Financial Eye attended the 5th Annual COLP/COFA conference in Birmingham last month. The event was well attended as usual with over 1,000 delegates hoping to learn more about what risks firms could anticipate during 2018 and what the SRA was doing to assist firms meet these challenges.
SRA Chief Executive, Paul Phillip outlined a 3-year plan that has now been approved by the Board of the regulator. The SRA engaged with some 6,000 firms over the past 9 months to help them develop a regulatory strategy that would help to bolster public confidence in the profession. This has now been published and is available on the SRA website. In summary, strategic aim one is to maintain high standards including the introduction of a new code of conduct and a new enforcement strategy.
Strategic aim two will deliver regulation for all types of firms ensuring proportionate regulation and will include a further review of the SRA Handbook. Strategic aim three hopes to increase consumer choice and protection and amongst other things could lead to firms being required to publish pricing information for certain services as well as complaints data. Delegates were also advised that the SRA operating budget continues to be reduced and the new SQE should be in place by 2020.
Cyber crime was also a topic of much discussion on the day. Law firms continue to be a target for cyber criminals because of the size of the industry: it is worth some £30 billion, involves 10,300 regulated firms and employs 140,000 regulated individuals. Other statistics reveal that 1 in 10 people are falling victim to cyber incidents. There were only 132 reports of cyber crime made to the SRA last year, and yet 1 in 4 firms admitted to being targeted. The 4 main crimes are still email modification, CEO fraud, hacking and ransomware.
Solicitors and compliance officers were reminded that they must report a loss of client money to the SRA. They must also remedy the loss immediately and make changes to internal processes and training. Failure to do so will result in fines and other disciplinary action. Michelle Rosen of Brightstone Law spoke to delegates about her own experience in this area. She carried out her own cyber risk assessment but recognised that she had little IT knowledge. She put processes in place so that all suspicious emails requesting changes to client account details are sent to her. Spam emails are photocopied and circulated to all staff to help them remain alert to future attacks.
Debra Malpass of the SRA advised firms to tell clients at the start of the transaction to strengthen their own personal email passwords, and to always include a "no change of bank account" warning in all email footers.
Sian John of Microsoft stressed the need for anti-malware on all end-point devices, regular patching, and changing passwords to stronger ones. Firms need to be able to detect what is going on in their IT infrastructure. She advised firms to bring in somebody who knows what they are looking at to check their IT.
Juliet Oliver, General Counsel at the SRA, opened a discussion on data and the new GDPR regulations due to come into effect in May 2018. Safeguarding client data is not new, and we already have the Data Protection Act. There has been a steady rise in the number of breaches reported to the SRA. The biggest fine imposed to date is £250k. The SRA confirmed that they will be factoring the new rules into minimum terms discussions with PI insurers next year. Karen Round from the ICO also addressed delegates about getting your firm ready for 25th May 2018. She explained that the ICO works with various government departments. Other reforms include a new law enforcement directive and a new data protection bill to replace the 1998 DPA. She reminded delegates that there was already a duty to report all breaches to the ICO, including loss of data and unauthorised access to data.
You only have 72 hours to report to the ICO. If there is a high risk to individuals affected by the breach, you must notify them as well.
The best thing to do is to start by looking at your own systems and processes and your hard and soft data, and then decide what might constitute risk. For firms with fewer than 250 people, there are different sets of rules and tests. Ask yourself: do you need a DPO? Each firm will have to read the guidelines and decide for themselves. The lowest tier maximum fine is 2% of turnover up to £2m. Fines will be applied proportionately. If you are already complying with the DPA you are well on the way.
Mobile devices are particularly vulnerable if not properly protected. Firms were recommended to visit the ICO website for more information on GDPR and to complete its 12-step risk assessment. The ICO also has an SME self-assessment you can take, and confirmed it would be publishing more guidance soon. It was acknowledged that law firms are required to retain certain documentation. If those reasons are valid, you can still retain it and there is no need to report. If you have documentation that you do not need to retain, the ICO advises firms to destroy it. Most importantly, firms need a data protection policy in place that includes training, especially for home workers and for when an employee leaves the firm. The data must not go with them!
The final session was on managing financial risk. Delegates were advised that the driver behind all the recent developments in anti-money laundering regulation is keeping the public safe: helping to catch terrorists, drug traffickers and people traffickers, and preventing tax evasion. The new regulations were published this year and more changes are set to come. The SRA are going to be more active in this area, and the information gathered will be passed on to the relevant authorities. The legal sector continues to be a high-risk sector, and conveyancing is particularly high risk. Small firms are being targeted by criminals for high value property. The advice to firms was – really get to know your clients. The SRA has an ethics helpline that you should contact if you have any concerns in this area. Not enough firms are reporting concerns to the NCA – particularly concerns about the source of funds.