SRA COFA Conference 14th October 2015
The Team from Financial Eye attended the SRA COLP/COFA Conference on 14th October 2015 and we are pleased to bring you some of the highlights from the day. There were approximately 800 attendees and a wide variety of subjects were covered, both in the main conference hall and in workshops.
We hope that you find the following to be of interest, especially the section on cybercrime which is becoming more and more of a threat.
If you have any comments or queries or wish to discuss any of the following, please do not hesitate to get in touch with me or any member of our Team. We would be delighted to chat to you about how Financial Eye can help your Firm, as well as giving you some insight into how to better protect your Firm against cybercrime.
1) Question of Trust
The SRA gave a detailed explanation of their new initiative “A Question of Trust”. The purpose of this new initiative is to explore solicitors’ professional values and standards and to understand what that means in practice.
This wide-reaching campaign will help the SRA identify where there is common ground between the profession and the public, identifying what are considered minor issues and what are not. Feedback from this will form part of the development of a future SRA reference framework. The campaign runs until the end of January 2016.
They are inviting the profession to complete their professional standards survey, which is available via their website. This will tell them what you think they should be doing when things go wrong. There is a wide variety of scenarios to consider, including solicitors drinking and driving, losing or having files stolen, and misusing client money. They want to know how serious you think cases like these are.
At the Conference they ran through some example scenarios and asked the audience to vote (on a scale of 1 to 6) on how serious they rated the scenarios. The range of different ratings was enlightening to say the least. One example was where a solicitor had used client money to pay wages. 71% of the audience voted to strike off the solicitor, but there were some who said that no action should be taken on the basis that it was a one-off occurrence! A further example was in the area of weak IT systems allowing data to be hacked (this was basically failing to protect against cybercrime). 64% of the audience saw this as a mid-range offence, whilst some said take no action and some said strike the solicitor off.
The more professionals that complete the survey the better for the SRA so have a look at it and see how you get on.
2) Small Firms
The SRA summarised some of their initiatives that relate to Small Firms and Sole Practitioners:
- There is a dedicated section within the SRA Website for small firms and Sole Practitioners
- The SRA have a dedicated Supervision Team who offer practical help for small firms with regulatory issues and compliance
- They have set up a virtual reference group for small firms and Sole Practitioners
They have identified some trends:
- They have been asked for advice on client care, confidentiality, publicity and the SRA Accounts Rules
- The main issues raised are around managing the closure of a firm and the restructuring of firms.
They explained that recent intervention grounds have included suspected dishonesty, bankruptcy and disorderly closure due to illness or incapacity of sole practitioners. Guidance on how to avoid these grounds is available from the Ethics and Guidance helpline.
They stated that 80% of the 11000 regulated Firms had an annual turnover of up to £400,000 and had a maximum of 4 Partners. In addition, there will be focused regulation for SMEs.
There will be changes in the following areas with effect from 1st Nov 15:
- “Deemed approval” of a COLP/COFA where the individual is a lawyer manager in a Firm that has an annual turnover of less than £600,000.
- Authorisation of sole practices
- Changes in recording Non-material breaches (providing further clarification and guidance on the current requirements)
- AR changes
- New Apprenticeship scheme
Looking ahead, from 2017 onwards, they are intending to carry out:
- Review of SRA Handbook
- Review of the SRA Accounts Rules, as there are too many rules which are too easy to breach
- PII requirement and how the Compensation Fund operates.
Operational Reform is coming. This will include:
- Online forms and applications (many forms are going to be reduced in size and will be “smarter” in design)
- Shorter process times
- Easy access to web guidance and material.
Key Issues for SRA:
- Applying to be RSP after loss of Partner
- Appointing COFA
- PII – run off cover “trap”. Big problem for SRA
There were several questions from the audience including one about Lenders and small firms being excluded from panels. On this occasion, SRA had no answer and even admitted that they were not aware of any issues in this area.
3a) AML
There have been 700 reports of bogus firms in the last 12 months. The Financial Action Task Force are due to carry out an Inspection in the UK in Spring 2017. There is a concern over SARs as only 1% of SARs received come from Solicitor Firms.
SRA visited 250 Firms from October 2014 – May 2015 re AML compliance. Their Report is due to be published in late Autumn. Key findings are:
- 30% of MLROs have not received any training
- AML Policies & Procedures are not easily accessible in some cases and some are not kept up to date.
- Training is varied and training records are not being kept up to date
- There is a large number of people offering AML Training and it is of varying quality.
3b) Cybercrime
Solicitors are the 4th most frequent subjects of investigations into data breaches as Law firms are being targeted by cyber criminals. The SRA do not want to deter firms from using technology to assist them in their defence, e.g. Cloud, and stress that risks can be managed. They revealed that cybercrime is becoming more sophisticated with funds lost ranging from £50k to £2m. There is a huge impact on the victim including reputational damage and financial instability. There are 6 key areas:
Malware:
- Downloaded via websites or e-mails
- Ransomware – “cryptolocker”. This is where a firm is requested to pay a fine before being able to access files. SRA believe that a lot of ransomware incidents go unreported.
Phishing:
- An e-mail is sent to you asking you to do something
- Could purport to be from a Bank, the Police, the Regulator etc.
- They are extremely convincing
- They replicate genuine individuals. For example, an e-mail received from a bank asking the Firm to transfer money to a designated safe Account as their own Account is under threat and is the subject of an investigation.
Spear Phishing:
- An e-mail purporting to come from a senior person within a Firm, for example, the CEO telling the recipient to pay funds to a Bank Account. The e-mail is fraudulent and did not come from the CEO – his e-mail address had been hacked.
E-mail re-direction:
- This is when an e-mail (that appears to be from a client) is received by a Firm close to completion of a transaction asking them to pay the funds to a different Bank and Account.
- The SRA have been made aware of 24 attempts so far in 2015 where the attempt has been successful and Firms have lost money.
- Clients can also receive such e-mails asking them to pay money to the law Firm but with a last minute change of Bank and Account.
- These usually involve property transactions.
Vishing:
- This is a telephone scam where a Firm receives a call purporting to be from a Bank, the Police, the Regulator etc. advising the Firm that their funds are under attack.
- The caller attempts to get passwords etc.
- They can use numerous stooges, for example, “let me pass you on to my Manager who will explain the situation in more detail”
- The fraudsters search an individual within the Firm on social media to find out personal details so that they appear to be more plausible.
- They may suggest that the individual calls them back for peace of mind, but they keep the line open so in fact you are calling the fraudster back
- They can even replicate genuine caller numbers on the Firm’s telephone display.
Standing Order/Mandate Fraud:
- This involves setting up a new standing order or amending an existing one so that funds are sent elsewhere by a Firm
- They can purport to come from an existing supplier or a new one
- These often go undetected for a period of time, especially in larger Firms with a large Accounts Department as such amendments often are not checked by a supervisor.
Controls against cybercrime
- Keep passwords secure and not guessable, e.g. do not use “password”
- Keep software security updated
- Train staff (including non-fee-earners, such as those in the Finance Department)
- Be aware that no Bank, Police or Regulator would ever ask for passwords or ask you to transfer money
- Never doubt how sophisticated and clever these fraudsters are
- If in doubt – terminate the call. Do not be afraid to hang up!
- Do not use phone numbers that have been provided by the caller to call them back on
- Use a separate telephone line to make a verification call and make sure to call an independently verified telephone number
- If a client wishes to change the bank account details, a Firm should:
  - Include ID verification
  - Never take shortcuts
  - Never accept an e-mail or a telephone call that changes these details
- Each Firm should advise their clients of the above three steps at the outset
- Check standing orders and mandates regularly and have amendments independently checked to ensure that they are genuine
- Carry out a regular web search to check that your Firm is not being copied (e.g. bogus law Firms)
- If you have any suspicions about your Firm being cloned, report this to Action Fraud and the Regulator
- If in doubt – STOP and CHECK.
4) Client Money
The SRA explained that there were around 4000 qualified reports per annum with Regulatory action being taken on 10% of those reports. There will be new guidance for AR on breaches and reporting, which gives an indication that the SRA are looking to focus more on circumstances where client money is really at risk, not the 14 day transfer rule.
There are no market alternatives currently to holding client money other than the BarCo system which is not a transactional facility.
In respect of Charitable donations on residual balances, it appears that this is not a big concern for SRA if these are dealt with properly by Firms.
For information, the SRA Compensation Fund paid out £23.8m in the year to 31/10/14, compared to £13.8 in the previous year.
There are changes that are due to be implemented from 1st November 2015:
- There will be a removal of the prescriptive approach to the work needed to be undertaken to prepare the annual Accounts
- The SRA will provide guidance to the Reporting Accountant
- Reports will only have to be qualified if there are real risks to client money
- Low risk/low impact Firms will not need an Accountant’s Report
- Firms with under £10k average client Account balance and a maximum client balance of no more than £250k won’t need to obtain an Accountant’s Report
- The above will benefit circa 13% of Firms.
- New guidance will be posted on the SRA Website including details of what the SRA considers to be good and bad practice.
- A webinar covering the above will be available to view on the SRA Website after 15th October 2015.
5) Getting Authorised
The SRA provided an update on the subject of getting authorised:
- Now 1.8 months for new applications to be processed
- Simplified forms are now in use
- For Sole Practitioners, they are looking at a lifetime licence (instead of annual renewals)
- No approval is required for managers in Corp member of ABS
- SBR – less prescriptive, seeking more clarity in the relationship
- Have workaround for Unions and Local Authorities
6) Practice Structures
There was a subtle message for Practitioners in the opening and closing sessions: with the many changes which have taken place and are taking place, look in particular at ‘future financial viability’. Practitioners were urged to consider partnerships with non-lawyer interests, and a strong future was seen with ABS structures.
7) Training and CPD
The new approach to continuing competence is to be implemented by all Solicitors by 1st November 2016:
- Based on the ability to perform the roles and tasks required by one’s job to the expected standard.
- In future, there will be personal responsibility for learning, development and application for those with special roles, which would include COLPs and COFAs.
- Much comment about days no longer being lost from actually earning money.
- How to evidence learning for completion of the new self-certified competence statement.
The SRA reiterated their Contact Centre can be contacted by phone on 0370 606 2555.
John Graham
Financial Eye