Last week, the SRA held its annual Compliance Officers Conference in true 2020 style: as a virtual series. With 10 sessions held throughout the week, experts from across the organisation and wider industry shared best practices and updates, and answered questions from attendees.
We were among the many watching the simulcast from YouTube, and bring you our top highlights of the week. If you missed the live event, the SRA have published all sessions to their website, where they can be viewed on demand.
What does Brexit mean for AML regulations?
Brexit will likely have minimal impact to anti-money laundering regulations, according to Colette Best, Director of Anti-Money Laundering at the SRA. “The underlying money laundering regulations will still remain the same,” she confirmed.
Though the 5th AML Directive made a splash this year, new directives may be less applicable in the post-Brexit world. “We won’t be implementing the 6th Anti-Money Laundering Directive from Europe,” explained Best. “That’s primarily because the UK legislation already covers the necessary provisions in the directive, so no changes directly from that.”
This confirmation may elicit a sigh of relief for firms only recently coming to grips with last year’s guidance as Covid added complications to many firms’ day-to-day operations. However, Best did caution firms to be aware of shifts in financial sanctions legislation. “The underlying legislation there is changing,” she said, highlighting two points of importance: first, “Make sure that you’re checking the correct sanctions lists post Brexit,” and secondly, if firms use electronic due diligence services, “Make sure your provider is shifting over to the correct lists.”
Electronic CDD is A-OK with the SRA — but remain vigilant
With the nearly overnight shift to remote operations, firms have had to make technological leaps this year. One of the primary areas of change has been in conducting adequate and appropriate client due diligence checks where an in-person meeting isn’t possible – or safe.
Many firms now use electronic CDD checking technology, so what does the SRA advise firms to ensure they’re conducting these checks safely?
Zoe Allen-Robinson, AML Proactive Supervision Manager, Anti-Money Laundering for the SRA, discussed the importance of really understanding the solution you’re buying into. “We strongly suggest you’re aware of the limitations and the extent to which you can use electronic due diligence and their sources of information,” she said. Additionally, when implementing this technology into their onboarding flow, firms should “also be mindful of any manual overrides and where you set potential tolerances” to ensure information is accurate.
Delving further into the risks of incorrect information, SRA Director of Anti-money Laundering, Colette Best, highlighted that technology may help improve quality of information, as “the human interaction can actually be where the error is introduced.” Conducting remote client onboarding for many firms still means manual data entry as part of the verification process. “So, if you’re using electronic verification, make sure you’re spelling names right and getting the answers you expect.” This risk further drives home the need for more automatic onboarding processes which reduce the likelihood of human error.
While technology can offer both better client and firm experience in the CDD process, adopters can’t just implement solutions without understanding the nuts and bolts. Clarifying the responsibilities for firms, Amasis Saba, Chair, Law Society’s AML Taskforce said, “The key is that using electronic verification is not a requirement,” but for firms opting to take advantage of this technology, “You need to be able to understand it . . . It is not good enough to just point to a website and say ‘this said it was okay for me to take on this client’.”
One of the most asked questions of the past few months has been around the new costs associated with conducting electronic CDD.
So, can clients be charged for due diligence costs? Best confirmed the SRA’s position is now yes, you can pass these costs onto clients – so long as it’s clear in your terms and conditions and the client is aware that it will be happening.
Bringing compliance together with tech adoption creates firm-wide success
With the accelerated adoption of technology throughout 2020, balancing what may feel like competing priorities of compliance and client needs has been tricky for many.
In their session discussing technology, the SRA made it clear that one does not negate the other.
In fact, bringing in a compliance focus (and your compliance team) early in the process of implementing tech actually makes adoption quicker, more secure and enables a more considered thought process around what solutions may be better for your particular firm.
As April Brousseau, Global Lead, Create & Innovation at Clifford Chance said, “I’ve seen in the different firms I’ve worked at, the different functions operating as silos and the perception that you don’t call compliance until you need to complete your data privacy impact assessment or you need someone to review the contract.
And that’s not very effective because compliance then can’t do their job well because they don’t have the context of the problem that needs to be solved, and it feels very much like ‘I’m passing the ball to you now you run for a little while but you don’t get to make any decisions’.”
It all comes back to developing a firm-wide compliance culture – something we discuss in our guide with former SRA Executive Director, Crispin Passmore – and making compliance central to decision-making in the organisation.
Overcome tech adopt-aphobia in your organisation by bringing it back to simplicity
Of course, just because the world demands remote operations doesn’t mean it’s suddenly effortless to bring solutions into your organisation with 100% uptake. But with the right motivations, users from across the firm can find it improves their day-to-day and client satisfaction.
Tahlia Woollatt, Partner at fully-digital firm Parkinson Woollatt, discussed how they made the choice to be a totally remote firm. “Once you can get that initial buy-in from people, it doesn’t seem to be over-complicated.” She encouraged upskilling firms and users within them on the use of remote technology.
Amy Bell, Managing Director at Teal Compliance and Teal Legal reiterated this point, highlighting three key ways to position integrating tech into the firm. First, “It’s really got to be about the clients,” she said. “How are you using the technology to improve the clients’ experience? Everything we do will be driven by client demand, we just need to be in a position to respond to that effectively.”
Where clients now expect the same experience they receive when shopping, joining a new bank or booking a holiday, “It’s about matching expectations,” she said.
Second, for the user at the firm, it’s important to make it clear what’s in it for them. “Sometimes the way we experience legal services, onboarding for example, where we’re still getting a big pile of paper to look at and digest, it just seems out of step from buying a brand new car.” Show users throughout the firm how it can improve their day-to-day and job satisfaction.
And third, the most immediate way to get tech embedded in the firm is sponsorship within the firm from the top. Bell noted, “A common feature of successful adoption of tech is the backing by leadership in a firm.”
Acknowledging how difficult it’s been for the legal sector to adopt technology until it became a necessity, Bell discussed how, as COVID-19 forced the industry into tech’s arms, it wasn’t actually a massive leap for most individuals: “In our day to day lives, we use technology all the time,” she said. “We use very sophisticated technology all the time, so if we’re coming across solutions at work that look and feel like other solutions that we may have, it’s not a massive change.”
So where to start?
Start by putting together a technology and implementation strategy, evaluating your vendor based on your needs and expectations, and striving to understand what the features can actually deliver and enable for the firm – rather than getting distracted by shiny promises.
As Shak Ashraf, Managing Director at Forte Markets suggested, “Get a quick win.” When thinking about putting together a technology or modernisation strategy, “It’s not all innovation – it’s about renovating at first.”
Bringing it all back to basics, “Legal tech seemed to be this really big, complicated thing,” Woollatt insightfully explained. “The key was keeping it simple – not overcomplicating the technology. Thinking about what it is you want to do, and finding the most simple route to doing that.”
Security has become even more critical as risks become higher and more difficult to spot
Karen J, of the National Cyber Security Centre, was cautiously optimistic about the way the sector has handled the shift to home working: “Firms have done a great job, and many firms have had to very quickly get their staff working remotely, and ensure that their systems are resilient and able to cope with the new environment that we will find ourselves in.”
However, this considered effort hasn’t put cyber criminals off trying to exploit the new way of legal working. “Inevitably, some of the cyber risks have increased,” J said. “People are exploiting the fear and uncertainty caused by the unstable social and economic position created by COVID-19.”
In fact, J explained that over the course of 2020, the NCSC has seen a 300% increase in phishing attacks.
It’s not enough to do one training session or expect a common sense-based approach to security. While many in the sector have spotted and reported phishing, ransomware and other cyber scams, fraudsters and scammers are getting even craftier.
Use of good, secure technology can help arm firms against these threats, but the risk needs to be handled as a central tenet of operations. “Cybersecurity is about your whole business, and you need to make sure that you make your own assessment of the risks in order to have those really robust policies and controls,” said Rachel Clements, Regulatory Manager at the SRA. “You could say that good governance is probably as important as good tech.”
The discussion included topics like dealing with and preventing phishing scams, ransomware attacks and in-person threats to equipment and privacy. They also touched on the risks inherent in transferring client funds, and as J warned, “Reliance on using the cloud, cloud services, and Office 365 in particular are becoming an increasingly common target for a range of threat actors.”
How to combat the constant threat? J offered some simple advice: “This all comes down to knowing your customers – how safe is everyone’s data as it flows through the supply chain?”
One core area of advice focused on the critical use of video conferencing services.
While we’re used to a high level of vigilance in-person, “It’s really easy to slip out of good habits when our office environment changes,” J said. “We’ve more staff now working remotely, video conferencing has an obvious role to play.”
The NCSC has produced guidance that helps organisations to choose, configure and securely implement video conferencing services.
J offered advice on making sure your video conferencing is as secure as possible: “You will want to ensure that the video calls themselves, and only other data such as messages, shared files, video transcriptions and any recordings are protected.”
Some key takeaways to protect yourself from the most common type of cyber incidents were:
- Make sure you use a really strong password – the NCSC recommend you use three random words, “for example, ‘toffee aeroplane bottle’.”
- It’s okay to store passwords in password managers, but make sure that your password manager also has a good password.
- Make sure you keep up to date with your software updates, and keep regular backups and store them offline, so should you be a victim of a ransomware attack, you can get access to your critical information.
- Make staff training a priority, and use the resources available to inform this training. “Top Tips for Staff” is a free training package available on the NCSC website, for example.
With five days of sessions, these five summations only scratch the surface, so for more information, be sure to watch the recorded sessions.
If you’d like to delve deeper into topics like compliance, how tech can improve your client journey, ways to improve your cash flow or general tips from the industry – take a look at our resources page.