Risk Management


Why we built the Teal Tracker compliance technology

The Teal Tracker compliance technology platform is the solution for all law firms’ compliance needs. Here, we explain why we built the Teal Tracker, and how it’s benefiting law firms. 

What is the purpose of the Teal Tracker?

The Teal Tracker compliance technology has two core purposes.

1. Keeping track of all your records

The Teal Tracker’s first core purpose is to make the activity of collating law firm compliance information easier.

Firms know when there are issues, and there’s usually a procedure for notifying someone. However, it’s often done via email, or by filling in a form and then emailing it to someone. This is how control can be lost and it becomes just another email stuck in someone’s inbox. This makes such records extremely hard to demonstrate to a regulator.

Examples might be a list of complaints, where somebody then has to sit down for hours, scrolling through emails and trying to find the relevant ones.

In practice, and in reality, there are still examples of printing off documents and putting them in paper files. However, this is inefficient, lacks security and could compromise confidentiality.

So, this is the primary reason the Teal Tracker was built.

2. Analysing the data to help you make informed decisions

The second core reason we built the Teal Tracker compliance technology is because there’s a lot of beneficial information contained within the data that you collect as a result of breaches, file reviews or training records. This data holds the answers to enable you to start to identify when there are problems with a particular person, or a particular area within the firm.

Because the data is fragmented, normally across the firm in emails, folders or on bits of paper, it usually can’t be analysed. As a result, firms don’t really have a good handle on whether their compliance is working or not.

The Teal Tracker is the solution. Once the data is collected in the Teal Tracker, it can then start to analyse and report on it. This will enable you to identify issues and let you know where the areas of focus need to be.

For example, if there’s a spike in complaints as a result of somebody not getting back to people, that may be a capacity issue. Through the Teal Tracker, we can let you know that a particular department appears to be quite busy, needs more people, or needs less work.

With the methods law firms currently use, this can be guesswork to a degree. The Teal Tracker provides evidence for these things, so that you can make informed decisions.

How do law firms benefit from the Teal Tracker?

Law firms can benefit from the Teal Tracker in a number of ways. However, here are the top 5 benefits of the Teal Tracker:

1. Collecting all information in one place, without duplication

First of all, the activity of collecting information from the business in relation to their compliance can be streamlined. A really simple example of that is what we collect through our ‘Incident Management’ module, called ‘what’s happened?’.

The ‘what’s happened’ form is what you’d usually call an ‘incident reporting form’. We’ve named it ‘what’s happened’ on purpose, to engage people, so that they use it more freely. 

We’re curious about why things are happening and encourage everyone in the business to use it for anything they see that’s not going to plan, without any inherent blame attached. In the ‘what’s happened?’ form, you select the category of what’s happened, for example, a complaint, a potential claim, a breach, or a near miss. It then automatically populates a register. If you’re currently collecting that information by email from people within your firm, you’ll have to copy it onto a register. 

2. Easy access to reports and analytics

Once that information is properly captured within the Teal Tracker, it can start to analyse the data and reflect it back to you. On the first page of the Teal Tracker, you’ll find the ‘heat map’. The heat map is designed so that you have access to instant and continuous visibility of the situation. You’ll instantly be able to recognise if you have any emerging issues that you need to start dealing with, and you can run various reports which you can also tailor.

The reports will show up on your desktop enabling you to know what to prioritise, as we understand that budgets and compliance resources are always really tight.

3. Helps prioritise your budget

Firms spend a lot of money on compliance interventions. If you’re looking for solutions, training, writing a new policy or rolling out a new procedure, you might not feel confident that it’s actually working. The Teal Tracker solves this problem.

It shows you what is and what isn’t working, both systemically and individually. As the Teal Tracker is reflecting back into the business, you can then make informed decisions as to where to put your money to derive the highest impact and benefit, reduce the highest risks, and affect your highest priorities.

4. Protecting sensitive compliance information

When we collect compliance information, it’s sensitive by its very nature. You need to ensure access rights are robust, as it could be training records, training plans, staff development needs, suspicious circumstances, or reports that the business is surfacing. You need to control who has access to that information and where it sits.

If a suspicious circumstances report is sent via a paper form or an email to the MLRO, it can end up sitting in an inbox or being filed on the client file. This means other staff may have access to it.

If a suspicious circumstances report is submitted, it’s likely that you’ll stop working on that file for a period of time. If the client gets frustrated and makes a complaint, there are a number of potentially serious consequences that can occur if the report is on the client file.

For example, if you’ve made a report out to the police, the tipping off events under the Proceeds of Crime Act could kick in. If the client calls to ask why is nobody ringing them back, and one of your staff sees on the file that you’re waiting to hear from the National Crime Agency, they could accidentally reveal this to the client. This is something that’s so easily done in innocence. 

When building the Teal Tracker, we thought about how we can give firms a safe place to put that information, where they can limit and control who can see it, and prevent it from accidentally being filed anywhere it shouldn’t.

5. Access to a wealth of compliance training

If you choose the Teal Tracker compliance technology for your law firm, you’ll also have access to Teal College.

Teal College has a vast amount of training courses in AML, GDPR and Regulatory Compliance in addition to Teal TV, which hosts webinars and videos to help your law firm stay compliant and protected. 

Get in touch

The Teal Tracker is here to revolutionise the way compliance works in law firms, keeping you, your firm and your clients safe. For more information or to book a demo, simply get in touch with our experts today.


Launch of our brand new compliance training technology, Teal College

At Teal, we’re thrilled to launch our brand new compliance training technology, Teal College! Find out what Teal College is, and how it can benefit your law firm. 

What is Teal College?

Teal College is home to all the compliance training courses that we write and deliver.  

From new starter training and staff needing to update their knowledge, to specialist training for those wishing to become a compliance officer, there’s a full curriculum for everyone in a compliance year to get the training they need. 

Teal College is available for anyone with the Teal Tracker, or can be subscribed to as a stand-alone product. 

What compliance disciplines does Teal College cover?

Teal College is home for all of our compliance courses, which are split into three disciplines: 

  1. AML Compliance
  2. Regulatory Compliance 
  3. Data Protection Compliance

You’ll never need to worry about staff falling behind in these areas with our courses, as you’ll have all the training you need at your fingertips. 

What other courses are available on Teal College?

Teal College doesn’t just have training courses in the three compliance disciplines. Users of Teal College can access learning on a wide variety of subjects: not just compliance, but also other risk management tools, services, theories and practices.

What is Teal TV?

Teal College is also the home of Teal TV. Teal TV provides a wide range of education videos on areas such as AML, regulatory compliance, data protection and risk management. These are all contained in one place on Teal TV, so your staff have easy access all year round. 

We also have guests on Teal TV, talking about related subjects that we think are going to be interesting for law firms.

Who are the courses in Teal College for?

Teal College has courses available for everyone, so you can rest assured that each person in your business is up-to-date on their compliance responsibilities. These include:

1. Courses to update all staff

Teal College is home to a range of courses for all staff, to ensure they’re fully up-to-date with regulations and are fully compliant. 

2. Courses for new starters

We’ve made the onboarding process for new starters as easy as possible when it comes to training, and provide essential courses for all of your new starters. 

3. Courses for specialist roles

Teal College also keeps your compliance specialists up-to-date, such as compliance officers, MLROs, MLCOs, etc. We even provide training courses for staff who want to become compliance officers.

How can you access Teal College?

Teal College is accessed via the Teal Tracker. However, you don’t have to subscribe to Teal Tracker to benefit from Teal College. 

That being said, if you do subscribe to the Teal Tracker, the two work together seamlessly. 

The unique courses delivered on Teal College have interactive test functions to ensure the training has hit home. Passing the tests will automatically update the training records of the staff who’ve undertaken them.

You’ll have total control over who takes what course and when, and this all syncs perfectly with the Training Needs Questionnaire, Individual Training Plan and Records on the Teal Tracker.

Are Teal College Courses up-to-date?

There’s no need to worry that Teal College courses are out-of-date. We’re continuing to develop new courses all the time, and refresh existing courses whenever the landscape requires us to. This means your staff will always have the most up-to-date training available.

Get in touch

Teal College is here to revolutionise the way compliance training works in law firms, keeping everyone up-to-date and compliance safe. For more information or to book a demo, simply get in touch with our experts today.


What are matter-based risk assessments?

Matter-based risk assessments were introduced in the 2017 Money Laundering Regulations (MLR). Fundamentally, the idea is you’re supposed to look at the client and matter, and decide how risky it is for money laundering or terrorist financing. You can then decide on the amount of client due diligence (CDD) you need to do. This is what the matter-based risk assessments are for.

There has been some high-level feedback on the struggles that lawyers are having with the introduction, given that they were all doing CDD before. Firms already had processes and procedures in place which didn’t include this step, and it’s been difficult to try and include it. Nevertheless, this is now the law.

By now, you’ll no doubt have a new process in place that includes matter-based risk assessments. However, this article will help you determine whether your new process is compliant and is going to work.

What does the law say about matter-based risk assessments?

The matter-based risk assessments regulation sits at Regulation 28(12)(a) of the MLR. It states:

“The ways in which a person complies with the requirements to take CDD measures must reflect:

  • The firm’s risk assessment
  • Its assessment of the level of risk arising in any particular case”

The first thing you should be aware of when you look at this is that it was primarily written for banks. When banks talk about commencing a business relationship, that means someone opening a bank account. When someone has an account, they can make what constitute regulated transactions whenever they want through their bank account.

In the legal sector, this is slightly different. People can’t do transactions using lawyers without them knowing about it. So, the approach taken by banks would be to do a client-based risk assessment when an account is first opened, take the information they have, and set up something called ‘transaction monitoring’. Transaction monitoring is where they would use software to monitor certain behaviours and when something looks odd, this would trigger an alert of possible fraud and may block the account.

When the Regulation talks about ‘the level of risk arising in any particular case’, it’s talking about an account facet of the business relationship. For lawyers, although it doesn’t actually say the word ‘matters’ it means matters.

CDD is a matter-based activity, and the ‘CDD measures’ mentioned in the Regulation come in five parts:

  1. Matter risk assessment
  2. Identify the client
  3. Verify the client
  4. Purpose and nature checks (this is where the source of funds and source of wealth lives)
  5. Ongoing monitoring

So, to complete your CDD measures, you need to make sure that you’re approaching your purpose and nature checks on a matter-by-matter basis. You can return to the same client risk assessment, but you also have to add the particular factors of each matter, if there are any, into the risk assessment.

What does the SRA say about matter-based risk assessments?

The SRA did some work reviewing a number of files in 2019/2020. From that, they commented on the Regulation involving matter-based risk assessments, which included:


  • 29% of the files didn’t have a written matter risk assessment: Although the Regulation doesn’t specifically say it has to be written down, it’s clear that the Regulators are looking to see a written record.
  • There was no conclusion following the risk assessment: This is something we see quite a lot, although it’s unclear why this is the case.
  • Conflict with the firm’s risk assessment: Remember, it states in the Regulation that it must reflect ‘the firm’s risk assessment’. Therefore, if your firm’s risk assessment states that a particular department is high-risk, and you determine that a matter for that department is low-risk, it’s not consistent and they’ll pick up on this.
  • Assumption the E-ID system did it for them: There are systems that incorporate this as part of the process, but one of the things that the regulator is aware of is the over-reliance on technology.

The SRA has expectations that fee earners should know how to do matter-based risk assessments properly and they must reflect the firm’s risk assessment, as there shouldn’t be a conflict between the two documents.


What part of matter-based risk assessments are causing lawyers to struggle?

One of the biggest issues we’ve seen is many lawyers are not sure of the purpose of completing a matter-based risk assessment. Although we’ve found that many law firms do have policies in place confirming that matter-based risk assessments are mandatory, there are still blank and incomplete forms on the files.

There are instances when risk assessments have been completed at the start of the matter. However, as further information is gathered, such as the source of funds and source of wealth, or further CDD, the risk assessments aren’t revisited and updated.

Another issue we’ve come across relates to risk assessments being completed to an extent, and the risks are rated low, medium, or high. However, there’s no narrative behind the risk rating, so it’s impossible to see how they’ve come to this conclusion.

Overall, many lawyers tend to carry out risk assessments, but the information they’ve gathered is all in their heads, and in many cases, there’s a failure to write anything down, and this is essential.

Carrying out risk assessments correctly is extremely important because, if the SRA carry out an audit on your files, they need to see that you’ve actually considered the risks, recognised any red flags, and identified what level of due diligence should be done for that client.


Considering practice or firm-wide risk assessments

There can’t be a conflict between your matter-based risk assessment and your practice or firm-wide risk assessment. It’s therefore important that you get your firm’s risk assessment right.

Your practice or firm-wide risk assessment needs to reflect the National Risk Assessment. This has the following as high-risk:

  • Trust and company service provision: Creation of trust, creation of companies, company secretarial work, and trust administration work are considered high-risk
  • Conveyancing: Both residential conveyancing and commercial property are considered high-risk
  • Misuse of client account: Anything going through the client account is considered high-risk
  • Sham litigation: Although generally litigation is low-risk, sham litigation is an arrangement that’s considered high-risk

As well as reflecting the National Risk Assessment, your firm risk assessment also has to reflect the Regulator Sectoral Risk Assessment.

Considering client risk

The Regulation itself gives you an indication of what high-risk sectors are, such as oil, arms, precious metals, tobacco products, cultural artefacts, ivory. If a client operates in these sectors, they would be considered high-risk clients.

Clients who operate in cash-intensive businesses are also high-risk. These include businesses such as nail bars, car washes, barbers, fast food, and any businesses where people would legitimately pay in cash. Baddies often open businesses like these to launder their dirty money together with the legitimate cash earned.

Politically exposed people (PEPs) are also considered high-risk. The law doesn’t give you much wriggle room in this area. If a client is a politically exposed person and does a certain job, this is high-risk.

The Financial Action Task Force (FATF) issues a list of jurisdictions where there’s a particular concern with their ability to handle anti-money laundering. This list is the high-risk third countries list. As FATF can’t take at face value that money from those jurisdictions is genuine, everyone dealing with that money has to check. This is why enhanced due diligence is required on high-risk third countries.


Considering matter risk

There has been a recent change in the MLR relating to matter risk. Regulation 19(4)(a)(i)(aa) did state:

“a transaction is complex or unusually large, and there is an unusual pattern of transactions, and…”

This has now changed to:

“a transaction is complex or unusually large, or there is an unusual pattern of transactions, or…”

You’ll note that the words ‘and’ have changed to ‘or’. When the word ‘and’ was included, it suggested that there would need to be a combination of things for it to trigger. However, this is not the case.

We’ve noticed that many firms still have the word ‘and’ in their policies and therefore their matter risk assessment process is looking for a combination rather than any individual factor. So, when lawyers are doing a matter risk assessment which is complex, unusually large, has an unusual pattern of transactions or no economic or legal purpose, these need to be triggered individually.

So, make sure you check your policies and make any necessary changes.

What does LSAG say about matter-based risk assessments?

Each regulator used to publish their own guidance. However, in 2017 the regulators got together and formed the Legal Sector Affinity Group (LSAG). LSAG then produced one set of guidance, the LSAG guidance, to be used across the sector.

The LSAG guidance confirms that matter-based risk assessments should not be a tick-box exercise but suggests you follow the below criteria:

  • Talks about risk ratings
  • Can have a template for similar cases, but it must not become a tick-box exercise
  • Should assess and have regard to negative news results
  • Suggest review of matter-based risk assessments on long-running matters – however, they don’t give an interval of how regular that should be
  • Focus on recording reasoning for assessment
  • Record why you’ve picked the CDD approach

When should you revisit matter-based risk assessments?

We know that there are things you simply can’t answer at the beginning of a case when completing a matter-based risk assessment. That’s why the matter-based risk assessment should be for the life of the file and not just a file-opening exercise.

Therefore, you need to consider all the stages where a matter-based risk assessment is needed. There are three particular stages when we believe this needs to be considered.

  1. When you’ve had an initial conversation with the client. You’ll have as much information as possible and are deciding whether there are any factors from the conversation that are causes for concern. This will determine what level of CDD we should do.
  2. When you’re undertaking CDD. Once you’ve received the documents from the client to undertake CDD, what you receive will either change your initial risk assessment or back it up. In reality, it’s only at this stage that you can do a proper risk assessment as you’ll now have all the CDD information.
  3. Before you potentially launder money. The last point in which to undertake a risk assessment is just before you do anything which could be laundering money. You should stop, revisit your risk assessment and update it before you potentially launder money.

It’s extremely important that you write everything down on your file. If it’s not written down, how are you going to prove that you’ve done it if something goes wrong? Regulators need to see that you’ve covered everything.

What help can be given to lawyers on matter-based risk assessments?

One way of ensuring lawyers complete a risk assessment in the first place is to make it mandatory in order for the file to be opened. However, although this helps ensure they complete one initially, they may only partially complete it or may not revisit and update it at key points of the case. We therefore suggest a three-step approach.

  1. Training: Training is key. Lawyers need to understand the importance of risk assessments and ensuring they receive good quality training can help significantly to drill down that point.
  2. File Reviews: A good way for firms to determine how lawyers are doing with their matter-based risk assessments is through file reviews. You’ll have a chance to discuss any specific issues and identify if there are specific departments that are struggling. This will allow you to revisit the training with them when it’s needed.
  3. Firm-wide risk assessment: If you’ve not already shared your firm-wide risk assessment, this may help. Lawyers will be able to see your thought process towards risk in different departments, and this will help them when completing their matter-based risk assessments.

Following this approach should help lawyers complete their matter-based risk assessments moving forward.

Get in touch

If you need any assistance with policy drafting and reviews, AML audits, or training, simply contact us and one of our experts will be in touch.


Managing risk and learning from mistakes

As legal professionals, it is crucial to manage the risks we face daily and learn from our mistakes. The common goal of most professionals is to prevent messes in the first place. Building Compliance That Works is fundamental to being able to demonstrate resilience and self-reflection on internal policies and procedures.

In the legal sector, professional indemnity insurance has seen a significant increase, with some firms experiencing a minimum increase of 20% in their annual premiums. To combat the increase or limit it, it is essential to prepare early, not treat it as a tick box exercise, utilize a specialist broker, demonstrate that the taint has been removed, put in the work and time to the process, demonstrate your firm’s value on the proposal form, and have a standalone document.


We all have problems, things which haven’t gone to plan, so how do we explain them?

If a problem is identified, Root Cause Analysis should be conducted for each instance. The purpose of this is not to blame a person but to investigate the different factors that enabled the incident to occur. In doing so, effective changes and prevention can be implemented to limit recurrence.

It is essential not to merely scratch the surface but to dig down below to find the root cause. If the root cause is missed, the incident is likely to occur again, increasing the risk exposure. Human error is never the ultimate root cause, and firms or individuals should not feel ashamed of near misses. Instead, they should feel confident and empowered to share these experiences with others.


We worry people will fear it is a witch hunt if we dig too much into the issue.

Creating a positive environment to have these chats and building a safe environment where staff are confident that they will not be judged or penalised for asking for help or alerting a person to an underlying issue is crucial. Ensuring that the culture is embedded throughout the firm sets the right undertones for all staff, regardless of level or position.

Risk is there, through firms at all levels, and risks may change, but they are still present. Consider reporting lines or lines of support, whether internal or external. In most firms, the line manager automatically handles reporting lines, which can make people bury their heads and not speak out for fear of repercussions, insecurity, stress, and compromised decisions.

It’s important we face these causes, because without that people suffer. In many parts of the legal sector (for example, Conveyancing in 2022), there can be real risks that are exacerbated due to several factors outside the staff member’s control and, in some instances, the firm’s. Even if those risks do not transpire into meritorious claims, it is inevitable that there will be claims and complaints arising out of these risks, which will have a considerable impact on staff and firms.

Everyone, at one time or another, will make mistakes within their careers, and it is how we deal with them that helps shape our careers and shape the firms we work within.


How can we mitigate the consequences of issues arising?

Make it easier to find out what actually went on – Recording file notes is essential, documenting what is done at each stage, what has been found, what the client has been informed of, when they were informed, and by what means, and why the matter cannot proceed further.

Supervise properly – In the remote world we currently operate within, identifying signs in others is crucial. If you are a supervisor, think about how to monitor, motivate, and supervise daily. Remote working adds another layer of complexity, making identifying a gut feeling a lot harder. Make a conscious effort not to focus solely on the work and be visible and personable, building trust and relationships.

Use your data – Data collection and analysis can help fill gaps and identify where and who requires support. Data that could be considered includes low WIP or alternatively high WIP, money held on the file, inactive client records, average case length, non-billing for a period, what happens when the file gets to 75% of the fee estimate, and retainer profitability and written off time.

Taking action if you think there might be a problem – doing more file reviews, and stacking the odds in your favour is invaluable regarding risk exposure and learning. Get curious, ask why, and continue learning about your team and how they operate.


Get in touch

For more information about our risk management services, get in touch with our experts. 


Managing Risks When Supervising Remotely

Effective supervision has always been important from a risk management perspective, but never more so than now when it comes to managing risks when working remotely, especially if you’re having to grapple with new technology and processes.


SRA Code of Conduct

As it is a requirement of the SRA Code of Conduct for firms to have in place an effective system for supervising client matters, most firms will already have policies and processes in place. However, these processes will need to be reviewed to ensure that they are still workable and effective in light of the remote working and different hours that some staff may be working to fit in around childcare and home schooling.


Supervision process

When reviewing supervision processes, consideration should be given to the following key areas:

Experience of Staff: The staff that are being supervised and their qualifications and level of experience. For example, qualified experienced Solicitors will not need as much day to day supervision or quality checking as a Paralegal or Trainee Solicitor.

Communication: Good clear communication is key as, in the office, some supervision happens informally as Supervisors can overhear a telephone conversation when someone is struggling or can be approached for a quick sense check of a matter that a member of their team is unsure about or they need clarification about a query they have received from a client.

It is important that good communication continues between a supervisor and their team to ensure a high level of work and effectiveness is maintained as well as staff morale.

Consideration should be given to weekly team meetings and one on one meetings being held via Skype or Zoom. Dates and times for these meetings should be agreed in advance and put in everyone’s diaries so staff can plan their work and appointments around them. An agenda should be prepared in advance so all staff know what is going to be discussed and what they need to bring and prepare. This will ensure that these meetings are as productive as possible and valuable time is not wasted.

File Surgeries: Allocating a file surgery day each week can also be an efficient and effective way of ensuring that matters can be supervised and allow both the supervisor and team members to plan and manage their time and work effectively. Staff should be informed of a timeline by which they need to email and confirm to their supervisor the issues they wish to discuss at the file surgery meeting together with the name and file number of the matter if applicable. The supervisor should then acknowledge receipt and allocate a time slot to their team member on the allocated file surgery day for the matter to be discussed over the telephone.

File Reviews: It is important that these reviews continue as these are a very effective way of supervising and of being able to identify any potential issues that could turn into a claim or a complaint if not dealt with. Consideration should be given as to whether the number of file reviews undertaken needs to be increased for some staff. It should be noted that file reviews can also help identify any other office processes and policies which may need to be reviewed and amended as a result of people working remotely.

Checking of Work: Supervisors should inform their team of the process for the checking of work before it is sent to clients. Each team member should be told the process that needs to be followed, when the supervisor will need to receive the work, and the timescale for the supervisor to review and return it. This will help staff to manage key dates and timelines effectively, as well as clients’ expectations.


Get in touch

If you would like any help reviewing or preparing a Supervision Policy, please get in touch with our experts today.


Mindful policies

This morning I was looking at a post on LinkedIn which generated a lot of comments and interest. The post is about a mobile phone policy which a content marketing business felt it needed to implement, apparently written, according to the managing director, by the younger staff, and not by management.

Now, reading the comments, it’s suggested by some that this is a clever piece of content marketing to demonstrate the business’s ability to get engagement, but whether it is or not, I’ve seen that policy before, often, in law firms.

“Failure to close the photocopier lid is a disciplinary offence.” “No more than 1 person in the kitchen at any one time.” “The toilet roll is kept in the managing partners office and must be returned after use.”

These examples of policies are not made up for clickbait. They are policies which were in place in the first law firm I worked in. Now we’re talking 22 years ago, but just last year someone sent me a picture of a sign on the back of a bathroom door (which clients can use) which said in red capitals – DO NOT LEAVE THIS TOILET WITHOUT CHECKING IT HAS FLUSHED PROPERLY. IF NECESSARY, FLUSH AGAIN.

I find myself reflecting on what is happening in these businesses to motivate people to write such things: what are their frustrations, concerns, worries? Worries about productivity, wasted costs, cleanliness, and in respect of the mobile phone policy, possibly security. These are absolutely legitimate issues which need to be addressed, but I would suggest that sometimes the way these policies are written is counterproductive.

Whilst the policy or notice itself may have the desired effect – we never left the photocopier lid up, for example – what does this do for morale and culture? Now this isn’t my area, I know people much better placed to talk about culture, but I do know about policies, and I would urge anyone writing them to think about the unintended consequences. Whenever we introduce controls, unless people properly understand the rationale, there is a risk they won’t comply, that they’ll dismiss it and will work around it.

Also consider how the policy might be interpreted. Avoid writing them when you’re frustrated! In one of the comments the MD of the company with the mobile policy was asked whether it applied to him, and he said he needed his mobile phone on the desk, and he could “restrain himself” from getting drawn into social interaction during the day.

I recently caught a Simon Sinek (who I love!) video about how allowing our children access to mobile phones is damaging them and ultimately causing a problem for managers in the workplace as people are addicted to them. I don’t disagree with him, but dismissing this as – they can’t restrain themselves, so I am going to threaten them with a ban – doesn’t seem to me to be the best way of tackling this.

Communication, explaining the impact, understanding why it is an issue, and arriving at a negotiated solution is going to be much better than issuing policies which can alienate people, breed resentment, and cause exactly the lack of productivity you were afraid of in the first place.

Be mindful when writing your policies: leave aside for a moment what your intention is, and put yourself in the mind of the reader. Am I saying what I mean? Will they understand why we need it to be this way? Will they feel talked down to by the language? The more engaged the reader is, the more likely they are to comply.

Get in touch

If you’d like help with your policies and procedures, simply get in touch with one of our helpful experts today.


The new transparency rules: what you need to know

The Legal Services Board have approved the SRA’s proposed change to the transparency rules. But what does this mean for your law firm, and how are you going to ensure you comply with the new rules by the December 2018 deadline?

What’s the aim of the transparency rules?

The aim of the changes is to assist clients by providing clarity in relation to their legal fees.

The rationale came from the recent Competition and Markets Authority report, which made it apparent that consumers wanted more information to enable them to make informed decisions about the range of legal services available to them. The report found that the prices charged and the services offered were unclear, descriptions were ambiguous and that the client was not always getting what they expected.

What are the changes?

Under the rules, law firms will be required to publish on their website their price and service information for specified legal services, which include:

  • Debt recovery (up to £100,000)
  • Employee and employer tribunal claims (unfair/wrongful dismissal)
  • Immigration
  • Licensing applications for business premises
  • Probate
  • Residential conveyancing
  • Road traffic offences

The rules do not apply to publicly funded work.

In addition, firms will be required to display the new SRA digital badge, which essentially provides a layer of protection against fraudulent activities.

Other changes include the requirement to publish the firm’s complaints procedures, including how and when complaints may be made.

As a firm, you will be required to publish:

  1. A full description of services offered, which also should be included in your Client Care Letter/Terms of Engagement
  2. The costs of services: These must be clear, no more hidden additional fees. If it is not possible to provide the total costs, you should provide details of the costs in stages, and what each stage entails.
  3. Hourly rates -v- fixed fee: If the firm is charging on an hourly rate basis these will need to be published. Consider placing these on the profiles of the fee earners on the service pages, so potential clients can see the information sooner rather than later. Firms may also want to consider an hourly rates table on their website. If you are offering fixed fees, ensure that you clearly set out what is and isn’t included in the fee.
  4. Disbursements: Provide clarity and certainty (where possible) as to what the disbursements will be during the matter. For example, for conveyancing transactions firms may want to consider providing a full list on the website of possible disbursements. In other matters, the firm may want to consider listing the types of disbursements that may need to be funded, so that it does not come as a surprise to the client.
  5. VAT: Be clear as to what will have VAT added.
  6. Referral Arrangements: You will need to disclose any referral agreement you have in place, including how much you will receive. This information should also be in the Client Care letter/Terms of Business.

How can you make this work on your website?

Firms will be considering how to achieve this. You should consider the “user experience”: how will your clients find this information? The draft guidance to support these rules suggests the information should be easily navigable if it is not on your home page. Some firms are creating specific pages, others are building this into an online quote tool, or are considering connecting to price comparison sites. There is an increasing number of firms that are white labelled under other organisations and they will all need to align, particularly in relation to conveyancing where clients can obtain online quotes.

Complaints information must also be published and should include your complaints handling procedure as well as details about how and when a complaint can be made to the Legal Ombudsman.

Firms must also display their SRA number and digital badge in a prominent place.

What if I don’t have a website?

If a firm does not have a website the firm must make the information available on request. Firms are not expected to create a website simply to comply with these rules.

Get in touch

If you require any help or assistance in navigating the new rules, or wish to speak to us about risk management, or find out more about our website auditing service, then feel free to get in touch with our experts today. An initial chat is always free.


Latest cybercrime risks to the legal sector and how to manage them

A recent report produced by the National Cyber Security Centre (NCSC) highlights the need for even the smallest firms to undertake a cyber threat risk assessment and implement effective controls. The report cites a 2017 PricewaterhouseCoopers Law Firm survey, in which 60% of law firms reported an information security incident in the last year, up from 42% in 2014. The report also cites SRA reports that over £11 million of client money was stolen due to cyber-related crime in 2016.

The report ‘Cyber threat to the UK Legal Sector’ sets out, through case studies, the latest cyber security threats that are of particular relevance to the legal sector. The report also identifies practical steps firms can take to reduce the likelihood of them falling victim to such threats.

The report is the work of the NCSC and its sponsored Industry 100 scheme, with input from the Law Society, the SRA, Action Fraud and the National Crime Agency (NCA). The mission of the team is to increase the resilience of UK law firms who are particularly vulnerable to this type of threat as a result of the sensitive client information and significant funds they hold. These risks can disproportionately impact smaller firms who may have a small number of staff but may still be processing large volumes of data or handling significant client funds.

While firms may have taken action to secure personal information as a result of the General Data Protection Regulation (GDPR), this report identifies cyber security as a wider issue impacting commercially sensitive information, supply chain risks and financial controls that could make firms vulnerable to fraud and bribery. The 4 key current risks identified in the report are:

  • Phishing attacks where attackers influence users into disclosing information or clicking a bad link which compromises the payment of invoices and money transfers;

  • Accidental and deliberate data breaches as a result of insiders such as disgruntled employees looking to gain financially or ‘get back at a firm’ for perceived grievances;

  • Ransomware – a type of malware that prevents firms from accessing files or data on their computer or network until a ransom has been paid to fraudsters; and

  • Third party suppliers failing to adequately secure their systems that hold your firm’s sensitive data or money transfer arrangements leading to loss of data or money. State actors can also target a law firm in order to gain access to corporate clients and their information.

The report also raises concerns that future increased use of online delivery methods, outsourcing of services, blockchain and Artificial Intelligence will increase the risks going forward. As Christina Blacklaws, President of The Law Society, states:

“As data controllers, law firms handle significant volumes of confidential and sensitive information and client monies as part of their daily work. In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact.”

As well as understanding and assessing the risks, firms need to consider the adequacy of their existing controls and then strengthen them where necessary. The report identifies a number of simple key controls for firms to consider including:

  • Implementing processes to verify (via independent means) invoices and account details for money transfers;

  • Using ‘cooling off’ periods for changing account details for high value transactions;

  • Encouraging a culture where suspicious transactions are queried;

  • Educating clients about your firm’s invoice and money transfer processes to help them avoid falling victim to a phishing attack;

  • Monitoring user access of systems;

  • Keeping software, and especially the operating system (OS), up to date;

  • Controlling what software and applications you choose to allow into your firm; and

  • Verifying that third party suppliers, particularly those that hold your sensitive data, have basic cyber security controls in place.

All of the above controls are relatively cost effective for any firm but other controls may be disproportionate for smaller firms. To this end the NCSC’s ‘Small Business Guide’ offers simple practical technical tips for smaller firms. The NCSC also points firms to the government-backed ‘Cyber Essentials’ scheme. As well as providing simple but effective controls, certification under the scheme demonstrates a firm’s commitment to cyber security which can provide a competitive advantage.

UK-based law firms can also access cyber security expertise by signing up to the Cyber Security Information Sharing Partnership (CiSP), a joint industry and government initiative. There is a private CiSP group tailored to law firms which is free to join. Full details on the membership benefits and joining instructions can be found here. The NCSC or the Law Society can sponsor your organisation, as appropriate.

The NCSC report also recommends the NCSC ‘10 Steps to Cyber Security’, a guide to help board members and auditors ask the right questions about cyber security.

As with most frauds, these losses occur not because of the absence of controls but rather because the controls in place are not applied consistently. According to the latest KPMG ‘Global Profile of a Fraudster’ report, weak internal controls were a factor in 61% of frauds.

A firm’s assessment should therefore also consider at a high level how likely it is that controls are adequately performed in each business area. Control systems should be reviewed at regular intervals to ensure that these remain current, relevant and appropriate to the needs of your firm. Risk models have to be regularly revisited and reconsidered in order to have assurance that the risk profile continues to be valid, in particular after:

  • Restructuring

  • Downsizing

  • Changes in business processes

  • Major new policies being developed, changed or implemented differently

  • Identification of weaknesses

  • The introduction of new computer systems

  • An incident of fraud

Get in touch

If your firm would like further information about conducting a risk assessment, raising awareness amongst staff or auditing the adequacy of its existing controls, please feel free to get in touch.


Revised Lexcel Standard: Be prepared!

The Lexcel Legal Practice Quality Mark has been revised and expanded.  Lexcel accredited practices will be assessed against the revised standard from 1st November which means there is plenty for you to be working on. The Law Society Lexcel website gives you more information.

Broadly, these changes align the standard with recent new and revised legislative requirements in relation to data protection and financial crime.

The SRA Code of Conduct 2011 mandatory outcome 7.5 applies whether or not you are Lexcel accredited… ‘you comply with legislation applicable to your business, including anti-money laundering and data protection legislation’.

1. Start planning

There is a lot here to risk assess, develop, train, implement and test before your next Lexcel assessment … and of course to communicate to clients, as appropriate, and to your staff.

With regard to data protection, look at all the Lexcel requirements and you will soon realise that data protection touches all areas of the Standard.

2. Risk assess

You will need to look at the wider picture to assess and manage the risk of breaches and other offences.  A thorough review will include your compliance plan, risk register, policies and procedures, record keeping, monitoring and training.  Are you, for example, maintaining appropriate records of data processing activities, information asset registers, money laundering risk assessments and records?  Remember it is important to keep records of your decision making to evidence compliance and to have robust breach reporting procedures.  You need to understand your vulnerabilities and risks and address these accordingly.

3. Develop documentation

For all these new requirements, off-the-shelf template policies or procedures may be helpful but are unlikely always to be sufficient, as every practice is different. One size does not fit all. Examine the profile of your own practice, and undertake thorough risk assessments and gap analyses. Bespoke policies and procedures in plain language and applicable to your business are best practice, and likely to be more robust and easily understood by everyone.

4. Train, implement and test

Ensure your policies and procedures are effective. Undertake audits and spot checks.

Be prepared for assessors (and potentially other bodies) to review your central documentation, follow the audit trails, check your matter files and interview staff for evidence that they understand their responsibilities relevant to their role and have received appropriate training. Importantly too, are your staff able to identify potential breaches or compliance failures and do they know how to go about reporting this?

A wealth of information and guidance is available on the ICO, Law Society and SRA websites.  As always, Teal blogs are a great resource for practical guidance.

Make sure you check out the Cyber Essentials scheme which, for Lexcel accreditation, firms are now encouraged to achieve.

Take a deep breath, consider your risks, raise awareness in your business, and start your reviews and preparation now.

Get in touch

Most of all, don’t lose sleep! To find out more about our risk management services, simply contact one of our experts today to chat about how we can help.


Technology for compliance

At the recent Teal Annual Conference, I spoke to the delegates about Technology in Compliance. I’d like to pose some of the questions we talked about during the session. How would your firm answer?

  1. How do your current systems and processes work for you?

  2. As a firm, are you all working on the same system or is it a mix?

  3. Are you confident that all your employees are using the same versions of documents such as your Client care letters and Terms of Business?

  4. How often do you review your systems and processes?

The answers to the above questions are fairly self explanatory when it comes to assessing how effectively a firm is using technology to support their compliance function.

There are common themes for the majority of firms I meet. Firstly, there are still many firms that do not have a case management system (actually there are a lot) and who operate with a “S – Drive” where everyone can access and save documents. Secondly, there are those that have a mixture of different systems, and different levels of take up of those systems depending on the department. There are of course some firms that use their CMS to the best of their advantage. This takes a significant amount of work, but the firms that make the effort reap the rewards. Personally, I would like to see compliance embedded into the IT systems and processes within all firms.

Investing in people, processes and systems allows compliance to become second nature, providing an additional layer to internal risk management, and an audit trail if something were to happen.

In addition, it can also help increase profitability – so what is there not to like?

With so many different systems on the market, if you do not have a system, or are looking to change, how do you choose the right one for your firm? Here are some pointers:

  • Select the project team in-house – have a mix of staff covering support staff, fee earners, IT, management. You need to have a complete overview from all perspectives. Also ensure you include different disciplines, as each will have their own requirements.
  • Scope the list of features you must have, should have and would like to have. A project cannot always be completed in one hit, and taking a phased implementation approach is often more successful.
  • Do your research into providers or bring in an independent consultant who can assist. It is not a case of one size fits all.
  • Know your budget – there is a vast difference between “out the box” and custom built.
  • Shortlist the systems that you consider will assist you in your business and arrange a beauty parade.
  • Have a selection of staff at demonstrations.
  • Take your time to work through the pros and cons.
  • Consider the change management that will be needed within the firm to implement the new system.

As a starter for ten, here are some of the features which you should consider embedding into your systems:

  • Conflict checks
  • AML – check the integration with AML providers
  • Streamline your systems and have mandatory workflows to embed compliance
  • Versioning control
  • Workflows
  • File reviews
  • KPIs
  • Key dates
  • Client feedback
  • Risk assessments
  • Outlook functionality
  • HR plugins
  • Office manual
  • Training and development
  • Risk register

I am strongly of the view that we can effectively use technology within our compliance systems to minimise the risks involved in running a law firm. Why make things more difficult for yourselves, your firm, your staff, and your clients than they need to be!

Get in touch

Teal Compliance offers a compliance technology platform which is built specifically for law firms. Find out more about Teal Tracker, or alternatively contact one of our helpful advisers.
