint a compelling picture of the evolving landscape of threats that businesses and individuals face in the digital age.

1. Prevalence of cyber attacks

The survey reveals that cyber attacks continue to be a significant concern, with a staggering 46% of businesses reporting that they’ve experienced cybersecurity breaches or attacks in the past year. This highlights the pervasive nature of the threat, and the need for heightened vigilance across industries.

2. Financial impact

The financial implications of cyber attacks are substantial, with businesses estimating an average cost of £8,460 for identified breaches. The survey reveals that larger organisations tend to face higher costs, with the average cost reaching £15,000. These financial consequences emphasise the importance of robust cybersecurity measures as a critical investment.

3. Human factors

Human error is still a leading cause of cybersecurity incidents, with phishing attacks being the most prevalent method of compromise. The survey highlights the need for comprehensive training and awareness programmes to empower individuals to recognise and mitigate potential threats effectively.

4. Consequences of cyber attacks

The impact of cyber attacks extends beyond immediate financial losses. Breaches can lead to reputational damage, loss of customer trust, and legal ramifications. The survey underscores the importance of incident response and recovery plans to minimise the long-term consequences of cyber incidents.

5. Proactive measures

The survey highlights the increasing adoption of proactive cybersecurity measures among businesses. This includes implementing cybersecurity policies, conducting regular risk assessments, and investing in security software and hardware. These measures show the growing recognition of the need to prioritise cybersecurity to safeguard sensitive data.

Now more than ever, it’s crucial for organisations to acknowledge the real and imminent dangers posed by cybercriminals. The evolving tactics and techniques employed by these individuals demand heightened awareness, proactive measures, and a collective commitment to cybersecurity.

What to do during a cyber attack

When faced with a cyber attack, you need to understand the urgency of the situation and move swiftly. Within the first hour, you should implement your response plan to contain the issue. We recommend the following proactive steps should be taken within the first hour.

1. Thorough system analysis

Engage an IT expert who specialises in cyber attacks. They’ll meticulously examine your systems to assess the extent of the breach. This comprehensive analysis provides crucial insights into the nature and impact of the attack.

2. Reinforcing security measures

Securing your digital assets is important. So, swiftly take actions such as changing email logins and passwords. Additionally, isolate the data breach to prevent further contamination of your systems, safeguarding the unaffected areas.

3. Strengthening authentication

To fortify your defences, promptly implement 2-factor authentication if you’ve not done so already. This adds an extra layer of security to protect sensitive information and ensure authorised access only.

4. Dedicated support team

To address the concerns and enquiries of your stakeholders, assign a dedicated member of your team to respond promptly and provide accurate information. Their role is crucial in keeping open lines of communication and offering reassurance during the incident.

5. Communication

There’s a need for seamless communication, so make sure you brief your call team. This will ensure there’s an uninterrupted service and a streamlined communication channel for your clients and stakeholders.

6. Transparent communication

Openness and transparency are paramount. We would suggest posting a detailed explanation of the incident on your website, ensuring your clients are informed about the situation.

Simultaneously, send an update to your mailing list. Recommend that anyone who has received the scam email contacts their IT department immediately.

Incidents like these often serve as a stark reminder of the cunning and sophistication of cybercriminals. Despite regular screening of your systems, you can still experience an attack due to the ever-evolving threats we face from the baddies!

How to prepare for a cyber attack

Here are our top three tips on how to prepare for a cyber attack, which will enable you to respond swiftly to a cyber attack situation and ensure effective damage control.

1. Have a comprehensive plan in place

One of the key factors that will enable you to respond quickly is ensuring you have a well-defined disaster recovery plan ready to be implemented as soon as an issue arises.

It’s crucial for every organisation to proactively establish a plan before any potential exploitation occurs. This plan can be as simple as naming a point of contact who’s familiar with disaster recovery protocols and can immediately initiate necessary actions to mitigate further damage.

While the aftermath can be addressed over time, having someone who knows how to promptly secure the systems is essential.

2. Build relationships with cybersecurity experts

In the face of an attack, wasting valuable time searching for reliable cybersecurity professionals is an unfortunate setback. We highly advise establishing connections with competent cyber experts in advance, and having their contact details readily accessible.

By having trusted experts on hand, you can swiftly engage their services during emergencies, minimising response time. This will optimise the chance of a successful resolution. If needed, we’re happy to share the details of our own cybersecurity specialist, whose expertise has been invaluable to us. Get in touch.

3. Prepare clear and transparent communications

When faced with a crisis, it may be tempting to keep the situation under wraps and avoid acknowledging any issues. However, we firmly believe that adopting an open and honest approach is the most effective way to handle such situations.

By being transparent with stakeholders and those who may be affected, firms can prove their commitment to protecting individuals and keeping trust. It’s crucial to have a well-thought-out communication strategy in place, ensuring that key messages are prepared in advance to promptly inform and address concerns.

It’s important to recognise that even major institutions with substantial worth have vulnerabilities and have experienced exploitations, such as ransomware attacks. While it’s impossible to completely avoid all risks, being prepared to handle problems swiftly when they arise is an invaluable skill.

Gaining valuable insights from a cyber attack

One fundamental truth holds: you can’t glean valuable insights from a situation that’s swept under the carpet and hidden from view. By embracing this principle, you can swiftly recognise the approach you should choose, enabling you to draft the necessary wording promptly and issue your message effectively.

When this happened to us, we were able to effectively reflect on the experience. We realised the potential benefits of preparing such communications in advance, as a proactive measure. With this realisation, we’ve now taken proactive steps to create a repository of pre-drafted messages, ensuring we’re better equipped for any future challenges that may arise.

We were also reminded of the strength and resilience that lies within our network. It was the collective watchfulness and genuine care of individuals in our community that helped to fortify our defences against cyber threats.

While we sincerely hope that you never encounter a day like the one we experienced, we believe that preparation is key. Having a well-defined plan in place in advance will undoubtedly enhance your readiness and ability to navigate unforeseen circumstances.

Get in touch

As data protection experts, we work with firms to ensure that procedures and controls are in place to protect the data they process. We offer training courses for staff on protecting clients and themselves from cybercrime and data loss. If you’d like to speak to one of Teal’s experts about how we can help, simply get in touch.


What’s the regulator guidance on source of funds and source of wealth?

Source of funds and source of wealth can be tricky because the regime we have is risk based. It’s not just about making sure you get bank statements. It’s also about the enquiries you make, the evidence you see, and what regulators think when looking at the work you’ve done.

Regulators want to know whether firms are doing this properly or not. Initially, the regulators were interested in firm-based risk assessments: did firms have one, and did they assess the money laundering risks the firm was exposed to? They were then interested in whether law firms had their policies, controls and procedures in place.

Now, they’re looking at whether law firms are completing matter risk assessments. This is to ensure they have the right foundations for assessing the money laundering risks the firm is exposed to in respect of each matter. They’re also looking at identification and verification, including what checks you are doing, and what negative news you are looking at.

Eventually the focus will shift to source of funds and source of wealth. This is because you can’t stop money laundering by getting passports and utility bills. You can only stop money laundering by not moving dirty money. The enquiries you make in relation to source of funds and source of wealth are pivotal to the success of an AML programme. Therefore, I anticipate that regulators will start putting quite a lot of focus on that, on the basis that everything else is in place.

You can have perfect policies and procedures, with all boxes ticked. However, if a regulator can’t pick up a file and understand the source of funds and source of wealth work that’s been done, this is an issue. There therefore needs to be a proper process in place.

What’s the difference between source of funds and source of wealth?

Source of funds relates to where the funds of a transaction are coming from. You therefore need to consider what activity generated the funds, for example, salary, trading revenues or payments out of a trust. It relates directly to the economic origin of funds to be used in a transaction. Given funds are likely to be received via a bank account, source of funds would generally be evidenced by bank statements.

Source of wealth relates to how and why an individual has their wealth. You need to consider what activity generated their wealth, for example business ownership, inheritance or investments. Source of wealth can be investigated by taking reasonable steps to be satisfied that the funds used in a transaction appear to have come from a legitimate source.

The SRA on source of funds

A couple of years ago, the SRA released their findings and expectations when it comes to source of funds.

SRA Findings

The SRA’s findings included: 

1. “21% did not evidence the client’s source of funds properly or at all”

What this tells you is that they’re not just checking to see whether you have some paperwork on file. They’re assessing whether it’s enough.

2. “Companies used filed accounts, but these are old and have no relation on the current amount”

Filed accounts can actually be useful, even if they’re massively out of date. If you’re looking to prove a company is a properly trading business, having a history of filed accounts will help, especially if they’re audited. Although the client might not be showing you their current funds, a history of accounts will help you establish that the company has been trading properly.

That being said, to get the full picture of a company’s business you will need to make sure you have up-to-date filed accounts.

SRA Expectations

The SRA’s expectations are:

1. “We consider that carrying out and evidencing a source of funds check is crucial to comply…”

‘Evidencing’ is the important word here. One of the challenges we see, is lawyers being lulled into a false sense of security believing that their client isn’t a ‘baddie’. They can often talk themselves into thinking that they don’t have to look too deeply into source of funds and source of wealth. However, investigations need to be evidenced.

2. “Obtain evidence of the funds early”

If there’s something in your source of funds and wealth information that leads you to a knowledge or suspicion, you’ll have to do a SAR. However, it’ll take at least 7 working days to do this.

You should therefore look at source of funds and source of wealth as early as possible to ensure the smooth running of a transaction. For example, if you wait until a week before exchange of contracts to do your checks, and you notice something suspicious, you’re not going to have time.

Although we understand just how busy lawyers are, this really is something that needs addressing early. Therefore, the processes built, not just in compliance, but also in file management, have to make sure that source of funds and source of wealth is plugged in at the right time.

The SRA and risk assessments for source of funds and source of wealth

The SRA are looking at risk assessments at the moment. As part of that, they want you to be risk assessing your client due diligence and your source of funds and wealth due diligence. A good question we suggest you ask is “Can I see on our file that you’ve considered the risk of money laundering after you have investigated the purpose and nature of the business relationship?”. Usually, the answer is no.

When we’re auditing and file reviewing for our clients, it’s often difficult to see that this is happening. This is why we suggest having a 3-stage risk assessment:

  1. At file opening;
  2. When you review client due diligence (including source of funds); and
  3. Before the transaction takes place.

It’s a good way of documenting what you’re doing. It’s also a good trigger for fee earners to remind them that they need to be writing down their assessments because, in compliance, if it’s not written down, the assumption is it didn’t happen.

Think of it like taking a maths exam. You get points for the correct answer, but you also get points for the working out, even if you’ve got the answer wrong. So, if something did happen, but you had all your source of funds and source of wealth evidence and you have written down that you have reviewed and assessed the risks, the SRA will take that into account. However, if it’s not written down, they’ll take the stance that you didn’t do it, and you’ll be in a lot more trouble.

Proceeds of Crime Act (POCA) offences and the correlation between POCA and the Money Laundering Regulations (MLR)

What we often see is that lawyers feel source of funds and source of wealth is just a process they have to go through to get a file opened. This is understandable given the chance of a client actually being a baddie is slim, and the chances of being able to spot them are even slimmer. Some lawyers who’ve been trained for many years and do AML checks hardly ever come across a baddie. It can seem like a very remote possibility and, therefore, a pointless task to them.

It’s rare that lawyers are sent to prison, and if they are, they’re more often than not baddies themselves. However, although the chance of a lawyer accidentally involved in money laundering going to prison is remote, it can happen. Take the case of Neil Bolton, a conveyancer in Manchester, who went to prison for several months. He acted for a baddie and pleaded guilty to a section 330, and for failing to comply with the MLR. He wasn’t the MLRO; he was a solicitor just doing his day job.

To prevent this outcome, you need to know about the correlation between both POCA and MLR.

1. POCA

If a POCA offence is committed, you can be sent to prison for up to 14 years. These offences are:

  • 327 – conceal, disguise, convert, transfer or remove (from the UK) criminal property
  • 328 – become concerned in an arrangement
  • 329 – acquire, use, or have possession of criminal property

You can also spend up to 5 years in prison if you commit an offence under s.330/1/2 – failure to disclose an offence.

In order to be at risk of committing one of those offences, you have to know or suspect, or someone else can infer that you should have known or suspected. It’s therefore all anchored on “Is there criminal property?”. So, the first question in your mental flow chart should be “Is there any criminal conduct?”. If there’s no criminal conduct that you suspect, then there probably isn’t any criminal property and you can’t commit an offence.

2. MLR

The penalties for not complying with the MLR are up to 2 years in prison. In order to comply, you have to do 5 things:

  1. A matter-based risk assessment
  2. Identify your clients
  3. Verify what your clients have told you, by getting independent evidence to prove this
  4. Understand the purpose and nature of the business relationship
  5. Conduct ongoing monitoring

You’re only safe from criminal prosecution if you do all 5 of these.

3. POCA and MLR combined

These pieces of legislation don’t actually depend on each other. You can do all 5 things under the MLR, but if you suspect that a client is a baddie, then you’re going to commit an offence.

What lawyers often miss is that the opposite is true too. If a lawyer was acting for someone who definitely isn’t a baddie, for example, the Archbishop of Canterbury, but the work you’re doing for them is regulated, failure to carry out these checks is a criminal offence. If you don’t do your client due diligence, then the chances of you being able to spot a baddie are next to none, and that’s why they make you do it.

When we talk about source of funds and source of wealth, what we’ve found is that many lawyers focus on whether the clients have the money. However, the focus should be on whether the money they have is dirty money. So, when thinking about source of funds and wealth policies, it’s not just about bank statements and utility bills.

Understanding the purpose and nature of a business relationship

Most lawyers usually go straight to source of funds and source of wealth but forget what other red flags they should be looking for. This falls under the purpose and nature of your business relationship, considering why you’re doing what you’re doing, why they’re asking you to do it and whether it makes sense. The guidance provides 5 questions which should be answered:

1. What is the purpose of the transaction?

You need to consider what the purpose of the transaction is: What’s the client hoping to achieve? Are they purchasing a property because they want to buy a new house?

For example, imagine someone with a corporate entity came to you as they wanted to purchase offices. However, there was no reason why they’d need to purchase offices as they run a garage. If they couldn’t give you a valid explanation as to why they were suddenly purchasing offices, you’ll need to investigate further. 

2. Is that usual for this kind of client?

Again, you have to look at the transaction the client is making and consider whether that transaction is usual for this sort of client. Think about what the client’s usual business practice is and whether this transaction is usual for this type of business. If not, you’ll have to investigate further.

3. Is it an unusually large or complex transaction?

This is a difficult one as there’s no tick box for this. Transaction sums and complexities differ from firm to firm, so it’s a difficult one for lawyers to get their heads around. The government understands we do need some more guidance on what’s considered ‘unusually large or complex’ and they’re currently looking at this.

However, the way we’d view an unusually large transaction would be to consider if it makes sense. For example, if a high-street hairdresser suddenly wanted to buy a £2m property, this would be an unusually large transaction for the type of work the hairdresser does.

When it comes to a complex transaction, again this is difficult, as some people believe everything is complex. What you need to look at here is whether the client is adding extra steps, or asking for steps to be removed as they want to rush it along, and considering if that makes sense. Some lawyers at this point would simply decline the work given the complexity.

4. Does it lack economic or legal purpose?

When considering if the transaction lacks economic or legal purpose, you should look at things like whether they’re selling at an undervalue or an overvalue and why they’re doing this. For example, if someone wanted to rush everything through because of the stamp duty changes, this would make sense. However, if there’s no benefit for them in rushing a transaction, it would need further consideration and investigation.

5. Where is the money coming from and how did they get it?

Ultimately, this is what you’ll be investigating when it comes to your source of funds and source of wealth checks.

Money Laundering Regulations (MLR)

Unfortunately, there’s nothing in the legislation that tells you what you really need to do. That’s why lawyers find it so difficult to understand.

The only times you’ll spot reference to source of funds and source of wealth in the MLR are:

Regulation 28(11)(a) – Ongoing monitoring of a business relationship

Regulation 28(11)(a) states “scrutiny of transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the relevant person’s knowledge of the customer, the customer’s business and risk profile;”

Regulation 25(5)(b) – Politically Exposed Persons (PEPs)

Regulation 25(5)(b) states “…take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person;”

Regulation 33(3A)(c) – High Risk Third Countries

Regulation 33(3A)(c) states “…obtaining information on the source of funds and source of wealth of the customer and the customer’s beneficial owner;”

It would be better if we had confirmation of how far back you need to go, or how many documents you need to see. However, the reality is that having a formulaic approach sounds helpful, but it doesn’t work everywhere.

That being said, we would recommend that you have a baseline policy for your process. You wouldn’t want the police to knock on your door and ask why you didn’t do it on this one. This is why we would ask for documentary evidence for 6 months, wherever the funds have been.

Do you have to do a source of funds check if it’s a UK bank account?

This is a common myth which we’ve heard through our ‘Ask Teal’ service several times. Some lawyers think because money has come from a UK bank account everything is fine. But this isn’t the case.

There have been several UK banks fined for money laundering. Most recently, NatWest was fined almost £250 million for laundering approximately £365 million through its bank accounts. Baddies were going into various branches and depositing large sums of cash, one of which was £700,000, which was taken into a branch in a black bag.

Even if a bank suspects something and files a SAR, that doesn’t mean you don’t have to carry out the appropriate source of funds and source of wealth checks. There could be ongoing police investigations which you’re not aware of, and the banks are unable to tell you about. So, you really can’t use that as a safety blanket.

Get in touch

If you need advice or would like to talk to us about one of our products or services, simply get in touch and one of our experts will be happy to help.

The Case of Nirosha Jayawardena and its Nine Key Lessons

In an ever-changing landscape, keeping abreast of new developments is essential in the legal profession. This week, I delved into the intriguing case of Nirosha Jayawardena, a solicitor who recently found herself suspended from practice by the Solicitors Disciplinary Tribunal for one month.

The decision was an outcome mutually agreed upon by Ms. Jayawardena and the Solicitors Regulation Authority (SRA). Alongside the suspension, there were several stipulated conditions about her future conduct.

The Unraveling of a Complex Case

The case drew me in due to its facts and unique circumstances, which I believe underscore vital points for everyone in the law firm to keep in mind. It serves as a stark reminder of how weak anti-money laundering (AML) controls, coupled with non-compliance with the Accounts Rules, can potentially result in substantial losses for small firms.

Within the case, we saw the firm fall prey to fraudulent individuals masquerading as property owners. These fraudsters successfully manipulated the firm into selling properties and directing the proceeds into their pockets. In dissecting what transpired, multiple compliance failures came to light.

Nine Key Lessons

  1. Small Firms are Targeted

It’s a common misconception that only large firms fall prey to nefarious activities. While it’s true that some criminals target big firms, low-complexity impersonation frauds often zero in on smaller firms. These firms may lack the technological advancements or stringent sign-off procedures that larger firms have invested in, making them an easier target.

  2. Repeat Offenders

What’s peculiar about this case is the audacity of the fraudsters. After successfully duping the firm once, they brazenly tried their luck a second time. That’s the unsettling nature of fraudsters. They will often test the waters with a legitimate instruction to gauge the firm’s security measures. If successful, they will exploit the vulnerability repeatedly until caught/detected.

  3. Disruptive Methods for ID Verification

In the case of Jayawardena, the client conveniently couldn’t visit the office but was able to arrive in a taxi. Such disruptions to standard protocols serve to distract the lawyer, hindering their ability to spot discrepancies.

  4. Passport Errors

In a busy legal environment, it can be tempting to overlook small details. However, every document, especially identification ones, should be meticulously scrutinised. Fraudulent documents are surprisingly accessible and can range in quality. The case underlines the importance of spotting typos or unusual language in documents.

  5. Ignoring the AML Policy

Needless to say, adhering to your firm’s policy is crucial. Unfortunately, instances of non-compliance do occur. It’s essential to make sure that all guidelines reflect actual practice. Having procedures in place that are habitually ignored only serves to undermine the entire policy.

  6. Breach of Solicitors Accounts Rules

Impersonation frauds often hinge on payments made to third parties. This case underscores the importance of handling such transactions with extreme caution. Reinforce this within your firm and ensure that the rationale behind such payments is captured in writing.

  7. Ignoring Warnings in Customer Due Diligence (CDD)

Knowing how to interpret electronic verification search results is a must. Document what your next steps are if the checks don’t pass. Ignoring warning signs can clearly lead to a cascade of issues down the line.

  8. Failure to Retain and Verify ID Copies

The Regulations mandate that CDD must be retained for 5 years past the end of the business relationship. This case emphasises the importance of not only keeping a copy of the ID but also following through with verification processes like authenticity checks on passports and driving licenses.

  9. Mandatory Training Courses

An intriguing element of this case was the requirement for Jayawardena to undergo training courses on AML and Accounts Rules. This is a prudent move and, as a trainer, one I wholeheartedly endorse.

While this might seem daunting, remember that knowledge is power. Let’s learn together and fortify our defenses against these ‘baddies’.

Get in Touch

For more information, simply get in touch and one of our helpful experts will contact you without delay.

Delegating CDD Responsibilities between Lawyers and Central Teams

As regulatory frameworks have evolved over the years, law firms have increasingly had to grapple with the challenge of managing Client Due Diligence (CDD) requirements. The introduction of the Money Laundering Regulations in 2003 was an important moment in this transformation. In response, many legal practices, including mine at the time, ended up establishing a dedicated centralised CDD team.

These teams emerged out of a need to streamline the cumbersome process that lawyers found themselves caught up in when conducting CDD. To facilitate this, we integrated ID searches into our case management system. This approach allowed the centralised team to handle the task of verifying client identities electronically, except in the case of conveyancing, where documents were still needed due to the provisions of the CML Handbook.

The centralised team’s process was relatively straightforward: gather client information, attempt electronic verification, and when necessary, directly contact the client for additional details. Once all necessary data was gathered, it was forwarded to the lawyers.

However, a recent interaction with a former trainee, now a Money Laundering Reporting Officer (MLRO) at his firm, underscored a significant challenge: even when provided with detailed information about their corporate clients, lawyers often file this information away without a thorough review.

Moreover, many firms are struggling to conduct matter risk assessments properly. As revealed by regulatory findings, these assessments are not consistently completed, or not completed accurately, by the lawyers. This often happens because of an assumption that the central team is responsible for it.

This conundrum often raises a common question: how to strike a balance between central team assistance and lawyers’ duties? Here are a few pointers:

Manage Expectations: It’s essential to accurately represent the central team’s scope of work. Sometimes, in an effort to secure budgetary approval, the expected reduction in lawyer involvement is overstated. This can lead to lawyers presuming they are completely absolved from Anti-Money Laundering (AML) duties – a “get out for AML free” card if you will!

Clarity of Roles: Lawyers should have a clear understanding of their responsibilities. Generalised instructions, such as “conduct a risk assessment”, may not be sufficient. To ensure accuracy, break down the process into detailed steps. If possible, incorporate these steps into your routine procedures.

Prompt lawyers to prove they’ve done it: Assigning tasks that compel lawyers to engage with the information sent by the central team as part of the ongoing risk assessment process is crucial. This ensures active participation and reinforces the importance of their role in the CDD process.

Central Team Training: Central teams may often comprise individuals new to the legal sector. They may not fully comprehend what the lawyers need or the nature of information that lawyers are likely to possess. Hence, training them about the firm’s legal practices can improve their ability to anticipate and obtain necessary data.

The above suggestions serve as a starting point to bridge the divide between central teams and lawyers in the world of CDD. The ultimate aim is to ensure an efficient, effective CDD process that also ensures compliance with regulatory requirements and stops baddies from getting through!

Get in touch

If you need advice or guidance with AML compliance, we’re here to help you. Simply get in touch with one of our friendly experts today.

New SRA fining powers for AML – Be careful as they’re going to use them!

The Solicitors Regulation Authority (SRA) has long desired more robust punitive capabilities against traditional law firms. It has historically been able to impose significant fines on Alternative Business Structure (ABS) firms, and can refer cases to the Solicitors Disciplinary Tribunal (SDT) for endorsement of an agreed decision. However, the SRA’s fining powers have now been broadened, enabling it to impose a fine of up to £25,000 without SDT referral and approval.

Recent case study

A recent noteworthy fine was imposed on an Oxfordshire-based two-partner firm, Ferguson Bricknell, for Anti-Money Laundering (AML) breaches. The firm was penalised £20,000 for violations of the Money Laundering Regulations and the SRA’s Standards and Regulations.

Although £20,000 might appear insignificant to some, for a small firm, it’s a considerable sum! If you consider a £200 hourly rate at 20% profitability, a lawyer would need to work for more than 14 weeks to generate the profit to cover it. This is because fines are paid from profit; there’s no special budget set aside for them!

The full decision is a worthwhile read, providing insights into the firm’s declaration to the SRA of a compliant Practice Wide Risk Assessment. The SRA periodically requests firms to confirm their compliance with certain regulations and verifies this by checking a sample of firms. In this instance, the SRA disagreed with the firm’s assessment of compliance and investigated further into its AML conformity.

Key takeaways from the case

The case provides valuable insights into the SRA fining powers and their approach, and offers seven key takeaways:

Number 1

When the SRA communicates with a firm, ensure a response is made. If your Compliance Officer for Legal Practice (COLP) is the recipient, ensure they’re checking their spam emails as the SRA’s emails often land there.

Number 2

If you claim compliance, be certain that you’re indeed compliant. There is an abundance of guidance, including free templates for Practice Wide Risk Assessments. Never claim compliance if it’s not the case.

Number 3

Keep up with reviews. Set reminders and take action. To show that you’ve reviewed a document, log the date and reviewer’s name (and approval if needed) within a version control table in the document.

Number 4

Consider establishing an independent audit function. Although not mandatory for all firms, it’s crucial for those of significant size and nature. The audit doesn’t have to be external, but in smaller firms, it must be conducted by someone independent of the people who oversee the policies, controls, and procedures.

Number 5

Regularly train your staff. The latest Legal Sector Affinity Group Guidance emphasizes annual refresher training. Additionally, the Money Laundering Reporting Officer (MLRO) and the Money Laundering Compliance Officer (MLCO) should receive specialist training for their roles.

Number 6

Conduct a matter risk assessment, as required by the 2017 Money Laundering Regulations. The SRA expects to see an assessment on every file falling within the regulations’ scope, with enough information to judge the risk assessment’s accuracy.

Number 7

Perform source of funds and wealth checks when necessary. Make sure they’re complete before accepting or moving any transactional money through the client account.

The case underscores the SRA’s commitment to enforcing AML Compliance. They’ll act against non-compliant firms, even if there are no actual money laundering allegations. Firms are expected to take their responsibilities seriously, with disciplinary actions waiting for those who don’t.

Get in touch

If you need advice or guidance with AML compliance or regulatory compliance, we’re here to help you. Simply get in touch with one of our friendly experts today.

Managing risk and learning from mistakes

As legal professionals, it is crucial to manage the risks we face daily and learn from our mistakes. The common goal of most professionals is to prevent messes in the first place. Building Compliance That Works is fundamental to being able to demonstrate resilience and self-reflection on internal policies and procedures.

In the legal sector, professional indemnity insurance has seen a significant increase, with some firms experiencing a minimum increase of 20% in their annual premiums. To combat the increase or limit it, it is essential to prepare early, not treat it as a tick box exercise, utilize a specialist broker, demonstrate that the taint has been removed, put in the work and time to the process, demonstrate your firm’s value on the proposal form, and have a standalone document.

We all have problems, things which haven’t gone to plan, so how do we explain them?

If a problem is identified, Root Cause Analysis should be conducted for each instance. The purpose of this is not to blame a person but to investigate the different factors that enabled the incident to occur. In doing so, effective changes and prevention can be implemented to limit recurrence.

It is essential not to merely scratch the surface but to dig down below to find the root cause. If the root cause is missed, the incident is likely to occur again, increasing the risk exposure. Human error is never the ultimate root cause, and firms or individuals should not feel ashamed of near misses. Instead, they should feel confident and empowered to share these experiences with others.

We worry people will fear it is a witch hunt if we dig too much into the issue.

Creating a positive environment to have these chats and building a safe environment where staff are confident that they will not be judged or penalised for asking for help or alerting a person to an underlying issue is crucial. Ensuring that the culture is embedded throughout the firm sets the right undertones for all staff, regardless of level or position.

Risk exists in firms at all levels; the risks may change, but they are still present. Consider reporting lines or lines of support, whether internal or external. In most firms, the line manager automatically handles reporting lines, which can make people bury their heads and not speak out for fear of repercussions, insecurity, stress, and compromised decisions.

It’s important we face these causes, because otherwise people suffer. In many parts of the legal sector (for example, conveyancing in 2022), there can be real risks that are exacerbated by several factors outside the staff member’s control and, in some instances, the firm’s. Even if those risks do not transpire into meritorious claims, it is inevitable that there will be claims and complaints arising out of these risks, which will have a considerable impact on staff and firms.

Everyone, at one time or another, will make mistakes within their careers, and it is how we deal with them that helps shape our careers and shape the firms we work within.

How can we mitigate the consequences of issues arising?

Make it easier to find out what actually went on – Recording file notes is essential, documenting what is done at each stage, what has been found, what the client has been informed of, when they were informed, and by what means, and why the matter cannot proceed further.

Supervise properly – In the remote world we currently operate within, identifying signs in others is crucial. If you are a supervisor, think about how to monitor, motivate, and supervise daily. Remote working adds another layer of complexity, making identifying a gut feeling a lot harder. Make a conscious effort not to focus solely on the work and be visible and personable, building trust and relationships.

Use your data – Data collection and analysis can help fill gaps and identify where and who requires support. Data that could be considered includes low WIP or, alternatively, high WIP, money held on the file, inactive client records, average case length, non-billing for a period, what happens when the file gets to 75% of the fee estimate, and retainer profitability and written off time.

Take action if you think there might be a problem – Doing more file reviews and stacking the odds in your favour is invaluable regarding risk exposure and learning. Get curious, ask why, and continue learning about your team and how they operate.

Get in touch

For more information about our risk management services, get in touch with our experts.