Artificial intelligence (AI) and cyber security (Jul23)

A report by Group-IB revealed that hackers leaked over 100,000 ChatGPT credentials on the dark web, meaning that confidentiality of chats was compromised; this, and the widespread reporting of a $5,000 fine on US lawyers whose (mis)use of ChatGPT led to them relying on non-existent cases, are reminders of the need to consider the risks of AI. We identified some issues in our March 2023 Risk Update.

A report by Georgetown University’s Center for Security and Emerging Technology (CSET) identifies further issues. AI’s vulnerabilities may lie not in its algorithms but in the data on which it is trained, which may be subjected to malicious inputs. It may be difficult to identify what went wrong and when, and how it works may be opaque even to its developers.

Europol reported that AI can be used to commit fraud, impersonation, social engineering and cybercrime, and to spread disinformation. It is an ideal tool for phishing, enabling those with basic English skills to create fraudulent emails that appear highly realistic and convincing.

There are further concerns that, in time, spoofing with AI may challenge the integrity of biometric client due diligence products used in AML compliance.

Professional liability and indemnity insurance (Jul23)

Two decades after the landmark decision in Royal Bank of Scotland Plc v Etridge [2001] UKHL 44, an article by Dr Eleanor Rowan in the Conveyancer and Property Lawyer draws on interviews with 28 solicitors who have experience acting for lenders in secured lending transactions to show how, in practice, independent legal advice is not being delivered in accordance with Lord Nicholls’ guidelines. With the value of lenders’ security at risk if market conditions deteriorate, this should be a concern to law firms and their insurers. Etridge is also discussed in a litigation context, in an article on Undue influence, litigation funding and book building in group proceedings, by Prof Simone Degeling and Prof Michael Legg in Civil Justice Quarterly. Both articles are available on Westlaw.

Brokers are reporting slightly improved market conditions, which could mean that some firms will change insurers. Changing insurers carries risks and it is critical that firms question all their staff, not just partners, before submitting proposal forms.

There have been several high-profile law firm failures and there may be more in the pipeline. Firms considering acquisitions of offices, teams, staff or clients should be cautious about the successor practice risks. Note, too, that there are other areas of potential successor liability which may not be covered by insurers. Mistakes cannot be rectified. We have advised on several hundred cases, including many relating to the collapse of US and other international firms.

Data protection – and email cyber security (Jul23)

The UK and US governments have announced a commitment in principle to a ‘data bridge’ to facilitate international transfers between the two countries.

F.F. v Österreichische Datenschutzbehörde, Case C-487/21 is a decision of the Court of Justice of the European Union (‘CJEU’), holding that data subject access rights to copies of personal data include a right to copies of extracts from documents or even entire documents or extracts from databases containing those data. (Link: www.legalrisk.co.uk/News)

The National Cyber Security Centre has a free tool to check email security. On a recent check we did not find any other law firms, or insurance brokers or insurers (including providers of cyber insurance) which passed all five tests.

AML and financial sanctions (Jul23)

New and updated guidance since our May 2023 Risk Update includes RUSI’s Institutional Proliferation Finance Risk Assessment Guide, National Crime Agency Guidance on submitting better quality Suspicious Activity Reports (SARs), Companies House Guidance on the Register of Overseas Entities: approach to enforcement and SRA Guidance on Proceeds of Crime (of particular relevance to firms outside the AML regulated sector).

The Money Laundering and Terrorist Financing (High-Risk Countries) (Amendment) Regulations 2023 removed Cambodia and Morocco from the list of countries for the purposes of enhanced customer due diligence requirements in regulation 33(3) of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. No countries were added this time. On a general note, however, failure to pick up additions to the list (as when countries were added twice in 2022) is a point we often encounter when auditing under Regulation 21 of the 2017 Regulations.

The SRA has imposed fines on individuals for failing to comply with their firms’ policies, controls and procedures.

HM Government has published a consultation paper: Reforming anti-money laundering and counter-terrorism financing supervision. This discusses four alternative models –

  • Enhancing OPBAS, or ‘OPBAS+’;
  • Reducing the number of AML/CTF Professional Body Supervisors (PBSs) – either to two (legal and accountancy), or six (two in each of the three UK jurisdictions);
  • Creating a single AML/CTF supervisor for professional services, replacing the current PBSs; or
  • Creating a single AML/CTF supervisor for all sectors.

The consultation addresses supervisory effectiveness, leaving the impression that effectiveness is measured in the size of fines, comparing them with the fines levied on large financial institutions which are often many times the size of professional service firms. Successful regulation should mean that firms are compliant, resulting in fewer fines, not more.

Links to the above documents are on www.legalrisk.co.uk/News.

Sticking with the theme of fines, the Government has also published a factsheet on The removal of the statutory cap on financial penalties for the Law Society, as delegated to the Solicitors Regulation Authority, noting that ‘[when] the SRA believe a financial penalty above £25,000 is applicable to a case, the process of referring cases to the [Solicitors Disciplinary Tribunal] is time-consuming and resource intensive due to having to participate in any hearings.’ One could probably say the same about criminal trials. The point is of concern with the enhanced fining powers of the SRA, acting as prosecutor, judge and jury.

This all emphasises the significance of ensuring compliance before things go wrong. We have been advising on AML law and regulation since before the Money Laundering Regulations 2003 came into force. As well as audits, we advise on risk assessments and policies, controls and procedures, and provide focused training for compliance teams, including new Money Laundering Reporting Officers and Compliance Officers. Firms which have not had an AML audit in the past 18 months should be planning their next audit; a shorter interval may be appropriate if there have been significant changes in the practice.

The Russia (Sanctions) (EU Exit) (Amendment) (No. 3) Regulations 2023, in force from 30 June 2023, introduce a broad prohibition on the provision of non-contentious legal services. The Russia (Sanctions) (EU Exit) Regulations 2019 include consolidated amendments. Links to guidance from HM Government and The Law Society are on www.legalrisk.co.uk/News.
