Risk Management


What are matter based risk assessments?

Matter-based risk assessments were introduced in the 2017 Money Laundering Regulations (MLR). Fundamentally, the idea is you’re supposed to look at the client and matter, and decide how risky it is for money laundering or terrorist financing. You can then decide on the amount of client due diligence (CDD) you need to do. This is what the matter-based risk assessments are for.

There has been some high-level feedback on the struggles that lawyers are having with the introduction, given that they were all doing CDD before. Firms already had processes and procedures in place which didn’t include this step, and it’s been difficult to try and include it. Nevertheless, this is now the law.

By now, you’ll no doubt have a new process in place that includes matter-based risk assessments. This article will help you determine whether that new process is compliant and is going to work.

What does the law say about matter-based risk assessments?

The matter-based risk assessments regulation sits at Regulation 28(12)(a) of the MLR. It states:

“The ways in which a person complies with the requirements to take CDD measures must reflect:

  • The firm’s risk assessment
  • Its assessment of the level of risk arising in any particular case”

The first thing you should be aware of when you look at this is that it was primarily written for banks. When banks talk about commencing a business relationship, that means someone opening a bank account. Once someone has an account, they can make what constitute regulated transactions whenever they want through that account.

In the legal sector, this is slightly different. People can’t do transactions using lawyers without them knowing about it. So, the approach taken by banks would be to do a client-based risk assessment when an account is first opened, take the information they have, and set up something called ‘transaction monitoring’. Transaction monitoring is where they would use software to monitor certain behaviours and when something looks odd, this would trigger an alert of possible fraud and may block the account.

When the Regulation talks about ‘the level of risk arising in any particular case’, it’s talking about the account, one facet of the business relationship. For lawyers, although it doesn’t actually use the word ‘matters’, it means matters.

CDD is a matter-based activity, and the ‘CDD measures’ mentioned in the Regulation come in five parts:

  1. Matter risk assessment
  2. Identify the client
  3. Verify the client
  4. Purpose and nature checks (this is where the source of funds and source of wealth lives)
  5. Ongoing monitoring

So, to complete your CDD measures, you need to make sure that you’re approaching your purpose and nature checks on a matter-by-matter basis. You can return to the same client risk assessment, but you also have to add the particular factors of each matter, if there are any, into the risk assessment.

What does the SRA say about matter-based risk assessments?

The SRA did some work reviewing a number of files in 2019/2020. From that, they commented on the Regulation involving matter-based risk assessments, which included:

  • 29% of the files didn’t have a written matter risk assessment: Although the Regulation doesn’t specifically say it has to be written down, it’s clear that the Regulators are looking to see a written record.
  • There was no conclusion following the risk assessment: This is something we see quite a lot, although it’s unclear why.
  • Conflict with the firm’s risk assessment: Remember, it states in the Regulation that it must reflect ‘the firm’s risk assessment’. Therefore, if your firm’s risk assessment states that a particular department is high-risk, and you determine that a matter for that department is low-risk, it’s not consistent and they’ll pick up on this.
  • Assumption the E-ID system did it for them: There are systems that incorporate this as part of the process, but one of the things that the regulator is aware of is the over-reliance on technology.

The SRA expects fee earners to know how to do matter-based risk assessments properly, and those assessments must reflect the firm’s risk assessment, as there shouldn’t be a conflict between the two documents.

Which parts of matter-based risk assessments are causing lawyers to struggle?

One of the biggest issues we’ve seen is many lawyers are not sure of the purpose of completing a matter-based risk assessment. Although we’ve found that many law firms do have policies in place confirming that matter-based risk assessments are mandatory, there are still blank and incomplete forms on the files.

There are instances when risk assessments have been completed at the start of the matter. However, as further information is gathered, such as the source of funds and source of wealth, or further CDD, the risk assessments aren’t revisited and updated.

Another issue we’ve come across relates to risk assessments being completed to an extent, and the risks are rated low, medium, or high. However, there’s no narrative behind the risk rating, so it’s impossible to see how they’ve come to this conclusion.

Overall, many lawyers do carry out risk assessments, but the information they’ve gathered is all in their heads; in many cases nothing is written down, and writing it down is essential.

Carrying out risk assessments correctly is extremely important, because if the SRA carries out an audit on your files, they need to see that you’ve actually considered the risks, recognised any red flags, and identified what level of due diligence should be done for that client.

Considering practice or firm-wide risk assessments

There can’t be a conflict between your matter-based risk assessment and your practice or firm-wide risk assessment. It’s therefore important that you get your firm’s risk assessment right.

Your practice or firm-wide risk assessment needs to reflect the National Risk Assessment. This has the following as high-risk:

  • Trust and company service provision: Creation of trust, creation of companies, company secretarial work, and trust administration work are considered high-risk
  • Conveyancing: Both residential conveyancing and commercial property are considered high-risk
  • Misuse of client account: Anything going through the client account is considered high-risk
  • Sham litigation: Although generally litigation is low-risk, sham litigation is an arrangement that’s considered high-risk

As well as reflecting the National Risk Assessment, your firm risk assessment also has to reflect the Regulator Sectoral Risk Assessment.

Considering client risk

The Regulation itself gives you an indication of what the high-risk sectors are, such as oil, arms, precious metals, tobacco products, cultural artefacts and ivory. If a client operates in one of these sectors, they would be considered a high-risk client.

Clients who operate in cash-intensive businesses are also high-risk. These include businesses such as nail bars, car washes, barbers, fast food, and any business where people would legitimately pay in cash. Baddies often open businesses like these to launder their dirty money alongside the legitimate cash the business earns.

Politically exposed people (PEPs) are also considered high-risk. The law doesn’t give you much wriggle room in this area. If a client is a politically exposed person and does a certain job, this is high-risk.

The Financial Action Task Force (FATF) issues a list of jurisdictions where there’s particular concern about their ability to handle anti-money laundering. This is the high-risk third countries list. As FATF can’t take at face value that money from those jurisdictions is genuine, everyone dealing with that money has to check. This is why enhanced due diligence is required for high-risk third countries.

Considering matter risk

There has been a recent change in the MLR relating to matter risk. Regulation 19(4)(a)(i)(aa) did state:

“a transaction is complex or unusually large, and there is an unusual pattern of transactions, and…”

This has now changed to:

“a transaction is complex or unusually large, or there is an unusual pattern of transactions, or…”

You’ll note that the word ‘and’ has changed to ‘or’. When the word ‘and’ was included, it suggested that a combination of factors was needed before the provision was triggered. However, this is not the case.

We’ve noticed that many firms still have the word ‘and’ in their policies, and therefore their matter risk assessment process looks for a combination of factors rather than any individual one. So, when lawyers are doing a matter risk assessment on a transaction that is complex, unusually large, part of an unusual pattern of transactions, or has no economic or legal purpose, each of these factors needs to be a trigger on its own.

So, make sure you check your policies and make any necessary changes.

What does LSAG say about matter-based risk assessments?

Each regulator used to publish their own guidance. However, in 2017 the regulators got together and formed the Legal Sector Affinity Group (LSAG). LSAG then produced one set of guidance, the LSAG guidance, to be used across the sector.

The LSAG guidance confirms that matter-based risk assessments should not be a tick-box exercise but suggests you follow the below criteria:

  • Talks about risk ratings
  • Can have a template for similar cases, but it must not become a tick-box exercise
  • Should assess and have regard to negative news results
  • Suggests reviewing matter-based risk assessments on long-running matters – however, it doesn’t say how regularly that should happen
  • Focus on recording reasoning for assessment
  • Record why you’ve picked the CDD approach

When should you revisit matter-based risk assessments?

We know that there are things you simply can’t answer at the beginning of a case when completing a matter-based risk assessment. That’s why the matter-based risk assessment should be for the life of the file and not just a file-opening exercise.

Therefore, you need to consider all the stages where a matter-based risk assessment is needed. There are three particular stages when we believe this needs to be considered.

  1. When you’ve had an initial conversation with the client. You’ll have as much information as possible and are deciding whether there are any factors from the conversation that are causes for concern. This will determine what level of CDD you should do.
  2. When you’re undertaking CDD. Once you’ve received the documents from the client to undertake CDD, what you receive will either change your initial risk assessment or back it up. In reality, it’s only at this stage that you can do a proper risk assessment as you’ll now have all the CDD information.
  3. Before you potentially launder money. The last point in which to undertake a risk assessment is just before you do anything which could be laundering money. You should stop, revisit your risk assessment and update it before you potentially launder money.

It’s extremely important that you write everything down on your file. If it’s not written down, how are you going to prove that you’ve done it if something goes wrong? Regulators need to see that you’ve covered everything.

What help can be given to lawyers on matter-based risk assessments?

One way of ensuring lawyers complete a risk assessment in the first place is to make it mandatory in order for the file to be opened. However, although this helps ensure they complete one initially, they may only partially complete it or may not revisit and update it at key points of the case. We therefore suggest a three-step approach.

  1. Training: Training is key. Lawyers need to understand the importance of risk assessments, and ensuring they receive good quality training can help significantly to drive that point home.
  2. File Reviews: A good way for firms to determine how lawyers are doing with their matter-based risk assessments is through file reviews. You’ll have a chance to discuss any specific issues and identify if there are specific departments that are struggling. This will allow you to revisit the training with them when it’s needed.
  3. Firm-wide risk assessment: If you’ve not already shared your firm-wide risk assessment, this may help. Lawyers will be able to see your thought process towards risk in different departments, and this will help them when completing their matter-based risk assessments.

Following this approach should help lawyers complete their matter-based risk assessments moving forward.

Get in touch

If you need any assistance with policy drafting and reviews, AML audits, or training, simply contact us and one of our experts will be in touch.

Managing Risk and Learning from Mistakes

As legal professionals, it is crucial to manage the risks we face daily and learn from our mistakes. The common goal of most professionals is to prevent messes in the first place. Building Compliance That Works is fundamental to being able to demonstrate resilience and self-reflection on internal policies and procedures.

In the legal sector, professional indemnity insurance premiums have seen a significant increase, with some firms experiencing a minimum increase of 20% in their annual premiums. To combat or limit the increase, it is essential to prepare early, not treat it as a tick-box exercise, use a specialist broker, demonstrate that the taint has been removed, put the work and time into the process, demonstrate your firm’s value on the proposal form, and have a standalone document.

We all have problems, things which haven’t gone to plan, so how do we explain them?

If a problem is identified, Root Cause Analysis should be conducted for each instance. The purpose of this is not to blame a person but to investigate the different factors that enabled the incident to occur. In doing so, effective changes and prevention can be implemented to limit recurrence.

It is essential not merely to scratch the surface but to dig down below it to find the root cause. If the root cause is missed, the incident is likely to occur again, increasing the risk exposure. Human error is never the ultimate root cause, and firms or individuals should not feel ashamed of near misses. Instead, they should feel confident and empowered to share these experiences with others.

We worry people will fear it is a witch hunt if we dig too much into the issue.

Creating a positive environment to have these chats and building a safe environment where staff are confident that they will not be judged or penalised for asking for help or alerting a person to an underlying issue is crucial. Ensuring that the culture is embedded throughout the firm sets the right undertones for all staff, regardless of level or position.

Risk is present throughout firms at all levels, and risks may change, but they are still there. Consider reporting lines or lines of support, whether internal or external. In most firms, the line manager automatically handles reporting, which can make people bury their heads and not speak out for fear of repercussions, insecurity, stress, and compromised decisions.

It’s important we face these causes, because if we don’t, people suffer. In many parts of the legal sector (for example conveyancing in 2022), there can be real risks that are exacerbated by several factors outside the staff member’s control and, in some instances, the firm’s. Even if those risks do not transpire into meritorious claims, it is inevitable that there will be claims and complaints arising out of them, which will have a considerable impact on staff and firms.

Everyone, at one time or another, will make mistakes within their careers, and it is how we deal with them that helps shape our careers and the firms we work within.

How can we mitigate the consequences of issues arising?

Make it easier to find out what actually went on – Recording file notes is essential, documenting what is done at each stage, what has been found, what the client has been informed of, when they were informed, and by what means, and why the matter cannot proceed further.

Supervise properly – In the remote world we currently operate within, identifying signs in others is crucial. If you are a supervisor, think about how to monitor, motivate, and supervise daily. Remote working adds another layer of complexity, making identifying a gut feeling a lot harder. Make a conscious effort not to focus solely on the work and be visible and personable, building trust and relationships.

Use your data – Data collection and analysis can help fill gaps and identify where and who requires support. Data that could be considered includes low WIP or, alternatively, high WIP, money held on the file, inactive client records, average case length, non-billing for a period, what happens when the file gets to 75% of the fee estimate, and retainer profitability and written-off time.

Taking action if you think there might be a problem – doing more file reviews, and stacking the odds in your favour is invaluable regarding risk exposure and learning. Get curious, ask why, and continue learning about your team and how they operate.

Mindful policies

“Failure to close the photocopier lid is a disciplinary offence.” “No more than 1 person in the kitchen at any one time.” “The toilet roll is kept in the managing partners office and must be returned after use.”

This morning I was looking at a post on LinkedIn which generated a lot of comments and interest. The post is about a mobile phone policy which a content marketing business has felt it needed to implement, apparently written, according to the managing director, by the younger staff, and not by management.

Here is the policy.

Now, reading the comments, some suggest that this is a clever piece of content marketing to demonstrate the business’s ability to get engagement, but whether it is or not, I’ve seen that policy before, often, in law firms.

The policies in the opening paragraph of this blog are not made up for clickbait. They are policies which were in place in the first law firm I worked in. Now we’re talking 22 years ago, but just last year someone sent me a picture of a sign on the back of a bathroom door (which clients can use) which said in red capitals – DO NOT LEAVE THIS TOILET WITHOUT CHECKING IT HAS FLUSHED PROPERLY. IF NECESSARY, FLUSH AGAIN.

I find myself reflecting on what is happening in these businesses to motivate people to write such things, what are their frustrations, concerns, worries? Worries about productivity, wasted costs, cleanliness, and in respect of the mobile phone policy, possibly security. These are absolutely legitimate issues which need to be addressed, but I would suggest that sometimes the ways these policies are written is counterproductive.

Whilst the policy or notice itself may have the desired effect (we never left the photocopier lid up, for example), what does this do for morale and culture? Now this isn’t my area; I know people much better placed to talk about culture, but I do know about policies, and I would urge anyone writing them to think about the unintended consequences. Whenever we introduce controls, unless people properly understand the rationale, there is a risk they won’t comply: that they’ll dismiss the control and work around it.

Also consider how the policy might be interpreted. Avoid writing them when you’re frustrated! In one of the comments, the MD of the company with the mobile policy was asked whether it applied to him, and he said he needed his mobile phone on the desk and that he could “restrain himself” from getting drawn into social interaction during the day.

I recently caught a Simon Sinek (who I love!) video about how allowing our children access to mobile phones is damaging them and ultimately causing a problem for managers in the workplace, as people are addicted to them. I don’t disagree with him, but dismissing this as “they can’t restrain themselves, so I am going to threaten them with a ban” doesn’t seem to me to be the best way of tackling this.

Communication, explaining the impact, understanding why it is an issue, and arriving at a negotiated solution is going to be much better than issuing policies which can alienate people, breed resentment, and cause exactly the lack of productivity you were afraid of in the first place.

Be mindful when writing your policies: leave aside for a moment what your intention is, and put yourself in the mind of the reader. Am I saying what I mean? Will they understand why we need it to be this way? Will they feel talked down to by the language? The more engaged the reader is, the more likely they are to comply.

Latest Cybercrime risks to the legal sector and how to manage them


A recent report produced by the National Cyber Security Centre (NCSC) highlights the need for even the smallest firms to undertake a cyber threat risk assessment and implement effective controls. The report cites a 2017 PricewaterhouseCoopers law firm survey, in which 60% of law firms reported an information security incident in the last year, up from 42% in 2014. The report also cites SRA reports that over £11 million of client money was stolen due to cyber-related crime in 2016.

The report ‘Cyber threat to the UK Legal Sector’ sets out, through case studies, the latest cyber security threats that are of particular relevance to the legal sector. The report also identifies practical steps firms can take to reduce the likelihood of them falling victim to such threats.

The report is the work of the NCSC and its sponsored Industry 100 scheme, with input from the Law Society, the SRA, Action Fraud and the National Crime Agency (NCA). The mission of the team is to increase the resilience of UK law firms who are particularly vulnerable to this type of threat as a result of the sensitive client information and significant funds they hold. These risks can disproportionately impact smaller firms who may have a small number of staff but may still be processing large volumes of data or handling significant client funds.

While firms may have taken action to secure personal information as a result of the General Data Protection Regulation (GDPR), this report identifies cyber security as a wider issue impacting commercially sensitive information, supply chain risks and financial controls that could make firms vulnerable to fraud and bribery. The four key current risks identified in the report are:

  • Phishing attacks, where attackers influence users into disclosing information or clicking a malicious link, which compromises the payment of invoices and money transfers;

  • Accidental and deliberate data breaches as a result of insiders such as disgruntled employees looking to gain financially or ‘get back at a firm’ for perceived grievances;

  • Ransomware – a type of malware that prevents firms from accessing files or data on their computer or network until a ransom has been paid to fraudsters; and

  • Third party suppliers failing to adequately secure their systems that hold your firm’s sensitive data or money transfer arrangements leading to loss of data or money. State actors can also target a law firm in order to gain access to corporate clients and their information.

The report also raises concerns that the increased use of online delivery methods, outsourcing of services, blockchain and artificial intelligence will increase the risks going forward. As Christina Blacklaws, President of The Law Society, states:

“As data controllers, law firms handle significant volumes of confidential and sensitive information and client monies as part of their daily work. In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact.”

As well as understanding and assessing the risks, firms need to consider the adequacy of their existing controls and then strengthen them where necessary. The report identifies a number of simple key controls for firms to consider including:

  • Implementing processes to verify (via independent means) invoices and account details for money transfers;

  • Using ‘cooling off’ periods for changing account details for high value transactions;

  • Encouraging a culture where suspicious transactions are queried;

  • Educating clients about your firm’s invoice and money transfer processes to help them avoid falling victim to a phishing attack;

  • Monitoring user access of systems;

  • Keeping software, and especially operating system (OS), up to date;

  • Controlling what software and applications you choose to allow into your firm; and

  • Verifying that third party suppliers, particularly those that hold your firm’s sensitive data, have basic cyber security controls in place.

All of the above controls are relatively cost effective for any firm but other controls may be disproportionate for smaller firms. To this end the NCSC’s ‘Small Business Guide’ offers simple practical technical tips for smaller firms. The NCSC also points firms to the government-backed ‘Cyber Essentials’ scheme. As well as providing simple but effective controls, certification under the scheme demonstrates a firm’s commitment to cyber security which can provide a competitive advantage.

UK-based law firms can also access cyber security expertise by signing up to the Cyber Security Information Sharing Partnership (CiSP), a joint industry and government initiative. There is a private CiSP group tailored to law firms which is free to join. Full details on the membership benefits and joining instructions can be found here: https://www.ncsc.gov.uk/cisp. The NCSC or the Law Society can sponsor your organisation, as appropriate.

The NCSC report also recommends the NCSC ‘10 Steps to Cyber Security’, a guide to help board members and auditors ask the right questions about cyber security.

As with most frauds, these losses occur not because of the absence of controls but because the controls in place are not applied consistently. According to the latest KPMG ‘Global Profile of a Fraudster’ report, weak internal controls were a factor in 61% of frauds.

A firm’s assessment should therefore also consider, at a high level, how likely it is that controls are adequately performed in each business area. Control systems should be reviewed at regular intervals to ensure that they remain current, relevant and appropriate to the needs of your firm. Risk models have to be regularly revisited and reconsidered in order to have assurance that the risk profile continues to be valid, and in particular after:

  • restructuring,

  • downsizing,

  • changes in business processes,

  • when major new policies are being developed, changed or implemented differently,

  • following identification of weaknesses,

  • the introduction of new computer systems, and

  • after an incident of fraud.

Firms wishing to obtain further information about conducting a risk assessment, raising awareness amongst staff or auditing the adequacy of their existing controls can contact us at hello@tealcompliance.com to find out more. An initial call is always free.

Technology for compliance


At the recent Teal Annual Conference, I spoke to the delegates about Technology in Compliance. I’d like to pose some of the questions we talked about during the session. How would your firm answer?

  1. How do your current systems and processes work for you?

  2. As a firm, are you all working on the same system or is it a mix?

  3. Are you confident that all your employees are using the same versions of documents such as your Client care letters and Terms of Business?

  4. How often do you review your systems and processes?

The answers to the above questions are fairly self-explanatory when it comes to assessing how effectively a firm is using technology to support its compliance function.

There are common themes for the majority of firms I meet. Firstly, there are still many firms that do not have a case management system (actually there are a lot) and who operate with an “S drive” where everyone can access and save documents. Secondly, there are those that have a mixture of different systems, and different levels of take-up of those systems depending on the department. There are of course some firms that use their CMS to the best of their advantage. This takes a significant amount of work, but the firms that make the effort reap the rewards. Personally, I would like to see compliance embedded into the IT systems and processes within all firms.

By investing in people, processes and systems it allows compliance to become second nature, providing an additional layer to internal risk management, and an audit trail if something were to happen.

In addition, it can also help increase profitability – so what is there not to like?

With so many different systems on the market, if you do not have a system, or are looking to change, how do you choose the right one for your firm? Here are some pointers:

  1. Select the project team in-house – have a mix of staff covering support staff, fee earners, IT, management. You need to have a complete overview from all perspectives. Also ensure you include different disciplines, as each will have their own requirements.

  2. Scope the list of features you must have, should have and would like to have. A project cannot always be completed in one hit, and taking a phased implementation approach is often more successful.

  3. Do your research into providers or bring in an independent consultant who can assist. It is not a case of one size fits all.

  4. Know your budget – there is a vast difference between “out the box” and custom built.

  5. Shortlist the systems that you consider will assist you in your business and arrange a beauty parade.

  6. Have a selection of staff at demonstrations.

  7. Take your time to work through the pros and cons.

  8. Consider the change management that will be needed within the firm to implement the new system.

As a starter for ten, here are some of the features which you should consider embedding into your systems:

I am strongly of the view that we can effectively use technology within our compliance systems to minimise the risks involved in running a law firm. Why make things more difficult for yourselves, your firm, your staff, and your clients than they need to be!

Teal Compliance regularly advises law firms with reviews of their IT system requirements. If we can help your firm, we are always happy to have a free initial chat. Contact us at hello@tealcompliance.com

What’s your goal?


At the start of 2018 most of us will have sat down and set personal new year resolutions. There are two questions I would ask:

  1. How many of those resolutions are you maintaining?

  2. Out of those resolutions, were any of them business focused?

Whether you are the decision maker in the firm or an employee, it is always good to have goals to focus on. Compliance underpins both individual and firm-wide goals; without it you are almost certainly not going to succeed.

At the very least, whilst you may think you are succeeding without compliance, it will only take one complaint that leads to a negligence action, or one rogue fee earner, to bring the walls tumbling down. The foundation of any law firm is compliance – how good would it be to achieve all your goals and sleep at night without the worry of “what if”?

Even in the most compliant firms, partners will still at one time or another have that feeling of something going wrong, usually in the middle of the night. At Teal we are here to make sure that those 3.00am wake up calls are few and far between.

Prevention is better than cure and sometimes the not knowing how to deal with something is far worse than the issue itself.

If you were building a house or a block of flats, you would not do so without the appropriate planning permission or foundations. Building a block of flats on the same foundations as a single or double storey house is a risk that we can all see.

You may not be able to see the risks in your own firm, which is where Teal can assist. We know what to look for, how to deal with the warning signs and put systems in place. We will set goals for you which we know you will be able to achieve.

Compliance is not about setting people up to fail, it’s about being realistic in training your staff, so they know what to look out for and question. It’s about being preventative and having the knowledge of what is truly happening in your firm. Not turning a blind eye because that fee earner bills a higher amount. It’s about the culture and fit of the employees within your firm. It’s your integrity, ethics and your reputation.

So, if we were to look at your goals – what would they be?