This article was first published in the New Law Journal, 27 January 2023.


Cybercrime crackdown & anti-money laundering action: Frank Maher looks to the year ahead & runs through the key risks for law firms to keep in mind.

Many of the common challenges for law firms in 2023 remain similar to those seen in previous years, but two key areas of potential risk—cybercrime and money laundering—are becoming increasingly significant as we look to the months ahead.

Eyes on cyber

No firm is too small to be targeted: the client data we hold is valuable, and there is an increased risk of ransomware attacks since the invasion of Ukraine. The Solicitors Regulation Authority (SRA) reported a reduction in client losses from cybercrime at the COLP & COFA conference in November 2022, but that is not a reason for complacency. Numbers of attacks have increased in the business world generally, and Miller Insurance noted in their Review of the 1 October Renewal Season that there have been a number of payment diversion fraud and invoice manipulation losses. Meanwhile, Howden Insurance Brokers’ Solicitors’ Market Report (January 2023) noted that insurers were requiring that law firms had safeguards such as multifactor authentication (MFA) and virtual private networks in place—though even that is merely for starters.

All firms should be considering the National Cyber Security Centre (NCSC) Cyber Essentials, and preferably Cyber Essentials Plus, accreditation: the former involves self-assessment, while the latter is independently certified and clearly more valuable.

In the unfortunate event that a firm suffers a breach, it may be subject to investigations by the Information Commissioner’s Office (ICO) or the SRA. Being the victim of a cyber attack is not a defence to such an investigation, and fines can be substantial, even for a legal aid practice—the ICO’s £98,000 monetary penalty on one firm in 2022 being an illustration of this. Lessons from this case include the need to keep software patches up to date, and to use MFA and encryption.

Firms should also consider cyber insurance, as professional indemnity policies only cover client claims, not the firm’s own losses. The main practical benefit is that a cyber policy should provide technical and other crisis support, much like AA or RAC cover for cars. Whether it covers fines is a question of law for another day.

Action on anti-money laundering

Again, being small may not diminish the pain in the event of breaches with regard to anti-money laundering (AML) regulation, as demonstrated by the recent SRA fine of £20,000 with £1,350 costs on a two-partner firm.

Every firm undertaking work within the regulated sector under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, SI 2017/692 (MLR 2017) must have a firm-wide risk assessment (FWRA), and, taking account of that, appropriate policies, controls and procedures (PCPs); all must be kept constantly up to date.

The SRA’s AML annual report 2022 identified several common areas of weakness which accord with the writer’s experience from conducting law firm audits, including failures in relation to client due diligence, FWRAs and PCPs. In particular, the SRA said firms need to do more work on source of funds.

The report identifies that 6,408 firms (as of 5 April 2022) fall within the scope of the money laundering regulations. This represents around two-thirds of the total number of firms the SRA authorise (9,782). It may reasonably be asked whether some have not recognised, and hence not declared, that they are doing work within the scope of the regulations. Tax advice is a risk area, as it can creep into many areas of practice such as employment, personal injury and family, particularly following the changes introduced by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019, SI 2019/1511.

Firms which have assumed that they do not do regulated sector work would do well to check. The writer has encountered firms undertaking contentious employment work who believe they can avoid tax work by not advising on the £30,000 exemption for termination payments. However, there may be many other instances where tax law is engaged, such as payment for restrictive covenants, PAYE and benefits in kind, to name but a few. Personal injury claims may also engage questions of tax law, such as whether loss of earnings should be claimed gross or net.

Simply failing to advise on tax, or excluding it from a retainer (particularly with a lay client) may not be enough, as demonstrated by the case of Hurlingham Estates Ltd v Wilde & Partners [1997] STC 627.

Those who have assumed that they are outside the regulated sector should therefore review their position and, as with anything else which may engage the interest of regulators in future, evidence that review.

Regulation 21 of the MLR 2017 requires that: ‘Where appropriate with regard to the size and nature of its business, a relevant person must… establish an independent audit function.’ The requirement is discussed in chapter 9 of the Legal Sector Affinity Group guidance, but the guidance does not provide clarity on what size firm is meant by ‘size and nature’ and it would probably be unwise to do so. It is clear that it does not require an external provider, provided those undertaking it are not ‘marking their own homework’. However, the SRA’s regulatory settlement agreement—giving rise to the £20,000 fine and £1,350 costs referred to above—included an allegation that the two-partner firm had breached the requirement to have an independent audit. Firms should therefore review their decision-making process on whether to have an audit, who will do it, and with what frequency, and document it. Those appointing external auditors should consider whether the report will be subject to legal professional privilege.

Under review

There is much to address on an ongoing basis, and these are but two of the many topics which firms all need to keep under review.

Frank Maher is a practising solicitor and partner in Legal Risk LLP specialising in legal advice to law firms on professional regulation and professional indemnity insurance (www.legalrisk.co.uk).

 
