Legal Compliance


Practical GDPR tips for barristers

I recently presented at a GDPR and cybercrime training session for a wonderful group of fee earners who are members of a barristers' chambers. During the training I was asked some very interesting questions, and as a group these issues were openly discussed. I was so impressed with the healthy discussion that I thought I would share some of the scenarios and the suggested solutions.

Scenario one

Article 5(1)(f) of the GDPR requires that personal data shall be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”

Very often barristers will take a bundle to Court containing evidence, case management paperwork (e.g. application forms and directions), statements, expert reports and documents relating to a case. Unless the court has specifically directed otherwise, a bundle will normally be contained in one A4 size ring binder or lever arch file limited to no more than 350 sheets of A4 paper.

The file is usually transported by hand by Counsel to the hearing. Quite often Counsel will travel by train, with the file kept in a bag that has to be placed in the luggage compartment, often quite a way from their reserved seat, especially on a busy train. How can Counsel protect that bag and its contents in this situation?

There are various options you may want to consider:

  • If there is no option but to take a court bundle in a paper file (which will inevitably contain personal data), book a seat with extra leg room; these seats are often located directly next to the luggage rack, so the bag stays in your view the whole time.

  • Ensure the bag is lockable – should the worst happen, and it is stolen, you are protecting the contents as far as you can.

  • Consider taking an electronic copy of the bundle instead, on an encrypted USB stick that requires a password to unlock. Make sure the device genuinely encrypts its contents (a hardware-encrypted stick, or a volume encrypted with a reputable tool) rather than merely hiding files behind a viewer password, use a strong passphrase that is not written on or stored with the device, and remember that any laptop used to read the bundle needs full-disk encryption too, otherwise the copy on its drive undoes the protection.

Scenario two

Article 5(1)(a) of the GDPR requires that personal data shall be:

“processed lawfully, fairly and in a transparent manner in relation to individuals”

Privacy notices describe all the privacy information that you make available or provide to individuals when you collect information about them. They help to build individuals' confidence in what you are doing with their personal information. As a minimum, privacy notices should include:

  • who you are;

  • what you are going to do with their information; and

  • who it will be shared with.

Articles 13 and 14 of the GDPR add further items, including the lawful basis for the processing, retention periods, any international transfers and the individual's rights, so check the ICO's guidance on privacy notices before finalising yours.

Very often a barrister will have their own ICO registration number; however, they rarely have a website on which to publish a privacy notice. In practice, if they receive a Subject Access Request (SAR) from an individual exercising their rights, it will normally be coordinated through Chambers.

The question was asked whether the Chambers' privacy notice could be updated to publish all the individual barristers' ICO numbers, give individuals details of the processing, explain how to make a SAR and set out how Chambers will deal with it.

I have to say this is a very practical approach, given that most barristers use Chambers for their administrative duties. Provided the notice covers the points listed above and details any data sharing you conduct, this may be a useful way of managing data privacy and ensuring the statutory time limits are met (a SAR must normally be answered within one month of receipt under Article 12(3) of the GDPR).

Scenario three

The accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

One of the ways you can demonstrate compliance is to record your assessment of risks in relation to data security and your processes to mitigate that risk. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

Barristers are often asked to take on college or sixth-form students who are looking to work in the legal field for work experience. The question posed was whether the same obligations imposed on employees apply to someone who is on site for work experience.

Whether the individual is a work experience student, a casual member of staff, an employed Clerk or a Barrister, there should be no distinction. The obligation to ensure they have understood the importance of keeping data subject information safe/confidential and what to do if a data breach has occurred applies to everyone.

Ensure you have carried out adequate due diligence on the work experience student and consider a confidentiality agreement. Give the student only the access their placement actually needs (a student does not need the full case management system or a shared mailbox), and revoke any account or building pass when the placement ends. Allocate enough time during induction for the student to digest and understand your data privacy policies and procedures, and above all don't forget to mention in the privacy notice that data is shared with work experience students.

Get in touch

See how Teal can help with your data protection needs. Alternatively, contact our experts today for advice.


Identification: The differences between AML, KYC, CDD & CID

Call me pedantic, but I like precision when I’m talking about compliance. Don’t get me started on 5MLD (which does not currently exist!).

Yesterday I was invited to speak at the Internet of Agreements conference on Identity. I was giving the legal perspective, specifically around AML/KYC.

The audience was, in the main, people working on blockchain solutions. It was absolutely fascinating to be in a room with people trying to solve issues with technology, and this group specifically were concerned with ensuring people involved in a blockchain contract could trust the other person was who they said they were.

Most of the technical content went over my head if I’m honest, I don’t know one end of code from another!

Of course identity from an AML perspective has a very specific meaning and purpose, and it became clear to me, having been immersed in this regulated world for 13 years, that perhaps other people don't appreciate the nuances of it. If people are looking to create solutions, then they need to understand the problem.

The terms CDD/KYC/AML are used interchangeably by non-AML people to mean the same thing, as if one approach to identity would work for all three. I hope I explained yesterday that it's not that straightforward, and on reflection I think we should all be mindful of the differences.

  • AML – Anti-money laundering. It does what it says on the tin: an AML policy sets out how you are going to prevent money laundering, and an AML procedure is something you have in place to prevent it.

  • KYC – Know your client. This is understanding who your client is and what their goals are, so you can advise them properly.

  • CDD – Client due diligence. This is a combination of identity verification and understanding the purpose and nature of the business relationship you have with the client, both at the beginning of the matter and on an ongoing basis.

  • CID – Client ID. This is identifying and verifying your client based on documents or information which are independent of the client.

The reason I think it is important to break this down into these four parts is that CID does not prevent money laundering. It might prevent identity fraud, but not money laundering. Baddies live somewhere. CDD does not necessarily prevent money laundering either. Sure, if you are carrying out source of funds enquiries you might see something which makes you suspicious and withdraw from acting, but when conducting CDD we don't always ask for, or have, the full picture of the client's affairs.

KYC is more likely to prevent money laundering. Getting to know your client, understanding how they have made their money is where you will detect money laundering. Understanding their past transactions and business activities is where you will spot suspicious circumstances.

Therefore, as I said yesterday, CID is important, and it's required by law (so the police know which door to knock on to find your client), but if we deploy AML policies which are designed only to comply with CDD requirements we will miss signs of money laundering. We should be looking to understand the client's source of wealth as well as their source of funds if we want to disrupt money laundering. We should understand how they have got to the position they are in today and what their plans are for the future. This is not only good business sense in terms of ensuring your advice properly meets the client's needs, but will make it more difficult for criminals to use you to launder money.

There are a lot of very interesting companies trying to provide Client ID solutions for AML, but if you’re one of those clever techy people I would urge you to consider what can be done to prevent money laundering rather than just making compliance easier – although that’s great too!

Get in touch

For more information about AML Compliance, simply contact one of our helpful advisers.


Bribery Act: Do you have ‘adequate procedures’?


The importance of understanding and implementing ‘adequate procedures’ under the Bribery Act 2010 was highlighted by the conviction of London-based Skansen Interiors Limited in March 2018. It is the first time a UK jury has had to consider what “adequate procedures” should look like for the purpose of a defence to the corporate offence of failing to prevent bribery under section 7 of the Act.

The CPS brought proceedings against Skansen (now dormant) and its senior executive Stephen Banks, Managing Director at the time. The prosecution claimed that Mr Banks had bribed a project manager at a property company to secure a £6 million refurbishment contract. Mr Banks pleaded guilty to three offences and Graham Deakin, a former project manager at the property company, pleaded guilty to two offences. A date for sentencing is yet to be published by Southwark Crown Court.

The company was successfully prosecuted despite having self-reported to the National Crime Agency. The jury rejected the company's defence that it had adequate procedures in place to prevent bribery, having heard evidence that Skansen:

  • did not have a policy specifically directed to preventing offences under the Bribery Act;

  • lacked a dedicated compliance officer; and

  • had no evidence of staff training, or of confirmation that employees had read and understood the company’s existing policy.

Under section 7(2) of the Bribery Act 2010 a company has a full defence to the offence of failing to prevent bribery if it can show that it had ‘adequate procedures’ in place to prevent bribery at the time the offence was committed. The Ministry of Justice guidance on adequate procedures is built around the six principles listed below, and adherence to them is how a firm demonstrates an anti-bribery and corruption culture:

  1. Proportionality – policies and procedures must be in place and be proportionate to the size, nature and complexity of the business activities;

  2. Top-level commitment – top management should show visible support for the company’s compliance policies and activities;

  3. Risk assessment – periodic assessments should be undertaken including internal and external risks;

  4. Due diligence – a risk-based approach should be taken before engaging with a third party to represent your company e.g. agents, consultants, joint ventures;

  5. Communication – policies and procedures should be communicated firmwide;

  6. Monitoring and review – monitor your anti-corruption policies and review these regularly for risks and the effectiveness of your procedures.

Get in touch

Teal compliance can help you achieve the above objectives and guide you through what is required. We work closely with our clients to ensure they meet their obligatory regulatory compliance and AML requirements.  Contact our experts today.


Do I need consent for direct marketing?


With less than 50 working days until GDPR takes effect on 25th May 2018, many businesses are starting to consider the ‘hot topic’ of whether their marketing lists will still be valid. But it’s not just GDPR that needs to be considered...

Current rules (up until 25th May 2018):

  • Data Protection Act 1998 (DPA98)

  • Privacy and Electronic Communications Regulations 2003 (PECR)

After 25th May 2018:

  • General Data Protection Regulation (GDPR)

  • Privacy and Electronic Communications Regulations 2003 (PECR), but only until the Regulation on E-Privacy and Electronic Communications (the E-Privacy Regulation) comes into force

General Principles

Under DPA98 “An individual is entitled at any time by notice in writing ……to require the data controller…to cease, or not to begin processing for the purposes of direct marketing….”

Whilst referenced in DPA98, the majority of the rules around direct marketing can actually be found in PECR.  Take a look at the ICO’s current direct marketing guidance, based on PECR.

Direct marketing can currently be carried out following a variety of opt-ins or opt-outs but under GDPR the rules become more challenging because giving consent (or opting in) to direct marketing has specific requirements.

GDPR (Article 21) says:

“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time….”

“Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”

As we all know, under GDPR organisations can only process personal data if they have a lawful basis for doing so (the lawfulness principle in Article 5(1)(a), with the lawful bases themselves set out in Article 6). The lawful bases include the data subject having given consent to the processing, but this does not automatically mean that you need consent to carry out direct marketing (or any other type of processing).

Legitimate Interests

Recital 47 of the GDPR states “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Even the ICO acknowledges that obtaining valid consent under GDPR (Article 7) will be challenging, and urges businesses to consider whether consent is the correct lawful basis for any processing.

But when deciding whether the sending of direct marketing can be done as a legitimate interest, an organisation still needs to consider the rules under PECR.

Postal marketing – not covered by PECR, so as long as the organisation identifies itself, offers an opt-out and screens addresses against the Mailing Preference Service (MPS), it is fine to send first-party marketing (about your own products and services) to anyone who has not previously opted out. If they have not opted out with you directly but have registered with the MPS, you need to leave them alone.

Email/SMS marketing – you must follow the rules in PECR, which require an opt-in unless you obtained the individual’s contact details in the course of a sale (or negotiations for a sale) of a product or service (the so-called ‘soft opt-in’). The marketing must be for similar products or services, and the individual must have been given a simple means of opting out both when their details were collected and in every message you send.

Telephone marketing – for live marketing calls, the rules say you can call anyone who has not previously opted out and is not registered with the Telephone Preference Service (TPS). You must not make automated marketing calls (recorded messages) to anyone unless they have specifically opted in to receive that type of call from you.

So what do you need to do?

  • Consider whether consent is the most appropriate lawful basis for processing – can you use legitimate interests instead?

  • Make sure your privacy notice covers direct marketing if you will be sending it to clients

  • Ensure that there is an easy way for clients to opt-out of marketing and that your system can record the opt-out

  • Ensure your marketing teams screen all marketing data against both the Telephone Preference Service and the Mailing Preference Service

  • If you do need (or want) to rely on consent, review your current opt-ins; if they don’t meet the requirements of Article 7 you will need to ask your clients to opt in again

  • Keep an eye out for our updates on the E-Privacy Regulation – it was supposed to be ready for 25th May 2018 but this is looking increasingly unlikely as the text is yet to be finalised

Get in touch

We will be talking about the practicalities of GDPR at our upcoming conference in London on 26th April.  However, if you’d like to discuss data protection and GDPR with one of our experts, simply contact us today.


Compliance Culture: Communication is key!

The legal industry can be a mixture of things, both good and not so good.   People tend to focus on the things that drive them, whether it’s the bottom line of fee income, helping clients or having to make what some people may see as ruthless decisions for the success of the business. However, I also see leaders in firms who consider people as their biggest asset, whether that is their staff, suppliers or their clients, and who lead by example and deal with making decisions in an ethical way.

There will always be occasions where decision makers in a firm and managers/supervisors must deliver difficult news. It is often the case that it is not the news itself that leaves individuals disappointed or upset, but the way that news was delivered.

Throughout my career I have always tried to put myself in the shoes of the person on the receiving end of the news, good or bad, and consider how that person may be feeling. Key to that is, wherever possible, engaging in face-to-face conversations. With the technology we have around us, I do think that we sometimes use it as a barrier to avoid these difficult conversations. However, emails and instant messages can easily come across in a way that we didn’t intend, and using them to “save time” can be counterproductive, leaving us to deal with the fallout from the miscommunication. Worse still, I have seen individuals delegate the task to someone else who is clearly not equipped to handle such situations.

The key to successful communication is to have considered the best approach beforehand and the best interests of the recipient. We may not always get it right, but this is a great starting point. We all hold the key to effective communication within our firm – have you revisited yours to make sure the key is used in the best way?


Get in touch

For more information about our services, simply contact one of our experts today.


Teal Compliance and Lockton Conference 2018


The Teal Compliance and Lockton Conference 2018 takes place on the 26th April 2018 in London.  With so much change afoot in the world of compliance, the theme for this year’s conference is ‘Navigating a year of change’.

As a team we have all been working hard to pull together an agenda which covers all the key updates and provides perspectives from industry experts on the practical application of the changes to regulations – from AML to GDPR to the Code of Conduct.

The agenda

The full agenda has now been released:

  • Chair’s Welcome
  • Opening Comments – Robert Bourns, Chair of the Law Society Board and former President.
  • Session 1 – Anti Money Laundering update – Amy Bell, Chair of Law Society’s AML Taskforce and Mark Heffer, AML Consultant with Teal Compliance.
  • Session 2 – The Importance of Ethics – Sarah Mumford, Interim Director of Risk, Trowers & Hamlins LLP and independent legal risk consultant
  • Session 3 – All Things Data – Emma Willis, GDPR Consultant at Teal Compliance and Edward Whittingham, Business Fraud Prevention Partnership
  • Session 4 – Cyber Risk Mitigation – Dave Williams, TrustedIA and Mark Hawksworth, Cunningham Lindsey
  • Session 5 – Managing Risk: The Insurers View – Panel: Adam Curran, Inter Hannover, Jay Bowey, Pelican, Anthony Judge, Omnyy
  • Session 6 – New Code of Conduct – Ian Johnson, The Institute of Legal Financial Management and Paul Wilkinson, Audit Compliance Ltd
  • Session 7 – Getting it Right! – Amy Bell
  • Session 8 – Technology in Compliance – Vicky Simpson, Teal Compliance, Matt Hodges-Long, CEO TrackMyRisks, Graeme Port, Head of Product at encompass Corporation
  • Closing remarks and drinks reception

In addition, the whole of the Teal team will be available throughout the day, and many of our associates will be leading speaking sessions alongside high-profile external speakers from the world of risk, compliance, insurance and regulation.

The aim

The aim of the Conference is to prepare you for the year of change and to challenge you in terms of thinking about risk and compliance.   There are firms who are taking unnecessary risks by not having sufficient “know how” or resources.  This is of course something that Team Teal can assist you with.

The speakers on the day will guide you through a series of perspectives from a risk/insurance point of view to GDPR and Cyber Crime. Panel Discussions will take place and will provide you with the opportunity to ask questions and the Team will be available after the Event to follow up on any requirements.

Get in touch

Early Bird tickets are on sale from now until the 18th March and can be found on our events page.

Alternatively, find out more about our training packages or contact our experts today.


Do we need to ‘change up’ AML Training?


I have been training in AML for 13 years. I love it, I love spreading the word, helping staff in law firms understand the risks they face, and what to look out for to try and identify someone trying to use them to launder money.

The Sopranos, The Wire, Breaking Bad and McMafia have all played a part in raising awareness of how the baddies launder money, but we need to make sure that the training is relevant to lawyers and their staff.

I’ve trained countless numbers of MLROs in those 13 years. I’ve never met any who did not accept and appreciate the need to have their firm understand the anti money laundering legislation and how to apply it in their firm.

That said, I have been talking about the same methods in which the money launderers operate for most of those years, car washes, take-aways, and memorably (if you’ve been on the course you’ll remember) nail bars. All of those are still relevant, but there are new ways in which the criminals are operating and it is critical that we gain an understanding of those in order to protect our firms, the people who work for us and the wider society who are damaged by money laundering and the activities of serious and organised crime.

What about your construction clients who are using sub-contracted labour, who are in turn victims of human trafficking? What about the person who is lucky on fixed-odds betting machines, who has really been pumping the machine with the proceeds of selling drugs on bicycles on street corners in your town? It’s on your doorstep; I just want to help you see it.

For that reason, I am delighted to have Mark Heffer join us at Teal Compliance. Mark is a Financial Crime Consultant, Accredited Financial Investigator and former Detective Constable. He served for over 25 years with the Devon and Cornwall Constabulary with the Serious and Organised Crime Branch and specialised in crime such as money laundering, complex fraud, human trafficking, drug trafficking, bribery and corruption.  He is an expert in all aspects of POCA, money laundering, confiscation, restraint, and SARs and has a reputation for bringing a very real world, hands on approach to his consulting work.

He supports law firms with a range of services including:

  • Expert training and investigation in all aspects of Financial Crime, Anti Money Laundering, Compliance and Fraud.

  • Bespoke investigations for Business and Private Clients – managing reputational risk

  • Assisting firms with the perils of Restraint/Production Orders

Together, we have written new AML courses, which focus on these new tactics being deployed by the baddies, and how they target not just you, but manipulate the banks, accountants and estate agents, before they get to you, the lawyers, adding layers of legitimacy which can be difficult to unravel. We’re running a webinar for MLROs on the 8th March which will focus on these tactics, and how to spot and avoid them. Visit our events page for more details.

Mark and I are also taking bookings for our brand new in-house course. It is a 90-minute course, fully incorporating the 2017 regulations and full of relevant examples of how firms are targeted. In-house training can be incredibly cost effective, with up to 100 people trained a day for £1250 plus VAT (and travel expenses).

Get in touch

If you need help with AML compliance or need compliance training, simply get in touch with one of our experts today.


The Data Protection Bill – What do I need to know?


The draft Data Protection Bill [HL] 2017-19 will get its second reading in the House of Commons today, Monday 5th March 2018, moving one step closer to receiving Royal Assent. In preparation for the second reading, the House of Commons issued a 60-page briefing paper which includes a summary of the Bill and the House of Lords debates[1].

In May 2018, as we all know, there will be some changes to the EU’s data protection framework – the General Data Protection Regulation (GDPR) will apply from 25th May and as it is a Regulation it does not need to be transposed into domestic law.  But prior to that, the Police and Criminal Justice Directive, also known as the Law Enforcement Directive (LED), needs to be transposed into UK law by 6 May.

GDPR

GDPR widens the scope of the previous Data Protection Directive (the EU legislation that underpinned the Data Protection Act 1998) to provide data subjects with greater protection for their personal data, and also extends data subject rights. The Regulation reduces the principles from 8 to 6, but introduces 8 data subject rights, some of which are a continuation of rights under previous legislation (like subject access requests) and some of which are new. Data controllers must be able to demonstrate compliance with all the principles (accountability), and there are new obligations for data processors.

LED

The LED will apply to both the cross-border and domestic processing of personal data for law enforcement purposes and repeals the previous 2008 Framework Decision. The Directive is designed to protect the personal data of individuals involved in criminal proceedings, whether they are witnesses, victims or suspects. In addition, it is anticipated that the LED will “facilitate a smoother exchange of information between Member States’ police and judicial authorities, thereby improving cooperation in the fight against terrorism and other serious crime in Europe.”[2]

An overview of the LED can be found here.

Council of Europe Convention on Processing Personal Data

The Council of Europe is not an EU institution and the UK will continue to be a member after Brexit.  The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No108) was the first binding instrument on data protection.  The UK ratified the Convention in August 1987 and it entered into force on 1 December 1987:

“[The Convention]…protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the trans frontier flow of personal data.”[3]

The Convention will be modernised and will reflect the same principles as GDPR.  A draft version is available online https://www.coe.int/en/web/data-protection

The Draft Bill

The draft Data Protection Bill (‘the Bill’) has a number of purposes:

  • It sets out how the UK would apply the derogations available under GDPR

  • It will bring the Law Enforcement Directive (LED) into UK law

  • It updates the laws governing personal data processing by the intelligence services

  • It aims to ensure that the UK would be able to freely exchange data with the EU post-Brexit

  • It will repeal the Data Protection Act 1998

The Bill was originally introduced into the House of Lords on 13th September 2017, but its passage has been slow due to a number of concerns around the age of consent for children to have access to information society services, immigration control and freedom of expression in journalism.

GDPR allows Member States a limited number of derogations, and following consultations in 2017, the Government confirmed it would exercise those derogations in the following areas:

  • The age of consent for children to access information society services

  • Processing criminal conviction and offence data

  • Automated individual decision-making

  • Freedom of expression in the media

  • Research

The Bill was introduced to the House of Lords on 13th September 2017 and following much debate it was introduced to the House of Commons on 18th January 2018.

The Department for Digital, Culture, Media and Sport (DCMS) factsheet provides a succinct summary of what the Bill will do.

The Bill is split into seven Parts and eighteen schedules:

  • Part 1: Bill overview and definition of key terms
  • Part 2: General data processing in line with GDPR and other general data processing in areas outside the scope of EU law
  • Part 3: LED and law enforcement processing
  • Part 4: National Security Processing through a modernised Council of Europe Convention
  • Part 5: Functions and Duties of the Information Commissioner – including requirement to publish codes of practice of data sharing, direct marketing, age appropriate design for online services likely to be accessed by children
  • Part 6: Enforcement regime and ICO Powers
  • Part 7: Various issues including regulation to be made under the Act, penalties for offences and the Act’s territorial application

The Briefing Paper also includes a summary of the House of Lords debates for those who are interested in reading more (http://researchbriefings.files.parliament.uk/documents/CBP-8214/CBP-8214.pdf); the full debate transcripts are available on the House of Lords website.

So, for those of you using the 80 days (including weekends and bank holidays) left to prepare for GDPR, what does this mean? Well, if you don’t carry out any national security or law enforcement processing then your GDPR preparations will stand you in good stead, although you may want to glance at the draft Bill, specifically the Parts dealing with the Information Commissioner and enforcement. If you do carry out national security or law enforcement processing, then you have probably already been preparing for the changes under the LED, but you will need to familiarise yourself with the Parts of the Act that are relevant to you. Everyone will need to monitor the Government’s Brexit negotiations: once we leave the EU the UK will be a ‘third country’, and there may be additional requirements to enable the transfer of personal data between the UK and EU member states.

Get in touch

If you need further advice, find out more about our Ask Teal service, or simply contact one of our helpful experts today.



[1] https://researchbriefings.parliament.uk/ResearchBriefing/Summary/CBP-8214#fullreport

[2] European Commission, Questions and Answers – Data protection reform packages, 24 May 2017 – http://europa.eu/rapid/press-release_MEMO-17-1441_en.htm

[3] https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108

The Data Protection Bill – What do I need to know? Read More »


AML – the size and nature test

Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires that a regulated firm implements internal controls appropriate to the size and nature of the firm.

These controls are:

  1. Appoint a person to be responsible for compliance with the regulations
  2. Screen relevant employees, both before the appointment is made and on an ongoing basis thereafter
  3. Establish an independent audit function

So, what should the ‘controls’ look like and what is the appropriate ‘size and nature’?

Controls

In my experience, in legal services we don’t have many controls in place. Our colleagues in other industries, such as financial services, have lots. A control exists to check the efficacy of a policy and procedure. By way of an example, I am betting your firm has a confidential waste policy: “you must not put client information or confidential data in the normal waste paper bin”. You will have a procedure which says “you must put confidential waste in the bin for confidential shredding”. Very few firms, however, have a control which says “we will check the waste paper bins weekly to ensure that no confidential data has been put in there”.

It’s great to have policies and procedures, but we usually only find out whether they are effective when something goes wrong, by which time it’s too late to avoid the damage that the policy and procedure were designed to prevent.

The Regulation 21 controls are designed to make sure that someone is tasked with ensuring the regulations are complied with, that people know how to comply with them, and that the firm checks they are working.

Size and Nature

Implementation of these controls depends on the size and nature of the firm. When we were drafting the guidance at the Money Laundering Task Force we grappled with how a firm decides on its size and nature. It’s not an easy thing to define. The Legal Sector Affinity Group decided on the following:

Factors you may consider when determining whether it is appropriate to apply those controls include:

  • The number of staff members your practice has

  • The number of offices your practice has and where they are located (including whether your practice has overseas offices)

  • Your client demographic

  • The nature and complexity of work your practice undertakes

  • The level of visibility and control that senior management has over client matters

(taken from the draft Legal Sector Affinity Group Guidance).

Sole practitioners who do not employ any staff are not caught by this by virtue of regulation 21(6).

In practice, I think firms will have appointed their COLP as the person responsible for compliance (which is arguably already their job by virtue of the SRA authorisation rules). I think firms will be obtaining references for new staff, at times carrying out more rigorous criminal-records-type checks, and will be thinking about testing staff understanding after training courses.

I think less straightforward is establishing whether a firm needs an independent audit function. My personal view (rather than that of the Law Society) is that a firm does not have to be very big in order to be required to do this. Take this example: a firm that has about 50 people across 2 offices, with all the staff collecting and recording their own due diligence, and lawyers making decisions about what sorts of inquiries to make regarding the purpose and nature of the transaction. Does the MLRO know that his policies are adhered to and are effective? If, hand on heart, he would say no, an audit would give him that visibility. The mischief the control is trying to get at is to ensure that the firm knows whether the policies, controls and procedures they have in place are working.

So if you decide you are of the size and nature to need an independent audit, who is going to do it? Do you have staff with the requisite knowledge and capacity to carry out the audit? Are they able to act independently? I think that resourcing alone would be a struggle for many of the smaller firms, and indeed a fair few of the larger firms, who might have an audit function but without the necessary experience in AML.

An audit should include a review of the policies and procedures, interviewing staff, and reviewing files and accounts processes to ensure that the policies and procedures are deployed correctly.

Help

With that in mind, we have put together a package of support for firms who can’t resource their audit internally. We can:

  • Review existing policies and procedures, including firm and matter risk assessments

  • Carry out an on-site review of systems, policies and procedures

  • Interview staff members to test understanding

  • Provide feedback of observations and recommendations for improvement

In addition, we can help:

  • Rectify policies and procedures

  • Develop controls to ensure constant visibility as to compliance

  • Provide tailored in-house training to all staff members to embed learning

  • Provide ongoing support and monitoring

Get in touch

If you are still unsure how the AML size and nature test applies to your firm, get in touch with one of our experts today.


What are your compliance goals?

At the start of 2018 most of us will have sat down and set personal new year resolutions. There are two questions I would ask:

  1. How many of those resolutions are you maintaining?

  2. Out of those resolutions, were any of them business focused?

Whether you are the decision maker in the firm or an employee, it is always good to have goals to focus on. Compliance underpins both the individual and firm-wide goals; without it you are almost certainly not going to succeed.

At the very least, whilst you may think you are succeeding without compliance, it will only take one complaint that leads to a negligence action, or one rogue fee earner, to bring the walls tumbling down. The foundation of any law firm is compliance: how good would it be to achieve all your goals and sleep at night without the worry of “what if”?

Even in the most compliant firms, partners will still at one time or another have that feeling of something going wrong, usually in the middle of the night. At Teal we are here to make sure that those 3.00am wake-up calls are few and far between.

Prevention is better than cure, and sometimes not knowing how to deal with something is far worse than the issue itself.

If you were building a house or a block of flats, you would not do so without the appropriate planning permission or foundations. Building a block of flats on the same foundations as a single- or double-storey house is a risk that we can all see.

You may not be able to see the risks in your own firm, which is where Teal can assist.  We know what to look for, how to deal with the warning signs and put systems in place.  We will set goals for you which we know you will be able to achieve.

Compliance is not about setting people up to fail; it’s about being realistic in training your staff, so they know what to look out for and question. It’s about being preventative and having the knowledge of what is truly happening in your firm, not turning a blind eye because that fee earner bills a higher amount. It’s about the culture and fit of the employees within your firm. It’s your integrity, ethics and your reputation.

So, if we were to look at your compliance goals – what would they be?

Get in touch

We can help you achieve your compliance goals through a range of services we have to offer. Simply get in touch with one of our experts today to find out more.
