Coronavirus

Coronavirus – Dealing with your client due diligence requirements (“CDD”)

In this Blog on some of the many queries received from our clients through our Ask Teal Service, we look at the most popular question we’ve had on how to deal with meeting your CDD obligations during a lockdown period.

We are in unprecedented times and it’s unlikely you’ll be able to obtain certified copy documents from the majority of clients as they will struggle to deal with this during a period of restricted movement or total lockdown. It’s worth remembering that the CDD documents we collect are not used purely for anti-money laundering purposes but also to satisfy other requirements such as those set by UK Finance (i.e. where a client purchases a property with a mortgage, you’re required by the UK Finance Handbook to see an original document and keep a copy of it) and also to identify fraudulent transactions.

With any instructions you receive from new clients not previously known to you, it’s unlikely you’ll be able to meet your clients face-to-face in the short term to check their identification documents. Usually this would lead you to having to seek enhanced due diligence. However, bear in mind that for one of the highest (and busiest) risk areas for AML purposes, property transactions, that it’s unlikely that any matters will be able to complete in the near future given the lockdown. Indeed, on 26 March the government issued guidance for buying and selling residential properties.

Should you wish to progress a matter in the meantime, you could consider using consider electronic verification services – something that many firms already use as part of their processes. Whilst UK Finance has not yet provided guidance on whether electronic verification may be used to satisfy their requirements, we understand that a number of law firms have spoken with them to see whether they will allow firms to obtain copy documents and then use electronic techniques to verify their authenticity. We recommend speaking with UK Finance and also with individual lenders to clarify whether they’ll permit this form of CDD during this period.

Commonly, we see firms using EVS running a two track approach: they still obtain documents from clients and then use their EVS to validate those documents. EVS generally:

1) check against data that they hold (usually credit reference agency files and other data such as electoral roll registers) to verify whether clients actually exist,

2) on most EVS you can use their functionality to authenticate your documents by checking algorithms contained on documents provided to you (for example, those you find on a passport or driving licence).This can be a much more robust check than reviewing original documents yourself, as it can often be difficult to spot a fake.

You can also hold a virtual call (for example using Skype or Zoom) with your client to check the picture contained within the document, if they have the facilities to do so. Firms then run the document through their EVS.

Shazia Zamir of Team Teal has recently written a blog on EVS, where she takes us through the different types of services available and gives an overview of their “pros and cons” (https://www.tealcompliance.com/single-post/2020/02/02/The-benefits-of-Electronic-Verification).

Using CDD in this way was envisaged by the Fifth Money Laundering Directive. The 2019 version of the Money Laundering Regulations state that where you have an electronic verification which is protected from fraud and misuse (i.e. by authenticating the document), then you may use that for verifying a client – and the risk of the client being non face-to-face and the need to undertake EDD falls away, provided you know that your client has had the document authenticated.

However, if you feel these processes aren’t as robust as your current procedures, remember these are only temporary measures for you to consider. If you decide to depart from your usual Policy, we recommend that you prepare a Policy Addendum detailing the changes. It’s open to you to carve out any types of work where you do not wish any new measures to be deployed.

The SRA has now issued guidance on CDD issues arising due the epidemic. They have pointed out that Rule 8.1 of the Code of Conduct for Solicitors (Rule 7.1 of the Code of Conduct for Firms applies this Rule equally to firms) says you must identify who you are acting for, but that this is not prescriptive and up to you to determine what is necessary. They go on to state that you have discretion to put together a risk-profile for work and appropriate requirements. They acknowledge that face-to-face contact is not necessarily required and you may consider using other means, giving examples such as email, telephone and virtual appointments, whilst highlighting that you should ensure that you comply with the CDD requirements in the Money Laundering Regulations.

The SRA also discusses whether electronic verification is sufficient for EDD purposes, stating that it may be enough, provided that the service provider uses multiple sources of data in the verification process. They also point out that e-verification only confirms that someone exists and not that your client is who they say they are, so that if there is anything to suggest that they aren’t, you will need to do further EDD.

For full details see: https://www.sra.org.uk/sra/news/coronavirus-qa

Coronavirus – Dealing with compliance remotely

In this Blog looking at some of the many queries received from our clients through our Ask Teal Service, we consider how to deal with compliance obligations remotely.

How can we ensure compliance works remotely?

The Solicitor’s Regulatory Authority will still expect compliance to happen and undoubtedly some elements of compliance, such as supervision of staff, are likely to be more challenging than others to deal with remotely.

If you are the Compliance Office for Legal Practice it’s your job to take steps to ensure compliance is working at your firm and to detect and to report serious breaches of regulatory obligations. This can be done:

Through complaints or claims: These processes are unlikely to differ in the current climate, whether you are offsite or onsite.

Supervision: As we think that supervision is likely to be one of the biggest challenges to law firms with significant numbers of staff working remotely, we will discuss this separately in other Blogs.

File reviews: Many firms undertake monthly file reviews, others quarterly. At this point, we don’t know how long we are going to be working remotely. We do know that vulnerable persons have been asked to keep social distancing measures in place for 12 weeks. We’ve also seen other jurisdictions extending their initial two week lockdown periods. We know that school exams have been cancelled. So, we could be preparing for at least one quarter’s worth of disruption.

Many firms still undertake paper reviews. We have been considering how to do this when working offsite. You will need to make arrangements to get files to your file reviewers to enable the work to be done.

For reviews usually done online, this raises other challenges. During onsite visits, the paper files we are given to review often don’t contain all the necessary information. Client due diligence information is often kept in a separate file. The correspondence folder may be missing information or even empty as the Fee Earner has not yet filed communications from their desktop onto the file. Good file hygiene and discipline is going to be critical and you should remind your staff of this.

Self-reporting: It will be critical that staff understand why you ask them to self-report. We prefer to talk about staff reporting “incidents” rather than “breaches”, i.e. incidences of when policies and procedures have not been adhered to. At this time, it is highly likely that your policies and procedures will be applying to situations that you did not conceive of. For example, your Working at Home Policy will most likely be designed with Fee Earners in mind and how they operate, rather than support staff such as receptionists and secretarial staff or accounts staff. You will not have visibility of how staff will be working so it will be very important that you encourage staff to let you know if they believe that changes in your policies are required.

Coronavirus – The biggest risk and compliance issue

In this Blog dealing with questions received from our clients through our Ask Teal Service, we look at what we see as the biggest risk and compliance issue that will arise as a result of Coronavirus and the impact it has on law firms.

What do you think the biggest risk and compliance issue will be?

Mistakes, undoubtedly. Staff are going to be feeling under pressure, feeling scared about quite a lot of things; illness, suffering possible bereavements, any financial disruption and the impact on their job that that might have. This could lead to a lack of concentration and staff suffering from mental health issues.

From a risk manager’s point of view, this creates situations where we see things happening such as staff missing deadlines and key dates, then realising that they have done something wrong and not wanting to tell anyone for fear of getting into trouble – this may then lead to further problems such as backdating of documents and similar things. So there is clearly the potential for things to go wrong and for claims to be made against your firm’s professional indemnity insurance.

We think that these issues will likely arise as a result of isolation being experienced by staff and a lack of support from others, a lack of good regular communication with staff members, and from the usual files reviews and supervision dropping away – these are all things that will lead to negligence claims.

One of the challenges that we have in the legal market is that we are already in a hardening market for professional indemnity insurance. It is likely that underwriters will be looking to see what measures law firms have put in place now to combat claims arising from the disruption likely to be caused by Coronavirus to enable them to continue good risk management. This will allow firms to put forward their best case to insurers at the time of renewal.

Coronavirus – Client confidentiality issues when working from home

In this next blog in our series looking at some of the many queries received from our clients through our Ask Teal Service, we consider the client confidentiality issues that may arise when staff work from home.

What are the likely client confidentiality issues when staff work from home?

You’ll need to ensure that your firm continues to comply with rule 6.3 of the Code of Conduct for Firms (which of course applies equally to solicitors), obliging it to keep the affairs of both current and former clients confidential unless disclosure is required or permitted by law or where the client consents.

You’ll also need to consider data protection issues, including the security of the information held at home.You may already have considered this as part of your work in connection with the GDPR.

You should consider how work will be undertaken by staff based at home. For example, where staff have families and may not have access to childcare, they will need to fit in their work alongside other important commitments. With schools closed, it may be difficult to prevent children from interrupting staff whilst working. Staff may need to give some thought as to how they can communicate with clients in a confidential and professional way.

You may recall the famous case at a London law firm where a Partner revealed confidential client information to his wife’s best friend, who then revealed that J K Rowling had written a detective novel under a pseudonym – and he was subsequently disciplined by the SRA.

You should provide guidance to your staff on how to deal with client information when it is kept out of the office. Ensure laptops contain appropriate and current security features and that staff continue to follow your security protocol.If staff use their own equipment, you should check that their virus software is up-to-date and robust.

Remember: criminals will be aware that many eyes may be taken off balls in these highly unpredictable times so it is important that staff are aware of the risks of working at home, in these difficult times, and take steps to mitigate them.

What about dealing with confidential waste?

After scanning documents, you will need to ensure that confidential waste is securely disposed of.

This includes scanned documents and any work produced at home, including draft documents. Consider providing staff with shredding bags to use at home if they don’t have access to a shredder. These can then be returned to the office for secure disposal when staff are next in the office.

Coronavirus – Succession Planning

Photo by Emma Matthews Digital Content Production on Unsplash

One of the interesting features of the current lockdown is how it seems to be enabling people to open up their minds on thinking about their businesses. Maybe it has something to do with our seeing how the Powers That Be are restructuring themselves away from the traditional confrontational model that has evolved over the history of modern democracy and adopting a more collegiate approach.

Part of that greater visibility is very much in evidence at the moment with Mr Johnson finding himself battling with the more severe manifestation of COVID-19. Apart from some minority extreme views – including a town mayor who has been sacked by her party for saying that Mr J’s suffering in ITU was completely deserved – expressed by media trolls, there has been some welcome and very human support unfettered by political issues. Mr J’s plight has also brought into very sharp focus how the Government is dealing with his absence. The answer is in a largely seamless temporary transition of responsibilities for maintaining momentum and direction. Business goes on and the fight against the virus continues.

So how is this reflected in the running of our own businesses? Key and core compliance standards state very clearly that we should all have an effective and implementable Business Continuity Plan in place. This is not just a Disaster Recovery Plan, which deals with how we get back on our feet after being stopped in our tracks. The key word is “Continuity”, implying that although we may feel pain from a traumatic event, business goes on with both momentum and direction.

A key element of this is in our succession planning. This doesn’t just involve who’s going to take on the role of Senior or Managing Partner, MD or CEO or indeed who is next going to be elevated to an equity position. We are looking at a whole range of situations where team leaders or individuals with key roles in fee earning teams (and including key admin/management roles such as COLP, COFA, MLRO, DPO) need to be backed up by someone capable of filling those roles without internal or external customers being able to see any perceptible join.

Of course, in smaller firms it may be that there simply isn’t the internal resource to fill the void. In these circumstances you may have to look to external help from another like-minded firm, or other outsourced resourcing, for example in compliance or parts of the necessary financial management.

This is all an important part of the duties to clients set out in the Principles.

There are other aspects of Continuity Planning that are often overlooked that are significant in securing stability in a crisis:

When did you last check your non-PII insurances?

Are your

KeyPerson Insurances,Health Insurances, and(if the worst comes to the worst) Life Insurance Policies

maintaining an appropriate level of cover? Providing effective continuity through locum cover can be an expensive business, especially when you’re still paying a high-level salary to the affected person.

And fee-earning will inevitably see a drop in the early stages of cover.

It’s also vital that when planning you ensure that you have the right person in the role of back-up.

Remember that: –

It’s emphatically not a paper title – the nominated person must know what’s involved and be committed to take on the task. There should be consensus in the Management Team that you have the right people in the right posts. The rest of your colleagues at all levels should also be fully aware that you have a plan in place and who will be doing what. Are the deputies properly trained in what they’re supposed to be covering? If not, urgent steps need to be taken for the right level of training to be delivered, whether sourced internally or externally. The regulatory bodies will need to see audit trails both of the decision-making process and the training plan and schedule.

So once again it turns out that “bare” compliance issues in the COVID-19 crisis have much more flesh on them than you would first expect and are closer to the heart of how we manage and lead our firms than we might have anticipated. Nobody could have foreseen the cataclysmic effects of Coronavirus four months ago when the issues uppermost in our minds were the Election and Brexit. But that doesn’t mean we should feel that we’re too late to get to the party of making our SOP’s and Compliance Policies really relevant and fit for purpose. And without relishing the thought of ending on a pessimistic note, if there does turn out to be a second wave, wouldn’t we prefer to be prepared?

Coronavirus – Supervision in a broader context in a locked down world

Photo by Mati Flo on Unsplash

So how do you go about this supervision thing when you’re all isolated?

There’s much that’s written elsewhere on the Teal Compliance website about the ways in which you can effectively implement a robust supervision system when we’re all working in different locations.

But there are wider implications just in the general good governance sphere of running a business in a thoroughly business-like way. Supervision isn’t just the lynchpin of SRA Principle-Centric, well-delivered legal advice. Other regulatory standards, particularly AML, Lexcel and GDPR/DPA, set it at the heart of effective compliance delivery. And looking at it from a purely common-sense point of view, why wouldn’t you have very clear definitions of roles and their ceilings and reporting and escalation lines right through to COLP, COFA, and DPO level?

It’s something of a truism, but actually having the right people in the right roles is crucial to being able to demonstrate effective Governance. It’s not just a question of seniority or experience – although these are obviously factors to consider.

We will also need to bring into the mix: –

how potential supervisors manage their own workloads; andwhether they have the capacity to take on additional responsibilities;what their style is like – are they empathetic and constructive with their supervisees?;their capability to act as a catalyst to encourage more junior colleagues to identify, address and sort their own problems;whether they are they good teachers;how they are able to interact with their own supervisors.

These are complex areas to identify but they are all crucial in getting the right person in the right role.

The best forum for identifying them is in the firm’s Personal Development Review system.

Does your firm’s system cover these areas effectively and is it fit for purpose?

Really important meetings in this context are very difficult to deal with remotely as it is easy to miss the nuances that can come through (for example in body language) in a real world one to one.

However, as we get used to dealing with matters in a virtual world then it may be an aspect that will become more commonplace. Preparation work in the completion and consideration of questionnaires and answers certainly can be carried out. Interim follow up/catch up/ periodic or weekly one to ones could also be developed to operate virtually.

All the above is likely to beg the question of relevance when we’re all in crisis-handling mode and trying to ensure financial survival. But surely we owe it to our firms to broaden the scope of what survival means as soon as we possibly can?

Things aren’t likely to return to the status quo ante and we need to plan to what changes we are likely to have to adapt and how we can deliver effectively. A well-structured and organised firm is far more likely to survive viably to enable it to move forward when things eventually return to normality. We need to look behind the bare text of what the Regulations say and look at what it seeks to achieve and harness this so that it forms a useful and integral part of our firms’ core strategies. Compliance doesn’t have to be an enemy!

Given that in the immediate future we are likely to have more time on our hands due to the drop in new matters coming on stream, where could we start? Try breaking down the task into manageable chunks; involve your team in the thinking process; review how effectively the supervision structures and procedures are working in your firm.

Some of the tasks will be:

Defining the scope of the roles;Defining the person qualities;Identifying potential candidates;Defining the firm’s structure graphically and developing it into an organogram.

Effective structures are pointers to a well-organised entity that has a strong belief in good governance principles. They’re usually aware of how they work best – and it’s a short step from there to a well-maintained bottom line with the capability to grow when some semblance of normality returns.

There’s a real opportunity here – but we’ll be either broke or too busy fee-earning to seize it when we’re the other side of the COVID-19 crisis – so grab hold of it now!

Coronavirus – Merging under pressure and compliance due diligence

Sadly, in these challenging times, there are firms that, for one reason or another, are finding themselves in unexpected commercial difficulties that make their longer term viability questionable.

Radical reconstruction by consolidation through merger may be the only alternative to closing doors for good, with all the unsavoury knock-on consequences that this entails.

So now – more than ever – there are likely to be opportunities for merger to the potential benefit of both parties.

In any potential merger situation it is becoming increasingly clear that compliance needs to be at the top of the priority list. Overall, it is a great indicator as to the management style of the merger target as, on a broader scale, the major regulatory standards are placing an increasing significance on the wider principles of good governance as an underpinning ethos to the compliance that they foster.

So… if you’re an acquiree what do you need to do to prepare the firm for marketing, and as an acquirer what do you need to look for?

They are actually two sides of the same coin. If you are the firm looking for help through merger, it’s similar to a job interview – prepare, prepare, prepare, and then prepare. This applies to training all levels of staff in what we are doing and why. Make sure that everyone is on board as their future employment may depend on it.

As an acquirer, the due diligence cannot be too thorough, especially in the current climate when many personnel are likely to be dispersed.

The overarching standard is of course the SAR Principles, revised and reduced from 10 to 7 in November 2019. They are as follows and should be thoroughly interrogated: –

“You act:

in a way that upholds the constitutional principle of the rule of law, and the proper

administration of justice.

in a way that upholds public trust and confidence in the solicitors’ profession and in legal

services provided by authorised persons.

with independence.

with honesty.

with integrity.

in a way that encourages equality, diversity and inclusion.

in the best interests of each client.”

In support of these Principles the firm needs to have a COLP and COFA and you should check that the roles are filled by someone who is appropriately qualified and trained – and takes the role seriously.

You are seeking to adduce evidence that the firm not only talks a good talk but actually delivers on those verbal assurances. There will usually be two aspects to the proof needed that there is such delivery.

You will need to check that there are SOP’s that are encapsulated in a systematised written format. These will, or should, form recognisable parts of the firm’s Operations Manual. It maybe that there are a number of different manuals though e.g. the Data Protection or Lexcel Manuals. If the Manuals are stored electronically the fact that they’re all in the same “Compliance” area is indicative of how orderly the firm’s management processes are. Hopefully the Manuals will all be assembled ready for inspection – a well organised firm should have sufficient confidence in its systems to know what a merging firm will be looking for.

You will need empirical evidence. This will take the form of findings from interviews, both formal and informal, and from written records relating to inductions, training and Personal Development Reviews or Appraisals.

There will be clues as to the effectiveness of the firms’ governance with such items as structural organograms and procedures for escalating responses for incident handling. Minutes from meetings of all types, and policy review schedules can also be very helpful

Aside from broader good governance you should check for clear documentation of the firm’s supervisory structures. There is increasing emphasis being placed on this in the SRA principles as well as the GDPR/DPA legislation.

How do you find it?

1. The paper (or electronic equivalent) trail is self-explanatory – time consuming but worthwhile.

2. Gathering empirical evidence is more challenging but probably more revealing. The firm’s COLP and COFA will always be interviewed. Further interviews should be carried out with a good cross-section of all staff and include front and back office staff at all levels. Remember that conversations solely with partners/senior management will give a slanted perspective.

3. Insurances

Appropriate levels of PII insurance will be checked together with the firm’s Complaints and Claims registers in support of this.How these are administered is a good indicator of the general management style of the firm and attitude towards compliance.

Appropriate cover in other areas to complement the firm’s Business Continuity Planning will also be checked.

Supervision

From the point of view of supervision checks you should speak to both supervisors and supervisees on whether issues are dealt with on a one-to-one basis or in teams; whether training needs are formally identified and how the training is delivered and monitored.

File Reviews.

These are another rich source of data and are a vital part of delivering the quality required by the SAR. Check how often they are carried out and by whom and what happens to the results of the reviews.

Training Schedules and Attendance Records

These are very revealing about the firm’s overall attitude towards compliance and its effective implementation especially when read in conjunction with staff interviews for cross-referencing

The firm’s approach towards conflicts avoidance should be carefully monitored.

The firm’s management of its central Key Dates diary should be similarly examined.

How do you evaluate it?

1. It is advisable not to rely on just one opinion and to apply some sort of consistent level of scoring on how compliance is being managed.

2. Results from interviews are likely to be more subjective so a structured series of open questions contained in a questionnaire will help towards achieving consistency

What is it telling you?

Working on a “RAG” (Red, Amber, Green) method of assessing levels of compliance it would be highly unusual and deeply suspect to come up with a full pack of Greens. It is a useful indicator but not the whole story. What you are really looking for is the overall style of approach to the whole portfolio of regulatory compliance. Every firm will have setbacks or issues occurring that expose actual or potential weaknesses in a firm’s breach prevention armoury. These are of themselves not necessarily the most important thing. What really matters is: –

how the firm approaches dealing with the actual or potential issues andthe overall compliance-embracing culture of the firm andhow the firm works to embed and keep embedded this culture at all levels

If you are in any doubt about carrying out this sort of exercise then you shouldn’t hesitate to ask for outside help. A third pair of eyes can in any event add an element of objectivity that may be difficult to maintain internally when people are either enthusiastically – or unenthusiastically – polarised about a merger project.

Good Luck!