
www.cpm21.co.uk

AUTUMN 2015

THE BRIEF
ESSENTIAL NEWS FOR LEGAL PROFESSIONALS

Welcome to the ninth edition of The Brief

IN THIS ISSUE:

A Structured approach to building your Digital Defences
Lexcel 6 – Requirements around Risk
Money Laundering: a thriving analogue crime in a digital criminal world
Digital Fortress
Sign-up for a chance to win an iPad Air2

THE BRIEF - AUTUMN 2015 | 02

Welcome to the ninth edition of The Brief. Our last edition took the theme "green shoots", to reflect the economic recovery. In a buoyant market there are more legal transactions and more money changing hands, which makes solicitors' firms a prime target for fraudsters and money launderers. The threat can come from clients in person, or by email, phone or the internet. The risk to legal practices from cyber-crime has never been greater.

The SRA Risk Outlook for 2015-2016 highlights the significant and increasing risk to legal firms in these areas. The "bank manager" calling may not actually be the bank manager, and the "client account" of the other conveyancer may not actually be a real solicitors' firm's client account.

We have therefore adopted the theme “Digital Fortress” for this edition. It explores how firms should be protecting themselves from fraud and digital attack.

The first article, by Paul Jones, looks at how the LEXCEL 6 Standard shifts the responsibility for risk management to the COLP and the Supervisors.

Our new Associate, Tom Horrocks then explores the increasing risks from Money Laundering and Bogus Firms.

The profession is already feeling besieged by all the regulatory and legal aid changes. Firms should not, however, be distracted from protecting their brand identity and their financial assets. Some firms that were distracted no longer exist, particularly where they failed to adequately check the identity and bank account details of the firm on the other side of a transaction.

In the final article of this edition I look at a systematic way of building and reinforcing the battlements.

Hope you find this edition practical and useful. As ever, your feedback is welcome.

Wayne Williams

Meet the team:

Wayne Williams LLB MBA – Principal Adviser
Was Managing Partner of a 3 office solicitors' practice. Over 10 years' experience at senior management level with the Legal Services Commission. 4 years as Head of Legal Services for a multinational business consultancy. Member of Wales Law Society Committee 2004-2010.

Paul Jones – Senior Associate Adviser
Over 12 years' experience at senior management level for multinational corporations. 10 years' experience as a Business Performance Improvement Consultant across diverse industries and professions. 4 years as Senior Management Advisor in the Legal Services Team of a multinational business consultancy. Frequent author of articles for Legal News, New Law Journal etc.

Hannah Ménard – Associate Consultant, Solicitor
A practising solicitor with over 10 years' experience of working in the legal sector. An experienced departmental manager, which has included managing a telephone advice team of over 20 fee earners, with experience of implementing quality procedures and processes to ensure compliance with Quality Management Systems, and a fluent Welsh speaker.

Tom Horrocks BA MBA – Associate Consultant, Solicitor
Nearly 30 years PQE as a solicitor, the last 17 at senior management level. Experience covers: Partner in a high street practice, Senior Lecturer on the Legal Practice Course, Council Member then CEO of the regulator Council for Licensed Conveyancers, Director of Compliance & Risk Management for two distance volume conveyancing companies.

cpm21, Ty Menter (Venture House), Navigation Park, Abercynon, CF45 4SN
Office 01443 742895
Wayne Williams 07970 99 41 80
Paul Jones 07796 36 32 69

www.twitter.com/wwcpm21
www.facebook.com/cpm21professional
www.pinterest.com/cpm210175
www.linkedin.com/company/cpm21

Lexcel 6 – Requirements around Risk

While other articles in this edition deal with newer types of risk such as cybercrime, which is covered within the Lexcel Legal Practice Quality Mark, the Law Society has not removed its focus from more traditional areas of operational risk, and Version 6 of the standard moves closer to the SRA approach than previously.

In particular, section 5.1 requires practices to have the following:

Practices must have a risk management policy which must include:
a. a compliance plan
b. a risk register
c. defined risk management roles and responsibilities
d. arrangements for communicating risk information

Those firms who were accredited with Lexcel Version 5 and previous versions will recall that the Risk Management section named a "Risk Manager" who would receive risk assessments from fee earners outlining where they had identified high risk at any stage in a matter. The emphasis has changed in the current version and is placed on the Supervisor for this, in conjunction with the Compliance Officers (COLP and COFA), depending on the type of risk identified.

For firms who have yet to be audited, Lexcel auditors will be looking for a management structure outlining roles and responsibilities for risk, including those of Supervisors and Compliance Officers, and procedures for reporting it and dealing with it.

To assist with understanding risk, firms are now also required to maintain a risk register. To develop a risk register, firms should consider at least the following categories of risk:

• Strategic
• Financial
• Operational
• Compliance
• Breaches

Where these categories are considered, it is good practice to rate the probability of their occurrence and the severity of their impact on the firm, its clients or third parties. For each of them it is also prudent to identify whether any systems, processes or procedures are already in place to mitigate, remove or transfer the risk, and to identify who is responsible for them.

If there are no systems, processes or procedures in place to mitigate, remove or transfer a risk, and the probability of occurrence and severity of impact are both rated as "HIGH", then the firm will need to take action, which leads to point a. in the list above, the Compliance Plan.

For a lot of firms, even if they are not Lexcel accredited, the COLP and COFA should have a Compliance Plan in place as part of their duties under the SRA 2011 Handbook (although this was never made explicit in that publication, it was noted as a recommendation).

The Compliance Plan should be a document that outlines the overall risks to the firm from an Outcomes Focused Regulation perspective, and include the reporting requirements to the Compliance Officers, as well as any actions that need to be taken from the Risk Register. It should also include any gap in regulatory compliance identified from a fundamental review of systems, processes and procedures by the COLP and COFA.

The document should be reviewed every year, and take into account the firm's responses to new and emerging risks as they become known from various sources such as SRA updates, Law Society Practice Notes, and Legal Ombudsman or Legal Services Board reports and updates.

It is also best practice to include any actions taken as the result of the annual risk review required under the standard, which is now much wider than it was previously. In older versions of Lexcel, risk reviews focused on indemnity claims/notifications, complaints and data generated by file reviews. While these are still contained in the current version, they are now accompanied by:

5.16d any matters notified to the COLP and/or COFA
5.16e any material breaches notified to the SRA
5.16f any non-material breaches recorded
5.16g situations where the practice acted where a conflict existed
5.16h the identification of remedial action

As can be seen from the above, Version 6 of the standard is far more integrated and, as we have already noted, much more in line with Outcomes Focused Regulation.

So, if your practice hasn't had its first Lexcel 6 audit yet, you should be considering this much stronger integration and ensuring that all Supervisors, as well as the Compliance Officers, are aware of their responsibilities under the standard. Under the previous versions their contributions to an audit may have been considerably less, but going forward that will not be the case.

Paul Jones, Senior Associate Adviser, cpm21 Ltd

Money Laundering: a thriving analogue crime in a digital criminal world

Email and the internet have profoundly changed our professional lives. Their impact can be seen in how law firms communicate with each other, and in how clients expect us to communicate with them. Information about how solicitor firms describe themselves and the services they offer is readily available on the internet. These are boom times for criminals, who no longer have to steam open letters, or take a lease on a shop and wear a suit, in order to inveigle themselves into the work of solicitors.

Cybercrime attacks against law firms usually involve criminals attempting to extract money. There is the long firm fraud of the bogus solicitor's office: the authentic-looking website with functioning email, telephone number and postbox address, and the patient conduct of conveyancing matters over several months before the dénouement, when, in return for the buyer's and lender's money from your client account, no property title will ever be transferred. There is the hostage hacker inserting a virus via an email which locks down the firm's computer systems, preventing you from doing any work until a ransom is paid in return for a release code. And there is the criminal hacking into your client's personal email account with its flimsy security, then patiently intercepting emails between the firm and the customer asking for the balance of sale proceeds, or the balance to complete, to be sent to a given account number and sort code. A few keystrokes change the account number and sort code to the criminal's own bank account, and the email is sent on its way with no-one the wiser until the money is never received.

In this context it's startling to think of a criminal attack on your firm where the criminal gives you money (in the form of your legal fees for services rendered) rather than trying to take it away. But this is what happens when money laundering takes place.

Crime which generates large amounts of cash is a problem for criminals. Wealth without an obvious legitimate source of income draws unwelcome attention from law enforcement agencies. Criminals solve this problem by money laundering. The money is 'cleaned' by giving it a legitimate source with no obvious links to its criminal origins. A solicitor's client account is almost perfect for money laundering purposes. The integrity of the solicitors' profession means that money paid to a person from a solicitor's client account will usually be treated as beyond reproach.

Identifying money laundering requires a multi-faceted approach. Law firms must carry out a risk assessment of their vulnerability to exploitation by money launderers. From this assessment, a policy statement and procedures must be developed which reduce the identified risks, and these are then implemented through appropriately trained staff.

A core foundation of anti-money laundering procedures is customer due diligence: put simply, asking the client to produce ID evidence to prove that they are who they say they are, and that they live where they say they live. Often the production of the original of a valid passport, valid photo driving licence or firearms certificate, together with a recent bank statement or utility bill, is treated as enough. There are, however, two potential problems with this approach.

Firstly, good quality forgeries are increasingly available as high specification colour photocopiers and document production software become more common. Secondly, customer due diligence must match the degree of risk presented by the type of customer, the business relationship and the nature of the transaction. Enhanced customer due diligence must be carried out if:

• the customer is not physically present for identification face to face
• purchase money for a property transaction is being contributed by a third party foreign national
• the customer is a politically exposed person, or an immediate family member or close associate of a politically exposed person

A weapon from the digital fortress, which can form part of the further measures needed for enhanced due diligence, is the online ID check. By cross-referencing information held in databases covering driving licence and passport numbers, electoral register name and address, Royal Mail redirection instructions, mortality details in the Halo register, NI number and date of birth, and mobile phone number, together with the names on the Bank of England and Office of Foreign Assets Control sanctions lists and on Politically Exposed Persons lists, it is more likely that the incompetent money launderer, who has not worked hard enough to create their back-story and the documents to support it, will be spotted.

Online AML checks have been further developed to counteract the problem where the ID documents produced are genuine (rather than mocked-up fakes) but have been stolen. In this scenario the data in the registers will correlate with the information contained in the documents, but the person presenting them as ID evidence is an impostor. To overcome this, online AML check providers now offer a service which draws on a person's credit reference history. By asking questions about bank accounts, credit cards and loans, which an impostor would be unable to answer or would answer wrongly, this additional check can help identify clients presenting stolen ID documents.

Finally, it is important to remember that carrying out ID checks, even using the latest AML online checks with credit reference questions, is not by itself enough to show due diligence on the part of a solicitor in minimising the risk of their business being exploited by money launderers. It is a mistake to think that AML checks can be 'done' at the beginning of the retainer and then forgotten about. Customer due diligence requires vigilance throughout the whole transaction for circumstances which should give rise to a reasonable suspicion of money laundering, and a decision on whether or not a National Crime Agency report should be made.

At CPM21 we can assist you to put in place the policy and procedures which demonstrate to the regulator how your firm combats money laundering, and provide the training so that your business and your staff are not vulnerable to money launderers.

Tom Horrocks, Associate Consultant, CPM21 Ltd

A Structured approach to building your Digital Defences

CESG is the Information Security arm of GCHQ. It has developed a scheme called Cyber Essentials. If you wish, you can apply for certification of your firm under this scheme and then display the logo on your website etc. This will assure clients and others that you take data security seriously.

However, even if you do not follow the self-assessment route to accreditation, Cyber Essentials provides a structured framework to help you build a more secure environment to protect your firm from attack.

It sets out 10 steps to Cyber Security:

Step 1 - Information Risk Management Regime
Step 2 - Secure Configuration
Step 3 - Network Security
Step 4 - Managing User Privileges
Step 5 - User Education and Awareness
Step 6 - Incident Management
Step 7 - Malware Prevention
Step 8 - Monitoring
Step 9 - Removable Media Controls
Step 10 - Home & Mobile Working

Strictly, the Cyber Essentials certification itself tests five technical controls (boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management); the ten steps above are CESG's companion "10 Steps to Cyber Security" guidance, which covers the wider management regime around those controls. Both are worth working through.

It is essential that the Partners or Directors carry out a proper risk assessment in relation to all of the firm's information assets. Information security needs to be on the agenda of the Partners'/Board meeting. Solicitors continually assess risk in relation to client cases. They need to apply the same logical and careful approach to assessing the risk to all of the firm's information assets, and hence to the firm's survival following a cyber-attack.

Step 1
Involves carefully documenting the firm's assets, e.g. client details, database and case management system, precedents, digital media, wills, deeds, banking information, passwords, physical case files etc. A policy should then be agreed at Board level to minimise the risk of loss or theft of these assets. A director, partner or senior manager should have delegated responsibility to ensure adherence to this policy across the firm. This in turn presupposes good communication of the policy to all staff across the firm. It may also include active engagement with your IT provider and external suppliers, e.g. archiving company, confidential waste etc.

Step 2
Can staff use their own laptop, desktop or mobile to access protected data? Are they configured in a consistently secure way? Are passwords shared or recorded in an insecure way?

Step 3
As far as Network Security is concerned, you need to consider your Internet Access Policy. Can a member of staff access any site, or are there restrictions in place which limit access to work-related sites, e.g. Land Registry, LAA, Companies House? Access to other sites, e.g. social media, can put client confidentiality at risk: for example a photo taken inside the office that shows a client in the waiting room or a named file on a desk. Such things can be done innocently, as staff do not always realise that they are working in an SRA regulated environment.

Step 4
Involves effectively managing User Privileges. Does every member of staff have access to the entire case management and accounts system? If so, do they really need such high level access? Consider setting levels of security so that only partners and senior staff can access all client records and accounts. Try as far as possible to limit access to departmental files. Should the Conveyancing Team have free access to Family Department files? You can always authorise specific access when needed. Legal Aid Agency Data Security Requirements now require firms to limit access to legal aid files and "LAA shared data" such as a client's NI number, date of birth and legal aid application.

Step 5
When did your staff last receive training on cyber risks and data security? Is it part of your induction procedure too? Is your nominated Data Security Director/Supervisor sufficiently trained to enable them to train others and make them aware of the risks?

Step 6
When did you last test your Disaster Recovery Plan? When did you last check that your data backup disks actually still work and that you can recover your system as it was 1 hour ago, 12 hours ago or 24 hours ago?

Step 7
Is everything received by email, CD, USB data stick etc. automatically scanned for malware?

Step 8
Monitoring – does your management agenda include a report on potential cyber-attacks? Are they increasing, e.g. are staff receiving more spam email? Do you know? Do you receive and review reports from your IT provider?

Step 9
Is removable media (e.g. CDs) used to import data to your system, or indeed to export data from your system? If so, what controls do you have in place to protect your system and the exported data?

Step 10
Home and mobile working is becoming the norm in the 21st century legal practice, and with this development data becomes less secure. For example, when your staff log on to your system remotely via an open internet access point, is there a VPN in place to protect the firm's and the client's confidential information?

Hopefully this framework will enable you to assess your data security risks and develop a more robust "digital fortress" strategy and management process. You can download more information about the Cyber Essentials Scheme from the following link: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/317480/Cyber_Essentials_Summary.pdf

Wayne Williams LLB MBA, Managing Director, cpm21 Ltd
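As an added example (not material from the newsletter, cpm21 or any case management product), the following Python sketch turns the Step 4 questions on user privileges into a default-deny rule: partners see everything, fee earners see their own department's files, support staff in the department see the file without the LAA shared data, and anyone from another department needs a partner's time-limited authorisation. Every decision is written to an audit list, and a small summary of denied accesses is the kind of figure the Step 8 monitoring report asks for. All users, roles, matter references and data fields are hypothetical.

```python
# Added example, not from the newsletter or cpm21: Step 4 (user privileges)
# expressed as a default-deny rule, with the audit trail that feeds a Step 8
# monitoring report. All users, roles, matters and fields are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Items the Legal Aid Agency treats as "shared data" on a legal aid file.
LAA_SHARED_FIELDS = {"ni_number", "date_of_birth", "legal_aid_application"}


@dataclass(frozen=True)
class User:
    name: str
    role: str        # "partner", "fee_earner" or "support"
    department: str  # e.g. "conveyancing", "family"


@dataclass
class Matter:
    ref: str
    department: str
    legal_aid: bool
    data: Dict[str, str]


@dataclass(frozen=True)
class Grant:
    user: str
    ref: str
    expires: datetime


@dataclass
class CaseAccess:
    """Who may read a matter: own department first, explicit grant second, else deny."""
    grants: Set[Grant] = field(default_factory=set)
    audit: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

    def authorise(self, approver: User, user: User, matter: Matter,
                  now: datetime, hours: int = 24) -> Grant:
        """A partner authorises one user to see one matter for a limited time."""
        if approver.role != "partner":
            raise PermissionError(f"{approver.name} may not authorise access")
        grant = Grant(user.name, matter.ref, now + timedelta(hours=hours))
        self.grants.add(grant)
        self.audit.append((now, approver.name, matter.ref, "GRANT " + user.name))
        return grant

    def _level(self, user: User, matter: Matter, now: datetime) -> Optional[str]:
        if user.role == "partner":
            return "full"
        if user.department == matter.department:
            # Fee earners in the department see the whole file; support staff
            # do not need the LAA shared data to do their job.
            return "full" if user.role == "fee_earner" else "restricted"
        for g in self.grants:
            if g.user == user.name and g.ref == matter.ref and g.expires > now:
                return "restricted"
        return None

    def read(self, user: User, matter: Matter, now: datetime) -> Optional[Dict[str, str]]:
        """Return what the user may see of the matter, or None. Every decision is logged."""
        level = self._level(user, matter, now)
        self.audit.append((now, user.name, matter.ref, "ALLOW" if level else "DENY"))
        if level is None:
            return None
        view = dict(matter.data)
        if level == "restricted" and matter.legal_aid:
            for key in LAA_SHARED_FIELDS:
                view.pop(key, None)
        return view

    def denial_report(self) -> Dict[str, int]:
        """Step 8 input: denied accesses per user, most frequent first."""
        counts: Dict[str, int] = {}
        for _, who, _, outcome in self.audit:
            if outcome == "DENY":
                counts[who] = counts.get(who, 0) + 1
        return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def demo() -> Dict[str, object]:
    """Walk through the Step 4 questions with constructed users and one family file."""
    t0 = datetime(2015, 9, 1, 9, 0)
    partner = User("Alice", "partner", "management")
    conveyancer = User("Bob", "fee_earner", "conveyancing")
    family_support = User("Cara", "support", "family")
    family_file = Matter("FAM/2015/001", "family", True, {
        "client": "J. Doe", "ni_number": "AB123456C", "date_of_birth": "1980-01-01",
        "legal_aid_application": "LAA-0001", "notes": "hearing listed"})
    ac = CaseAccess()
    out: Dict[str, object] = {
        "partner": ac.read(partner, family_file, t0),
        "conveyancer_no_grant": ac.read(conveyancer, family_file, t0),
        "support_same_dept": ac.read(family_support, family_file, t0),
    }
    ac.authorise(partner, conveyancer, family_file, t0, hours=24)
    out["conveyancer_with_grant"] = ac.read(conveyancer, family_file, t0 + timedelta(hours=1))
    out["conveyancer_after_expiry"] = ac.read(conveyancer, family_file, t0 + timedelta(hours=25))
    out["denials"] = ac.denial_report()
    return out
```

Calling demo() shows the conveyancer refused before the grant, given a redacted view (no NI number, date of birth or legal aid application) for the 24 hours of the grant, and refused again once it has expired; the family department's support member gets the file without the LAA shared data without needing a grant. The denial_report() figures belong on the management agenda that Step 8 describes: a steady count of denials for one user, or a grant that keeps being renewed, is a sign that the department assignments need fixing rather than working around.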

CPM21, Wales' leading supplier of Management and Compliance Services to the Legal Profession, is now providing the SRA Mandatory Professional Skills Course (PSC)

What we do
• Provide dynamic trainers who are passionate about their subject areas
• Ensure training is provided by 21st Century Lawyers for 21st Century Lawyers
• Ensure the Finance Module is delivered by practising Accountants
• Provide interesting, interactive course exercises, including role play in a former court room
• Provide social interaction and group learning with other trainees
• Provide topical, current case scenarios to illustrate learning points and reflect contemporary procedure
• Provide courses in the South Wales area
• Help you develop the skills required for you to be a valued fee earning asset to your firm

Sign up and see why we are Wales' biggest and fastest growing legal management and compliance business. Courses start in September, so hurry now and reserve your place…

Client Care & Professional Standards: 22nd & 23rd September 2015
Advocacy & Communication Skills: 15th, 22nd & 23rd October 2015
Financial & Business Skills: 16th, 17th & 18th November 2015 (Examination 23rd November 2015)
Client Care & Professional Standards: 19th & 20th April 2016
Advocacy & Communication Skills: 19th, 26th & 27th May 2016
Financial & Business Skills: 7th, 8th & 9th March 2016 (Examination 14th March 2016)

To book your place call CPM21 on 01443 742895

Sign-up for a chance to win an iPad Air2*
* The iPad Air2 (or equivalent) will be a prize drawn at random from the booking forms received; the draw will take place in the last week of September. Winners will be notified by email.

£999 + VAT and FREE electives


21st Century Professional Management

The material in this edition of The Brief is intended as a guide only and does not necessarily stand on its own nor is it intended to be relied upon for giving specific advice. Whilst every effort has been made to ensure the accuracy of the material, no liability can be accepted for any error or omission. Readers are advised to refer to the source material quoted in the material for full information. To the fullest extent permitted by law cpm21 will not be liable by reason of breach of contract, negligence or otherwise for any loss or damage (whether direct, indirect or consequential) occasioned to any person acting or omitting to act or refraining from acting upon the material. Nothing in this paragraph shall be deemed to exclude or limit cpm21’s liability for death or personal injury caused by negligence or for fraud or fraudulent misrepresentation. Loss and damage as referred to above shall be deemed to include, but is not limited to, any loss of profits or anticipated profits, damage to reputation or goodwill, loss of business or anticipated business, damages, costs, expenses incurred or payable to any third party (in all cases whether direct, indirect or consequential) or any other direct, indirect or consequential loss or damage. No part of the handout material may be reproduced in any form or for any purpose without the prior permission of cpm21. www.cpm21.co.uk

CPM21 Training Courses
CPM21 have a range of courses for everyone at local venues in England & Wales, delivered by specialists in their fields.

COURSE TITLE | CPD HOURS
Money Laundering for Legal Professionals - The Latest Picture | 3 Hours
COLP & Deputy COLP Refresher | 2 Hours
Legal Aid Supervision – All You Need To Know | All Day
SRA Competency Statement – What does it mean for you and your practice? | 2 Hours
Cyber Security and the SRA Risk Outlook | 2 Hours
Introduction to Private Client Work | 3 Hours
COFA Refresher & Update | 2 Hours
Complaints Prevention & Management | All Day
Networking Skills for Legal Professionals | All Day
An Introduction to Practice Finance | All Day

For further information, including venues, dates, prices and how to book, see our website www.cpm21.co.uk

Published by: cpm21, Ty Menter (Venture House), Navigation Park, Abercynon CF45 4SN

cpm21 (21st Century Professional Management) is a trading name of cpm21 Ltd. Registered office: Ty Menter (Venture House), Navigation Park, Abercynon CF45 4SN. Registered company number 7988356 (England and Wales).

© August 2014