Legal Compliance

Two train tracks merging

Merging under pressure and compliance due diligence

Blogs, Legal Compliance, Regulatory Compliance /

There are firms that, for one reason or another, are finding themselves in unexpected commercial difficulties that make their longer term viability questionable. Radical reconstruction by consolidation through merger may be the only alternative to closing doors for good, with all the unsavoury knock-on consequences that this entails. 

So now – more than ever – there are likely to be opportunities for merger to the potential benefit of both parties and compliance due diligence is extremely important.

 

Compliance due diligence 

In any potential merger situation, it is becoming increasingly clear that compliance needs to be at the top of the priority list. Overall, it is a great indicator as to the overall management style of the merger target as, on a broader scale, the major regulatory standards are placing an increasing significance on the wider principles of good governance as an underpinning ethos to the compliance that they foster.

So… if you’re an ‘acquiree’, what do you need to do to prepare the firm for marketing, and as an ‘acquirer’ what do you need to look for?

They are actually two sides of the same coin. If you are the firm looking for help through merger, it’s similar to a job interview – prepare, prepare, prepare, and then prepare. This applies to training all levels of staff in what we are doing and why. Make sure that everyone is on board as their future employment may depend on it.

As an acquirer, the due diligence cannot be too thorough, especially in the current climate when many personnel are likely to be dispersed.

 

The SAR Principles

The overarching standard is of course the SAR Principles, revised and reduced from ten to seven in November 2019. They are as follows and should be thoroughly interrogated:

“You act:

  1. in a way that upholds the constitutional principle of the rule of law, and the proper administration of justice.
  2. in a way that upholds public trust and confidence in the solicitors’ profession and in legal services provided by authorised persons.
  3. with independence.
  4. with honesty.
  5. with integrity.
  6. in a way that encourages equality, diversity and inclusion.
  7. in the best interests of each client.”

In support of these Principles the firm needs to have a COLP and COFA and you should check that the roles are filled by someone who is appropriately qualified and trained – and takes the role seriously.

You are seeking to adduce evidence that the firm not only talks a good talk but actually delivers on those verbal assurances. There will usually be two aspects to the proof needed that there is such delivery.

You will need to check that there are Standard Operating Procedures that are encapsulated in systematised written format. These will, or should, form recognisable parts of the firm’s Operations Manual.

It maybe that there are a number of different manuals though e.g. the Data Protection or Lexcel Manuals. If the Manuals are stored electronically the fact that they’re all in the same ‘Compliance’ area is indicative of how orderly the firm’s management processes are. Hopefully the Manuals will all be assembled ready for inspection – a well organised firm should have sufficient confidence in its systems to know what a merging firm will be looking for.

You will need empirical evidence. This will take the form of findings from interviews, both formal and informal, and from written records relating to inductions, training and Personal Development Reviews or Appraisals. There will be clues as to the effectiveness of the firms’ governance with such items as structural organograms and procedures for escalating responses for incident handling.

Minutes from meetings of all types, and policy review schedules can also be very helpful aside from broader good governance you should check for clear documentation of the firm’s supervisory structures.

There is increasing emphasis being placed on this in the SRA principles as well as the GDPR / DPA legislation.

 

How do you find it? 

The paper (or electronic equivalent) trail is self-explanatory – time consuming but worthwhile. Gathering empirical evidence is more challenging but probably more revealing.

The firm’s COLP and COFA will always be interviewed. Further interviews should be carried out with a good cross-section of all staff and include front and back office staff at all levels. Remember that conversations solely with partners/senior management will give a slanted perspective.

Insurances – Appropriate levels of PII insurance will be checked together with the firm’s Complaints and Claims registers in support of this. How these are administered is a good indicator of the general management style of the firm and attitude towards compliance. Appropriate cover in other areas to complement the firm’s Business Continuity Planning will also be checked.

Supervision – From the point of view of supervision checks you should speak to both supervisors and supervisees on whether issues are dealt with on a one-to-one basis or in teams; whether training needs are formally identified and how the training is delivered and monitored. This is especially important in the new era of remote working in which firms are currently operating. This topic has been explored in other recent blogs on the Teal Compliance website.

File Reviews – These are another rich source of data and are a vital part of delivering the quality required by the SAR. Check how often they are carried out and by whom and what happens to the results of the reviews.

Training Schedules and Attendance Records – These are very revealing about the firm’s overall attitude towards compliance and its effective implementation especially when read in conjunction with staff interviews for cross-referencing. The firm’s approach towards conflicts avoidance should be carefully monitored.

The firm’s management of its central Key Dates diary should be similarly examined.

 

How do you evaluate it?

It is advisable not to rely on just one opinion and to apply some sort of consistent level of scoring on how compliance is being managed.

Results from interviews are likely to be more subjective so a structured series of open questions contained in a questionnaire will help towards achieving consistency.

 

What is it telling you? 

Working on a “RAG” (Red, Amber, Green) method of assessing levels of compliance it would be highly unusual and deeply suspect to come up with a full pack of Greens. It is a useful indicator but not the whole story. What you are really looking for is the overall style of approach to the whole portfolio of regulatory compliance.

Every firm will have setbacks or issues occurring that expose actual or potential weaknesses in a firm’s breach prevention armoury. These are of themselves not necessarily the most important thing. What really matters is, how the firm approaches dealing with the actual or potential issues, and the overall compliance-embracing culture of the firm, and how the firm works to embed and keep embedded this culture at all levels.

If you are in any doubt about carrying out this sort of exercise then you shouldn’t hesitate to ask for outside help. A third pair of eyes can in any event add an element of objectivity that may be difficult to maintain internally when people are either enthusiastically – or unenthusiastically – polarised about a merger project.

Get in touch

If you’d like to know more about how Teal’s compliance services can help, simply contact our experts today. 

Get in touch

Merging under pressure and compliance due diligence Read More »

Manager talking to colleague on video call

Managing Risks When Supervising Remotely

Blogs, Legal Compliance, Risk Management /

Effective supervision has always been important from a risk management perspective but never more so than now, when it comes to managing risks when working remotely. Especially if you’re having to grapple with new technology and processes.

 

SRA Code of Conduct

As it is a requirement of the SRA Code of Conduct for firms to have in place an effective system for supervising client matters, most firms will already have policies and processes in place. However, these processes will need to be reviewed to ensure that they are still workable and effective in light of the remote working and different hours that some staff may be working to fit in around childcare and home schooling.

 

Supervision process

When reviewing supervision processes, consideration should be given to the following key areas:

Experience of Staff: The staff that are being supervised and their qualifications and level of experience. For example, qualified experienced Solicitors will not need as much day to day supervision or quality checking as a Paralegal or Trainee Solicitor.

Communication: Good clear communication is key as, in the office, some supervision happens informally as Supervisors can overhear a telephone conversation when someone is struggling or can be approached for a quick sense check of a matter that a member of their team is unsure about or they need clarification about a query they have received from a client.

It is important that good communication continues between a supervisor and their team to ensure a high level of work and effectiveness is maintained as well as staff morale.

Consideration should be given to weekly team meetings and one on one meetings being held via Skype or Zoom. Dates and times for these meetings should be agreed in advance and put in everyone’s diaries so staff can plan their work and appointments around them. An agenda should be prepared in advance so all staff know what is going to be discussed and what they need to bring and prepare. This will ensure that these meetings are as productive as possible and valuable time is not wasted.

File Surgeries: Allocating a file surgery day each week can also be an efficient and effective way of ensuring that matters can be supervised and allow both the supervisor and team members to plan and manage their time and work effectively. Staff should be informed of a timeline by which they need to email and confirm to their supervisor the issues they wish to discuss at the file surgery meeting together with the name and file number of the matter if applicable. The supervisor should then acknowledge receipt and allocate a time slot to their team member on the allocated file surgery day for the matter to be discussed over the telephone.

File Reviews: It is important that these reviews continue as these are a very effective way of supervising and of being able to identify any potential issues that could turn into a claim or a complaint if not dealt with. Consideration should be given as to whether the number of file reviews undertaken needs to be increased for some staff. It should be noted that file reviews can also help identify any other office processes and policies which may need to be reviewed and amended as a result of people working remotely.

Checking of Work: Supervisors should inform their team on the process for the checking of work before it is sent to clients. Confirmation should be given to each team member of the process that needs to be followed and when the supervisor will need to receive the work by together with the timescale for them reviewing the work and returning it. This will help staff be able to effectively manage key dates and timelines as well as client’s expectations.

 

Get in touch

If you would like any help reviewing or preparing a Supervision Policy, please get in touch with our experts today.

Get in touch

Managing Risks When Supervising Remotely Read More »

Paparazzi in car snapping a photograph

What is a Politically Exposed Person (PEP) and how do I know if my client is one?

Anti-Money Laundering, Blogs, Legal Compliance, Regulatory Compliance /

The SRA expect solicitors and firms to continue to meet the high standards the public expect (which includes upholding the rule of law). It’s therefore important to ensure that all staff are aware of their obligations when onboarding clients, and this includes understanding what a politically exposed person is.

On a number of occasions, we’ve seen panic set in as soon as someone sees the words “match” for their client on a politically exposed person screening request, but there’s no need to panic! Just because someone is classified as a politically exposed person does not necessarily mean they are a “baddie”!

 

What is a politically exposed person and why are they considered high risk?

A politically exposed person is a person who is or, within the last year, has been a:

  • Head of State/Government
  • Minister
  • Assistant Minister
  • MP
  • Member of judiciary
  • Member of Courts
  • Member of Auditors
  • Member of boards
  • Member of central banks
  • Ambassador
  • High-ranking officer in the armed forces
  • Member of administrative management
  • Member of supervisory bodies
  • Member of state-owned enterprises Member of governing body of a political party
  • Board of an international organisation (for e.g. FIFA)

In addition, a person will also be classified as a politically exposed person if they are:

  • A member of a politically exposed person’s family
  • A known close associate of a politically exposed person (whom the politically exposed person is in business with)
  • A beneficial owner of the politically exposed person’s property (someone who enjoys the benefits of ownership even though the title of the property is in another person’s name)

 

Why is a politically exposed person deemed high risk?

A politically exposed person is deemed high risk because they generally present a higher risk for potential involvement in bribery and corruption due to their position and the influence that they may hold.

Therefore, the main aim of applying Enhanced Due Diligence (EDD) to work involving a politically exposed person is to mitigate the risk that the proceeds of bribery and corruption may be laundered.

A politically exposed person is also an easy target for identity theft due to a great deal of their personal information being publicly available.

 

How do you find out if your client is a politically exposed person?

The best way to check whether someone is a politically exposed person is through politically exposed person screening solutions (PEP screenings) online. Many firms already have electronic verification which will normally include PEP screening as part of the checks that are carried out. Some online screening solutions will also provide additional information, such as adverse media and any criminal conduct – a good way to check whether your politically exposed person is a “baddie” or not!

Don’t forget Google, it is amazing what information you might find from a Google search.

 

The Regulations  

Regulation 33 (1)(d) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) states that EDD is required in situations where the client is a politically exposed person, or a family member or known close associate of a politically exposed person. Therefore, it is important to establish whether or not your client is a politically exposed person at the outset.

In addition, under Regulation 35 of the MLR 2017, if your client is a politically exposed person you must:

  • Get senior management approval for the business relationship
  • Take adequate measures to establish the source of wealth and source of funds
  • Closely monitor the business relationship throughout

 

Get in touch

If you need any assistance when dealing with a  politically exposed person,  please get in touch and we would be happy to help.

Take a look at the compliance services we can offer or alternatively, get in touch with one of our experts. 

Get in touch

What is a Politically Exposed Person (PEP) and how do I know if my client is one? Read More »

someone typing on laptop on wooden desk

The SRA Transparency Rules – Is your website compliant?

Blogs, Legal Compliance, Regulatory Compliance /

As you’re no doubt aware, the SRA Transparency Rules (the Rules) came into force back in December 2018 requiring firms to publish price and service information for various practice areas. It’s important that you check this regularly, to ensure it’s up-to-date. 

What areas of law does it cover?

You need to publish the price and service information on your website if you publicise that you work in the following areas of law: 

  • Residential conveyancing
  • Probate (uncontested)
  • Motoring offences (summary offences)
  • Immigration (excluding asylum)
  • Employment tribunals (unfair/wrongful dismissal)
  • Debt recovery (up to £100,000)
  • Licensing applications (business premises)

If your firm doesn’t have a website, you must still have this information available upon request in other formats.

Information about the SRA requirements

The Rules also require all firms to publish details of their complaints procedure on their website, including how and when a complaint can be made to the Legal Ombudsman and to the SRA. From 25 November 2019 firms were also required to display the SRA’s digital logo in a prominent place on their website.

You may also be aware that the SRA has been conducting a programme of random sweeps of firm websites to monitor on-going compliance with the Rules. 

In November 2019 they reported that during a sweep of 447 live websites conducted in March/April 2019, only 25% of firms were fully compliant with the Rules. Of the remaining 75%, 58% were partially compliant and 17% were not compliant with the Rules at all. However, the SRA did provide useful feedback on the most common areas of non-compliance which were:

  • Failing to publish the required complaints information
  • Failing to specify the amount of VAT applied to costs and disbursements
  • Failing to display information on key stages and/or timescales
  • Failing to provide a description or costs of likely disbursements

We’re aware that the SRA has more recently been contacting firms with the results of their sweep. Several firms we’ve spoke to were surprised to learn that they’re only partially compliant, despite undertaking considerable work on their respective websites. In our experience, whilst the SRA will indicate to a firm the service areas that they consider non-compliant in terms of the information provided, unfortunately they don’t provide exact details of the non-compliance(s), but instead state “insufficient information” has been provided.

When assisting clients to identify the missing information, we’ve found the SRA templates of suggested text to be very helpful.

Our own research

We undertook our own survey of 10 websites for compliance with the Rules and found the following:

  • Fully compliant: 1
  • Partially compliant: 8
  • Non-compliant in all areas: 1

When looking at the websites, we noticed that the issues flagged by the SRA after their first ‘sweep’ still featured high on the list of areas of non-compliance. We located the SRA’s digital badge on 8 out of the 10 websites reviewed.

Get in touch

At Teal, we offer firms a website audit service. We provide guidance on whether we consider that your website is compliant with the Rules and can assist with any remedial action needed. We can also provide guidance and assistance if you’ve received an SRA Notice informing you of non-compliance and directing you to take remedial action.

If you’d like to know more, or if we can assist, please get in touch.

Get in touch

The SRA Transparency Rules – Is your website compliant? Read More »

UK Passport camera icon

Who should certify client identification documents and what should they check?

Anti-Money Laundering, Blogs, Legal Compliance, Regulatory Compliance /

Some of the certifications I’ve seen on client identification documents that fee earners have uploaded as part of their client due diligence checks, have led me to raise an eyebrow.

One of my favourites was a document certified by someone whose occupation was detailed as “Retired”!

Having worked in Risk and Compliance for over 7 years, one question I would regularly hear was “who can certify my client’s identification documents?”.

Firms will have different policies and procedures in respect of this. However, it is worth considering the following points when deciding whether you are happy to accept the certification on a document:

  • Is the person certifying the documents a professional person or ‘of good standing’ i.e. are they regulated, or do they work in a position of trust?
  • Is the certifier easily identifiable?
  • Would you be able to contact the certifier if needed to verify their certification? A bank, building society or post office official could move jobs/professions, making it difficult for you to contact them.
  • Does the certifier have the relevant skills to know whether what they are certifying is a true original document?
  • Has the document also been certified as a true likeness?

The majority of firms only accept certified client due diligence documents from a professional regulated person for example a solicitor, a banker or a notary. The reason for this being that they are then able to demonstrate to the relevant authorities, if necessary, that the person in question who certified the documents was of “good professional standing”, easily identifiable to contact if necessary and competent at document inspection and imposter detection.

We had a query a couple of months ago as to whether documents must also be certified as a “true likeness”. My view is that this wording should be used where the document being certified contains a photograph. If the certifier does not stamp a document containing a photograph with the wording a “true likeness”, and states a “true copy” then they are suggesting that they have ONLY seen the original document and therefore the individual who the document relates/belongs to was not present at the time the document was certified. This, to me, defeats the whole point of getting documents containing a photograph certified in the first place!

If you come across documents containing a photograph that are only certified as a “true copy” it is worth double checking with the certifier that the individual was present at the time the document was certified or that the certifier has met the individual in person previously and can confirm that it is a true likeness.

Don’t forget to make sure the document being certified is in date – It’s surprising the number of times I have seen client identification documents that have expired but have been recently certified.

 

Get in touch

If you’d like to know about how our services can help, please get in touch with our experts today. 

Get in touch

Who should certify client identification documents and what should they check? Read More »

Hand holding a small plant against the sky

SRA Standards and Regulations 2019 – Principle 4 To Act with Honesty

Blogs, Legal Compliance, Regulatory Compliance /

The much-anticipated SRA Standards and Regulations 2019 have been live since 26th November 2019 and I am sure many law firms are still racing around updating policies and training staff on what this means for them.

The Solicitors Regulatory Authority (“The SRA”) have driven this change to the Regulations with a view to enabling innovation, growth and increased competition in the legal market, something which the legal sector seems to be falling behind on compared to other sectors. Not much has changed in the Regulations, as the SRA’s main aims were to make simpler rules which were focused on higher professional standards as well as making it easier for law firms to make their own decisions and have more flexibility in how they deliver their legal services.

The SRA have however made a few significant changes to the Principles. One being the addition of Principle 4 “You Act with Honesty”. But what does this mean for you?

It is important to highlight that the Principles apply to everyone who is employed by a law firm. This includes paralegals, support staff and managers, it does not just apply to Solicitors. This isn’t something new, however I feel this is something that isn’t always communicated to non-qualified staff. I have worked in several law firms and out of all those firms, only once was I made aware that the Principles applied to me. Even then I still didn’t really understand the importance and implications of this. It’s therefore crucial that law firm employees are given the necessary training so that they understand their obligations under the Principles.

The question is, why has the SRA added the Principle to act with honesty when there is already the Principle to act with integrity? The SRA recognises there is an overlap between Principle 4 “You Act with Honesty” and Principle 5 “You Act with Integrity”, however they have explained that a person can lack integrity without necessarily being dishonest and have said “The concept of integrity is wider than just acting dishonestly”.

To act dishonestly is a very serious matter, as a finding of dishonesty is likely to result in a solicitor being struck off. If an employee who is not a solicitor is found to be dishonest, the SRA can disqualify them from working in a law firm.

Only recently, the Head of Operations at international law firm Schillings was disqualified from working in the profession after he was caught selling mobile phones belonging to his employer. 95 mobile phones were sold for a total of £13,547, which the employee kept for himself. He is now disqualified from acting as the head of legal practice, head of finance and administration, or as a manager of any licensed body. He is also disqualified from being employed by any licensed body. A case which makes it clear to all employees that not adhering to the Principles can significantly affect your whole career!

So, what actions do the SRA consider to be dishonest? They have provided a few examples in their guidance which include;

  • Backdating or creating false documents – Whilst the SRA understand there are normally mitigating factors for this type of action, such as inexperience and stress, given its seriousness, the SRA have said that this cannot be a justification to act dishonestly
  • Taking or using someone else’s money without their knowledge or agreement
  • Lying to or misleading someone – In a recent case, a solicitor of 12 years was struck off for misleading his clients. For 6 weeks he told his clients he was awaiting a response from the court in respect of their application, when in fact he hadn’t even submitted the application. In his evidence he said that he was under enormous amounts of pressure and was too ’embarrassed’ to admit he was struggling
  • Giving false information to their firm’s insurer
  • Misleading a court, tribunal, regulator
  • Lying on a CV and misleading partners in their firm – Earlier this year a paralegal was banned from working for any regulated firm without the SRA’s permission after claiming on her CV she had a first class LLB law degree and had completed the Bar Professional Training course, when this was not true.

When considering if conduct is dishonest, the SRA have said that they will apply a two-stage test;

  1. What was the individual’s genuine knowledge or belief as to the facts at the time?
  2. In view of their knowledge or belief at the time, was their conduct dishonest by the standards of ordinary decent people?

BUT….. it is important to remember, even if someone is not found to have acted dishonestly, they may still be considered to have lacked integrity.

Below are a few suggestions to assist your understanding in this area;

  • Read the SRA guidance note on Acting with Honesty which has some useful SRA examples to help understand their approach.
  • Ensure your firm and all your employees are given the necessary training so that they understand their obligations under the Principles. It’s not always made clear to non-qualified staff that the Principles also apply to them.
  • Remember mitigating factors such as stress, inexperience and pressure can change the way in which someone would normally behave. This could be a trigger for them to act in a way that the SRA would deem as “dishonest”. If you are an employer, look after your staff and ensure they have the support they need to avoid this happening. If you are an employee and you feel like you are struggling, don’t feel embarrassed to ask for help, it’s likely there are others who feel the same as you do. Just keep in mind its ultimately your career that is at risk if you don’t speak up.

 

Get in touch

For more information about our services and how we can help, get in touch with one of our experts today.

Get in touch

SRA Standards and Regulations 2019 – Principle 4 To Act with Honesty Read More »

someone calculating bills on a calculator

Don’t forget to pay your ICO fee!

Blogs, Data Protection, Legal Compliance /

The UK Information Commissioner’s Office (ICO) has recently launched a campaign to send reminders to all UK registered companies to ensure that they comply with their legal obligation to pay an annual data protection fee, where this applies. This is the start of an extensive project to ensure that the ICO fee is paid by everyone who needs to pay it.

Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee unless they are exempt – this fee replaces the old annual registration fee. If you are an organisation holding personal information for business purposes on any electronic device, including using CCTV for crime prevention purposes, it’s likely that you’ll need to pay the fee. The ICO maintain a public register of those registered, so your clients will be able to check whether you take your data protection obligations seriously.

The amount of the data protection fee depends on a company’s size and annual turnover. There are three tiers of fee ranging from £40 and £2,900, but for most organisations it will be £40 or £60 (you can reduce the cost by £5 if you sign up by direct debit). As it’s a statutory fee, no VAT is payable on the fee. The ICO provides a useful self-assessment tool which will calculate how much you need to pay (see self-assessment) – and is definitely worth using to ensure that you are paying the correct amount. In terms of exceptions, charities pay £40 regardless of size or turnover and public authorities only need to go by staff numbers. There are a number of exemptions. You don’t need to pay a fee if you are processing personal data only for one or more of the following purposes:

  • Staff administration
  • Judicial functions maintaining a public register
  • Accounts and records
  • Not-for-profit purposes
  • Advertising, marketing and PR
  • Personal, family or household affairs
  • Processing personal information without an automated system such as a computer

Since introduction of the latest data protection fee in May 2018, over half a million organisations have registered with the ICO to pay it. However, between 1 July and 30 September 2019 the ICO issued 340 monetary penalties to organisations who haven’t paid the fee. You are breaking the law if, as a controller, you process personal data or are responsible for the processing of personal data, for any of the non-exempt purposes and you have either not paid a fee or not paid the correct fee.

In addition to a fine, the ICO names the majority of those failing to pay. This clearly has reputational implications for your business.

The very fact that GDPR exists at all suggests that data protection is being taken more seriously than before. Although fines tend to be the ICO’S last resort, the data protection fee is going to be vital to the ICO if it’s to function properly as whilst money received from fines is passed to the Government, the data protection fee is used by the ICO to fund its data protection work. Clearly, if organisations ignore the requirement to pay en masse, this could drive the ICO to flex its muscles by making an example of some of them.

If your fee is a renewal you should receive a payment reminder from the ICO – but don’t rely solely on this and ensure you diarise the payment date as a key date, so you don’t end up with fine which could easily have been avoided. If you don’t pay when you need to, you’ll receive a notice of intent from the ICO 14 days after expiry. You’ll then have 21 days to pay or make representations as to why you think you don’t need to. If you still don’t pay or fail to notify the ICO that you no longer need to pay, you may be issued with a fine of up to the maximum penalty of £4,350 (150% of the top tier fee) – so it’s clearly important that you pay the correct fee, if due, and on time.

 

Get in touch

To find out more about our data protection services, contact our experts today. 

Get in touch

Don’t forget to pay your ICO fee! Read More »

Man holding up in front of his face a picture of his face

The Benefits of Electronic Verification

Anti-Money Laundering, Blogs, Legal Compliance /

The world of electronic verification is an ever-evolving industry, with some providers supporting features like facial recognition, authentication of documents, direct access bank account information, and PEP and Sanctions screening.

Electronic verification should provide you with a level of certainty that the individual is who they say they are and, for corporate entities, that a legal entity exists and has an active company status.

Electronic identification can be used either as part of a wider process or, where appropriate, as the only source of identification. Before using any provider, you may want to consider the following:

The information supplied by the data provider is considered sufficiently extensive, reliable, and accurate.The provider allows users to capture and store the information they have used to verify an identity.

There are several benefits achieved by using electronic identification and verification (EV):

Improved Customer Experience

Using EV can assist in streamlining your current verification process. It can lead to enhancing the overall client experience making it easier for the client to submit identity documents securely in a matter of minutes ready for teams to receive and review.

Quicker Onboarding of Clients

Faster access to transmitted documents can reduce the time it takes to conduct Customer Due Diligence (CDD) and onboard the client. Adopting this approach may also help you carry out a risk assessment quickly to decide whether you would like to act for the client . It may even form part of your decision-making process when assessing any risks during the course of the instruction.

Document Verification

Most current providers allow you to verify documents. If you are interested in this feature just remember your provider is verifying the authenticity of the document having been issued using the machine-readable zone (MRZ code). It is important to remember a documentation verification check is not verifying the identity of the person, it is verifying the document.

Identity Verification

If you are a firm looking to verify the identity of a person some providers offer a different feature which includes biometric data and facial recognition. Here the client is usually asked to take a live photo of themselves using an app and identity documents are uploaded. The picture and identity documents are compared by the system and all including the results are transmitted electronically to the firm as a pass/fail. The system is verifying the identity of the individual, which can help firms address issues where obtaining a correctly certified identity is a concern.

Clear Audit Trail

UK/EU providers are usually GDPR compliant, offering you a secure place to save all searches for a period of time, and helping you demonstrate a clear audit trail. Remember to check that your terms and data protection statements specify the use of authorised third parties to process personal data.

Increased Accuracy

Automating your CDD process can make a manual task easier to manage and give increased accuracy. Politically exposed persons and sanctioned designated individuals/entities are automatically highlighted as risks. In addition, automating your take-on process by using digital technology to compare documents can improve quality and eliminate human error when comparing documents using the untrained eye.

 

Get in touch 

For more information about how our services can help, contact our experts today.

 

Get in touch

The Benefits of Electronic Verification Read More »

3 office workers sat around desk working on laptops

What happens to GDPR on exit day?

Blogs, Data Protection, Legal Compliance /

GDPR during the transition period

As we’re all well aware, the UK will finally leave the European Union later today. The UK and the EU will then have until 31 December 2020 (the “transition period”, provided for in the withdrawal agreement) to negotiate an agreement setting out their future relationship. This raises the question: will the UK still be bound by the GDPR post-Brexit? In short, yes. During the transition period, GDPR will continue to apply and the data protection landscape will remain unchanged.

The current regime consists of the EU GDPR, supplemented by the UK Data Protection Act 2018 (DPA). As well as modifying the EU GDPR, the DPA applies a similar data protection regime (referred to as the “applied GDPR”) to areas falling outside the scope of EU GDPR. So for now you should continue to follow the current rules and regulations and ICO guidance.

During the transition period, if you are offering goods and services to customers in the EU, the ICO has confirmed that you do not yet need to appoint a European representative but may need to do so from the end of the transition period.

What happens at the end of the transition period?

Following through on its commitment to incorporating EU GDPR into domestic UK law on exit day, the UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the “Exit Regulations”), which will apply changes needed to the EU GDPR so that it remains relevant to the UK after Brexit (such as removing references to the UK’s participation as a member state), and merges the EU GDPR with the DPA to ensure that the UK data protection framework continues to function correctly. This regime will be known as the UK GDPR.

The EU GDPR will continue to apply in the UK until the end of the transition period – from this point on UK GDPR will apply. What the exact data protection landscape will look like post 2020 will depend upon the negotiations that take place during the transition period, but we believe, based on the information available to us now, that it’s unlikely there will be any change to the existing main data protection principles.

Currently all personal data moving from the UK to the US is governed under the Privacy Shield framework agreed to by the EU and the US. The good news is that the Exit Regulations will ensure that this arrangement will continue so that data still flows from the UK to the US. However, US entities will need to update their privacy notices to expressly extend protection to transfers from the UK.

Adequacy Decisions

What we also know is that from the end of the transition period, the UK may be classified as a “third country” for the purposes of EU GDPR. The EU GDPR places restrictions on data transfers to third countries (i.e. countries other than EU member states and the three EEA states that have adopted a national law implementing GDPR (Norway, Iceland and Liechtenstein)). To date, the EU has granted a number of adequacy decisions, where they determine whether a country offers personal data an adequate level of protection, including in favour of the Isle of Man, Jersey and Guernsey.

It’s highly likely that the UK will apply for adequacy status from the EU and the EU has already indicated that it’s prepared to consider this but won’t do so until after exit day. But unless this happens before 31 December 2020, UK businesses processing data on behalf of EU data controllers will only be able to transfer data if appropriate safeguards are in place to protect the data transfer to the UK. This includes putting in place some form of data transfer agreement with the EU business incorporating the standard data protection contractual clauses (known as “Model Clauses”) approved by the EU, as a legal basis to protect the transfer of personal data to the third country.

However, once adequacy status is granted, the UK would no longer be classified as a third country and the need for Model Clauses or other safeguards to be put in place would fall away. Just how long this process will take is unknown, but it’s unlikely to happen quickly and there’s no guarantee it’ll happen before 31 December. Businesses dealing with third countries should therefore follow developments regarding the granting of an adequacy decision closely, as breaches of the requirements relating to this particular area of EU GDPR are subject to the higher level of fines (up to €20 million or 4% of annual global turnover, whatever is higher).

If your business transfers data to countries outside of the EU where the EU has already made an adequacy decision, then the position will remain unchanged and your data can continue to flow. The UK government has confirmed that it will recognise existing EU adequacy decisions made prior to exit date. However, you should still keep a close eye on developments as you may see the situation where the EU subsequently grants an adequacy decision to a country and the UK takes a different stance and chooses not to adopt it.

Summing Up

At the current time, whilst we’re in the transition period, there shouldn’t be too much for businesses to do with the majority of data protection rules staying the same, but it’s important that businesses follow developments as we move towards the end of the transition period. As the ICO says in its guidance on post Brexit data protection, your best preparation at this point in time is to ensure you comply with GDPR now.

Get in touch

To find out more about our data protection services, simply get in touch with one of our experts today.

 

What happens to GDPR on exit day? Read More »

Two front doors. One with a correct number and one with a made up number

Preventing a repeat of Dreamvar

Anti-Money Laundering, Blogs, Legal Compliance, Regulatory Compliance /

Dreamvar – more than a year on …….. so, what has changed?

It’s likely most conveyancers will shudder when they hear the name Dreamvar. It’s the case that changed the liabilities and responsibilities of lawyers and conveyancers when dealing with residential property transactions. But in practice, what has actually changed since this case?

Firstly, a brief background for those unfamiliar with the details of the case. The case involved the liability of solicitors in cases of identity fraud. A fraudster posed as the seller of a property in London worth about £1million and succeeded in selling the property to an innocent buyer, Dreamvar. Once the property was sold the fraudster seller and the purchase monies disappeared. Dreamvar went on to sue his solicitor, for negligence (in contract and tort) and for breach of trust. He also sued the fraudster seller’s solicitor in negligence, for breach of warranty and breach of trust.

The High Court ruled that only Dreamvar’s solicitor could be liable and dismissed all claims against the fraudster’s solicitors. This seemed a little harsh given the solicitors acting for the fraudster had not taken sufficient steps to verify their client’s identity as required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

The case therefore eventually made its way to the Court of Appeal. The Judge ruled the solicitors representing the fraudulent property vendor should share responsibility along with those representing the duped buyer of any losses. The Court of Appeal ordered both firms involved to make financial contributions.

However, it wasn’t just the solicitors involved that were in the firing line, the Law Society was also criticised. The case discussed the Law Society’s Code for Completion by Post (“The Code”) and argued that its processes did not consider the prospect that a sale is not genuine.

The Law Society agreed that their Conveyancing Protocol (“The Protocol”) and The Code needed updating and confirmed they intended to take the courts comments into account when making the amendments. And true to their word, the Law Society updated The Code and The Protocol this year.

The Law Society have made it clear that there are no changes in substance to the Code. Their revisions to the Code aim to make it clearer that the seller’s solicitor only gives undertakings where there is a genuine sale, thereby providing better protection for purchasers.

Similarly, with The Protocol the Law Society confirmed the number of steps have been reduced, however the obligations under the Protocol remain the same. They have made some procedural changes that you should be aware of, especially if are acting for the seller. In particular, the Protocol now states that Solicitors in CQS firms who are acting for the seller must

Obtain instructions for dealing with remittance of gross/net sale proceeds and details provided by the seller of UK bank account for remittance of proceeds. Obtain evidence that the bank account is properly constituted as an account conducted by the seller for a period of at least 12 months. Confirm that remittance will be made to that account only.

This means the solicitor must, if they are a CQS firm, request details of the bank account for the sale proceeds and they must also obtain evidence that the account belongs to the seller, showing that they have had and been using the account for at least 12 months.

This is a great way to ensure the purchase funds are going to the correct person! Only last month a woman named Sarah Broadbelt was jailed for 20 months for fraud and possessing a false identity document, after she sold a property for £75,000 back in 2015, without the real owner knowing. This case shows the lengths criminals are willing to go in order to commit this type of crime. Broadbelt went as far as changing her name by deed poll to that of the property owner’s so that she could apply for a passport and open bank accounts! That is real dedication!

Had the new Protocol and Code been in place (and been followed) it would have been far more difficult for Broadbelt to pose as the real owner of the property given that she, as the seller, would have been required to provide at least 12 months bank statements to show that not only was the bank account in her name, but it had also been in use by her for those 12 months.

So, what should you be doing now?

If you haven’t already, review The Protocol and The Code and ensure you have the right policies and procedures in place to enable your staff to follow them – do your firm and staff know about the need for further details about the seller’s bank account?

Don’t forget to communicate the changes to the relevant staff – there’s no point in updating policies and procedures if no one is told they have changed (they don’t have a crystal ball!)

Even if you are not CQS Accredited, it is good practice to follow The Protocol and The Code, it is not only there to protect your client and your firm but you as their solicitor/conveyancer too!

Get in touch

If you’d like to know more about the services we have to offer, get in touch with one of our experts today.

Preventing a repeat of Dreamvar Read More »