Five challenges keeping compliance professionals awake at night
Regulatory compliance, ransomware and reputational damage – compliance officers have a lot on their plates. Here’s how to alleviate some of that pressure.
Compliance Officers for full service legal firms never have a straightforward time of it, but the past two years have been particularly challenging. As colleagues moved to work from home during the pandemic and legal processes have been digitised, compliance and risk management have only become more complex.
Compliance should be a shared responsibility across a law firm and its stakeholders, who commit to the necessary systems and processes that have been put in place. In reality, it can often feel like a lonely role, where the consequences of making a mistake are high. For some, it’s holding back digital transformation, particularly because indemnity insurance costs increased up to 23% last year. In response, a spokesperson from the Law Society said: “It’s essential that members take steps to review their risk management practices and ensure these are adequate to avoid all but the most improbable claims.”
Alongside rising insurance premiums, here are the other top five challenges keeping compliance professionals awake at night, and how to address them:
Compliance Officers are officially responsible for ensuring a legal firm has the systems and processes in place to demonstrate compliance in accordance with guidance from the SRA, the GDPR and its anti-money laundering (AML) obligations. The SRA has stepped up its AML enforcement action, is now checking an average of seven firms per month, and looking to increase the level of fines it can impose (from £2,000 to £25,000).
The SRA have acknowledged the growing burden of AML checks and recommended firms introduce deputy money laundering reporting officers to share the workload. AML should be incorporated into case management systems and workflows, using digital platforms, such as Thirdfort, which combine digital ID verification, automated AML and source of funds checks to streamline compliance. That’s become even more important recently, with the sanctions imposed by the UK government on some Russian nationals and entities.
Law firms are targeted by cybercriminals because they often manage financial transactions and hold valuable corporate data. In the first half of 2021, just under £1m was reported to the SRA as having been stolen. Hackers will look to exploit a vulnerability in software, intercept communication to divert money into a fake account, or steal confidential information and demand a ransom for its release. In 2022 criminal defence firm Tuckers Solicitors were fined £98,000 after failing to secure sensitive court bundles that were later published on the dark web.
Compliance officers should work with IT to make sure systems are up to date and patched with the latest security fixes, and be prepared to assess the security credentials of third-party suppliers. Forsters partner and compliance officer Stuart Hatcher, says security is a key priority for the firm: “Losing our clients’ data or having systems locked down by ransomware could shut down our business, so we are sharply focused on data security and regularly run penetration testing.”
Beyond ransomware, phishing and spoofing emails are another threat, particularly for those working in conveyancing and probate. According to figures from the SRA’s compensation fund, the source of the most successful claims in 2019/20 were due to issues with sales proceeds, return of deposits and probate. Confidential client data is also at risk.
According to IBM, human error is a contributing factor in 95% of all data breaches. Training is needed around email security so that colleagues can spot suspicious messages and report them. Those that claim to be from senior management or suppliers requesting money be transferred to different accounts, provide passwords or systems access should all be red flags, especially if the sender wants it in a hurry. Good password hygiene is important – employees should be encouraged to regularly change passwords and not use the same one across multiple systems. The National Cyber Security Centre (NCSC) recommends using three random words, as opposed to a complex variation of letters, numbers and symbols. Multi-factor authentication, where a code is sent via text message or email, is also increasingly being used to validate financial transactions.
Remote working staff are harder for compliance officers to keep an eye on, and people are more likely to fall for scams when they’re in a more relaxed environment. Deloitte found that 47% of individuals fall for phishing scams while working from home. The shift to video calling has also given cyber criminals more opportunities – between February and May 2020, more than half a million people globally were affected by breaches in which the personal data of video conference users was stolen and sold on the dark web.
Compliance officers need to make sure that robust policies and procedures are maintained, that staff remain vigilant, are up to date with training and feel comfortable reporting potential scams – and that’s difficult when everyone is working from different locations. Chun Wong, partner and compliance officer at consumer litigation firm Hodge Jones & Allen, says they’ve shifted the firm’s culture to empower everyone in the team to do their bit: “We have to give people sufficient support and training to spot risks and resort back when they are in doubt. This requires a culture of responsibility rather than blame.”
Financial penalties are one thing, but the reputational damage for a law firm that experiences a data breach, fails to abide by its AML regulatory responsibilities, or aligns itself with unsavoury characters can resonate for many years. After the release of the Pandora Papers, law firms were criticised for advising on matters that were technically legal but ethically dubious. And with the Russian sanctions, in response to the war on Ukraine, law firms are having to ask questions to balance the right of some clients to legal representation, against their own risk of being associated with certain people.
At Weightmans, partner and business services and innovation director Stuart Whittle heads up a risk and compliance team. Over the past two years, the firm has developed a risk register to evaluate the severity and impact of various risks. “Solicitors trade on their professional reputation for honesty, integrity and client confidentiality and compliance measures that protect client data and funds are critical to that,” he adds.
Forward thinking legal firms are embracing change and their businesses are benefiting greatly.
By bringing in simple, user-friendly solutions like Thirdfort for compliance management, these firms are successfully navigating the evolving regulatory landscape with the tech they now need to stay compliant and speed up client onboarding times.
If you’d like to learn more about how your firm can automate AML and ID verification using Thirdfort, book a demo with one of our team here.