Risk Update

Law Firm Risk Trends — Perspectives on AML, Data Security, Reputation Risk, Compliance & More

In this Law Gazette feature, “Joanna Goodman looks at the everyday perils that give compliance officers sleepless nights.” — “The watchful hours”

  • “Law firms need to manage risk and compliance effectively to meet their legal, financial and professional obligations, to keep their – and their clients’ – money and data secure and protected from fraud. Achieving that will safeguard their reputation and professional status.”
  • “As legal processes and resources have moved online, not least with the introduction of government portals, the compliance burden has grown more complex…The key message from the SRA conference, and from compliance officers across the sector, is that compliance is a shared responsibility across the firm and all its stakeholders. Good policies, systems and processes, which are the domain of compliance officers, need to be supported by awareness and action across the legal services supply chain.”
  • “Cybercrime is the top threat keeping compliance officers, partners and managers awake at night, attendees at the SRA conference heard. Law firms are targeted by cybercriminals because they manage the financial element of transactions and hold valuable corporate and financial data.”
  • “COLPs are worried about loss of data through hacking, phishing and ransomware, and even the biggest firms are not immune. DLA Piper’s high-profile ransomware attack in 2017 was down to third-party vulnerability, underlining the significance of managing supplier risk.”
  • “While the SRA does not take enforcement action against firms which report incidents, it emphasises the need for firms to assess and manage transactional risks and avoid breaches that are distressing to victims and damage the reputation of firms and their clients.”
  • “Chun Wong, partner and COLP at consumer litigation firm Hodge Jones & Allen, deems cybersecurity even more important in today’s hybrid world, as lawyers and clients working from home may be more exposed to risk. As cybercriminals are becoming increasingly sophisticated, it is impossible to eliminate risk entirely. ‘When you get so many emails every day, you need external help: investment in IT and third parties supports seamless hybrid working, systems security and compliance.'”
  • “To some extent, anxiety around risk and compliance is holding back digital transformation. While some regulations have been relaxed temporarily to allow for online identity checking and electronic witnessing and signature, firms are evaluating how much to digitise from a risk management perspective. ‘We accept electronic signatures for some legal documents, such as client care letters, but we decided the risk was too high to witness wills over Zoom, because we are not prepared to take the risk when large estates are involved,’ explains Wong.”
  • “For larger firms, risk and compliance can be integrated into core policies, processes and systems. Weightmans, which handles both volume and bespoke work, has incorporated compliance and risk into the firm’s governance model.”
  • “Partner and business services and innovation director Stuart Whittle heads the risk and compliance team. He explains that over the past two years, the audit risk committee chaired by one of the firm’s executive directors has developed a risk register to evaluate the severity and potential impact of different risks. Whittle’s team then decides on a course of action: to accept the risk, to insure against it, or to take mitigating action. The biggest consequence of risk is professional indemnity insurance, where premiums have increased significantly over the past year. ‘In a hardening insurance market, insurers want to understand your policies and processes for managing risks,’ he adds.”
  • “Additionally, Weightmans’ quality standards team remotely audits a selection of files across all teams against criteria including statutory and regulatory requirements, AML, KYC and so on, and reports back to each team manager with recommendations for corrective action if this is needed. Whittle’s IT and innovation teams follow a detailed procurement process, which includes a data protection impact assessment (DPIA).”
  • “Reputation risk is becoming a higher priority. ‘Solicitors trade on their professional reputation for honesty, integrity and client confidentiality, and compliance measures that protect client data and funds are critical to that,’ observes Whittle.”
  • “The fallout of investigations into the Pandora Papers highlighted the need for firms to balance protecting the right of individuals and organisations to legal representation against their own risk of being associated with certain people and industries.”
  • “Law firm risk management is starting to reflect the flipside of ethical consumerism, in that a firm might have to decide whether to represent particular clients on the grounds of its own reputational consequences, in terms of its ability to attract clients and talent.”