£2.5m in client money lost in early 2020 – good policies and procedures essential say regulators

£2.5m in client money lost in early 2020 – good policies and procedures essential say regulators

With the housing market booming and mortgage applications at the highest levels since 2007, regulators are calling on conveyancers and law firms to ensure they, their staff and their clients are informed and vigilant.

Speaking at a webinar organised by Minerva ,Twindig’s housing analyst Anthony Codling joined regulators Sean Hankin of the SRA and CLC’s Stephen Ward to discuss the impact of the SDLT holiday, the pandemic and how avoiding fraud in conveyancing is even more important than ever before.

In an excellent overview Twindig’s CEO explained that on average purchasers are saving around £2,500 with the SDLT freeze. It was clear from Codling’s figures that the pressure on property teams across the country will be dealing with a massive strain on resources with 820,000 mortgages approved in 2020, higher than both in 2018 and 2019. With an estimated loss of 185,000 transactions in lockdown and then a gain upon the reopening of the property market of 51,000 it is clear to see why desks are groaning under the strain of matter files stacking up with impatient clients wanting to complete before 31st March. Find out more about Anthony’s in-depth analysis here.

Cyber-crime increased threat during pandemic?

All of which creates easy gaps for fraudsters to take advantage of, of course. The SRA’s Sean Hankin explained that whilst the regulator has been seeking to have a more proactive role in ensuring a firm’s compliance, the pandemic has not made this easy.

He said;

‘With the increased risk caused by remote working, solicitors and conveyancers using their own devices, own wi-fi, a lack of secure storage and basic things like not knowing who is actually in the office or not, the legal community is having to be even more vigilant than ever.’

Key to ensuring that, if subject to an attack, a firm gets the recourse it needs from its insurer, the SRA suggest that as a minimum the requirements of the Code of Conduct and the Accounts Rules are observed for every transaction. Working closely with the National Cyber Security Centre (NCSC), the SRA have seen that at the start of the pandemic the NCSC reported an increase of 400% in coronavirus related fraud last year. The SRA have publish various resources for firms including this Q&A on cyber security and the Cybercrime Thematic review.

Hankin explained that all the resources are there for lawyers on the SRA website with the Risk Outlook 20202/21 being the most recent addition.

Highlighting that, as mentioned in the Risk Outlook, conveyancers and those involved in property transactions are the most susceptible to frauds such as email modifications, phishing scams and ransomware. Notably, when coupled with remote working, CEO fraud is seeing a rise – ‘being able to check an email with a colleague across a desk is not something people are able to do right now.’

Key observations and tips from the SRA’s Head of Forensic Investigations and Intelligence were:

  • Make test payments with a £1 pathfinder – ensure that the recipient is who they say they are
  • Tell clients that you will NEVER change the firm’s bank account details
  • Speak with clients directly and then ask for written confirmation of what has been spoken about
  • Train all staff on the red flags and dangers that surround cyber fraud activities
  • Ensure your firm has up to date cyber cover as part of your insurance – does it cover cyber-attacks? Make sure that it does
  • When there are issues, make liaising with the SRA your first port of call – the sooner a firm engages the better

Increased risk caused by SDLT deadline

CLC Director Stephen Ward agreed that there is a plethora of instances where a cyber attack may occur; ‘Remote working has of course brought new risks – at the beginning of the 1st lockdown, a lot of firms were scrambling to get everything set up and even the most digitally forward firms struggled. Doing something at haste and speed can often mean that mistakes happen.’

Managing client expectations is always of course at the top of the agenda when dealing with a transaction, but coupling this with the SDLT deadline too, it is important to ensure clients are as well informed about Cybercrime as the legal professional.

‘It is worth saying that we have seen that after a peak over the past three or four years, where fraudsters have impersonated clients successfully or impersonated a colleague in your firms, that very often it is the client who has been a victim. Often this is in the form of a redirection, particularly deposit monies in conveyancing.’

As with the SRA, the CLC too has a wealth of toolkits and help for the industry that are easy to access. Keeping both colleagues and clients armed and informed is certainly key.

Keen to assist firms in helping getting the message across, the CLC have joined forces with the ‘Take Five to Stop Fraud’ campaign which provides some fantastic tips and tools to help educate clients and colleagues alike.

Protection of data key

A key takeaway that all lawyers need to take heed of was that cyber security is not just around protecting your clients’ money, it is imperative that data is secure too.

Sean Hankin explained to the audience;

‘Reporting an attack to the ICO is imperative when personal information has been compromised, ensuring a strong reporting process and lots of engagement with regulators can help create better outcomes. Firms may well have lost data in an attack, but with a good, safe and secure storage provision where data is backed up firms can often demonstrate to an insurer good practice and the insurer will pay out.’

Awareness around investment schemes – buyer funded developments

A newish fraud perhaps, but one that the regulators want the industry to pretty much steer clear of. Sean Hankin explains that at best – ‘Buyers may be unwittingly financing high risk or fraudulent property development’ with Stephen Ward giving a sage warning that ‘In one case we saw an actual fraud where the intention was simply to run off with the deposit money.’

Along with investment schemes, these are not necessarily conveyancing transactions, so both regulators were in agreement to approach such transactions with extreme caution and in the majority of cases to ‘turn the work away’.

Stephen Ward said;

‘Taking on that kind of work is risky for your practice, and will cause concern to your regulator and likely also your PI insurer.’

Regulators more proactive when it comes to AML adherence

As well as fraud and cybercrime, the webinar had its presenters discuss the latest surrounding AML risks. With the recent compiled guidance on AML from the LSAG, this is a hot topic for all lawyers.

Sean Hankin explained to attendees;

‘We now have a dedicated AML team which has a proactive function. We go on site to firms and look at how they are handling the AML risk, what policies controls and procedures are in place, alongside a firm wide risk assessment looking at how a firm does their client onboarding. The team will look at files, so where we may have been more reactive, it is fair to say that the AML team now do proactive systematic reviews.

‘The CLC too take all the obligations under AML very seriously of course, with director Stephen Ward saying; ‘As we know, money laundering is still a huge issue in the UK. And as frontline providers of services that are really tempting for money launderers, we have a significant part to play in tackling that particular type of crime.’

With the legal industry having traditionally being seen as the ‘weak link’, the SRA and CLC have a vested interest in making sure robust AML frameworks are in place and this of course has been strengthened by the creation of the Office for Professional Body AML Supervision (OPBAS).

Hankin said;

‘The SRA are regulated themselves by OPBAS and we are visited to ensure that we ourselves are complying with all obligations. There is a perceived low number of SARs (Suspicious Activity Reports), this is a rapidly changing environment with the 5AMLD regulations coming into force last month and the LSAG guidance which is awaiting HM Treasury sign off. Particularly of note is the stronger requirements for source of funds and firm wide risk assessments.’

Appropriate response to SARs

Responding to SARs reports in a timely fashion with adequate information is key when dealing with a defence. All parties involved need to ensure that they have the policies and procedures in place to appropriately respond.

‘The forensic team have investigated a number of matters over the last two or three years where there’s been poor quality or inappropriate use of defence SARs. So that will often happen when we see that firms haven’t done the appropriate level of due diligence and then later on in the transaction when monies are received they realise what those shortfalls have been and in order to complete the transaction, they then submit a defence SAR.‘

With criticism levied at the legal industry it is important that firms know that the regulators are there to support not to fear Ward said:

‘Now, I would also just say that the CLC prides itself on being an approachable regulator. And we’re always here to help you because that helps protect the consumer. We’d much rather hear from you as you become aware of potential problems, instead of later on when they have snowballed into actual problems that might well be very much more difficult to unpick. It’s also important to say that if you are the victim of fraud, or you suspect you might have been, tell us, tell your regulatory supervision manager, tell your bank, tell the insurer and tell Action Fraud’

The SRA spokesman noted to those listening that;

‘It’s worth recognising here that the law firms are in a unique position where they can often see the whole transaction. So they can see the money coming in from the banks, they can see who are parties to the transaction, who the beneficial owners are, when and where the monies go to. So it is incumbent upon law firms to take their obligations really seriously and submit intelligence or defence SARs, when appropriate. We urge you to do that. And obviously, what happens sometimes is that banks or law firm on the other side have submitted SARs and they know other firm involved. That firm may not have submitted a SAR when they clearly should have done. And again, that’s something we may have to go out on site and look at the conduct of that particular firm.’

Attendees were welcomed to ask questions at the end of the webinar and Minerva’s very own Richard Mathias was keen to ask Sean Hankin;

You’ve seen a number of cyber-attacks on firms which is worrying, can you give the delegates an idea of what the impact of having a cyber-attack is like?

The worst impacts have been when firms have absorbed trying to deal with everything themselves and not engaged with the regulator, not informed bodies like the ICO when a firm has known that personal information as has been compromised.

That made things worse if firms have tried to get into paying the ransom for the ransomware? Doing things like that only exacerbates the problem. It becomes worse not better and the disruption becomes worse and the reputational damage becomes worse and the potential problems for issues with the regulator down the line as well. Better outcomes are when there are strong reporting procedures in place, robust policies and timely reactions.’

Third party managed accounts are now permitted by both regulators – are you seeing firms go down that route?

Stephen Ward answered with ‘The take up has been slower than the CLC expected, but this does not mean it will not happen. The adoption of digital ID has been driven by necessity during lockdown and we expect this will extend to other digital tools now. At the moment, conveyancers are very busy and firms are telling us there are other tools they want to implement but that they don’t have the headspace at the moment. Perhaps after the end of March we will see more uptake. We actually ran a pilot of TPMA and it was concluded that there was an increase in not only security and confidence, but also a significant speeding up of transactions too. ‘

The SRAs Sean Hankin stated; ‘I echo all that Stephen says, our latest figures are that 58 firms have gone down the route, which is not many out 7,000, but it is early days. We formalised the ability for firms to use third party providers in the new rules. There are two more providers who are looking at coming into the market. I think we need an increase in competition so that people have more choice.’

Should you report a cyber-attack to the SRA or CLC even if client losses have been reimbursed by insurers?

Sean Hankin: ‘Yes it must be reported to the ICO within 72 hours, any attack that has accessed emails has breached personal data. Definitely something to discuss early doors.

In relation to CDD and obtaining AML reports can we make a charge to the client for undertaking this work? We already quote our clients at the outset for checking and verifying  ID, however we charge slightly more than the actual cost for the online checks to cover time and effort involved in this procedure. We understand these can no longer be considered disbursements, but equally do not want to be accused of hidden profits.

Sean – So it used to be the case that firms could not charge and we provided guidance to that effect. From the work we have done with the thematic team in particular though and looking at how the onboarding works– we have said it can be charged now as there is a risk that those who need a lot of CDD onboarding are subsidised by everybody else. We have stated that whilst there can be a charge, it must be transparent and part of the retainer.

Stephen Ward agrees – ‘Key point is that transparency one, be very, very clear what you are charging and whether you are charging cost or above. The client needs to be able to make an informed choice. ‘

How do we level the playing field to ensure we do not lose work because other firms do not take a similarly strict approach to AML and KYC?

Sean Hankin – So we often have this where firms say – ‘we took this client on as if we did not they would go elsewhere.’ Personally this is the wrong attitude to take. Firms who are not conducting those stringent checks are being found out. I can confirm that as part of the work we are doing. In particular the FI teams.

Stephen Ward – There is a compliance issue but is also about protecting your firm and reputation – why would you put yourself at risk? If firms are being cavalier about about AML and KYC then they are putting themselves at risk in ways that I would suggest you probably don’t want to.

How can you best satisfy your AML obligations when the funds for the property purchase are coming from crowdfunding?

Sean Hankin – it probably touches on the investment scheme views held by Stephen – be very cautious, we have taken firms to Tribunal over things such as this. Where there is fractional ownership it is very tricky, we have seen car parks and even storage pods as part of those schemes. It is very difficult – in terms of the CDD and EDD needs to be done on an individual basis – easier where there are verifiable businesses; it makes it easier rather than individuals or foreign investors and foreign jurisdictions.

Will the CLC or SRA be regulating digital ID providers?

Stephen Ward – short answer is no – we tend to describe the features and outcomes that a firm will want to achieve, by using a particular tool to deliver compliance. These are those that are required of you as a professional in this field. You need to decide whether they cover off your needs in your practice and whether they meet the compliance requirements that we set out. There are moves afoot to have an independent scheme to accredit digital ID providers and develop a single ID check for the conveyancing process, but that is some way off.

Sean Hankin – The SRA is the same and no we will not be approving providers. I would say that the new guidance from the LSAG has a section on EIDV which would be helpful. There is also FATF guidance around ID providers which would be useful.

Should the SRA or CLC be regulating the software used by firms such as case management systems?

Richard extended this question – would you provide a kitemark for software providers?

Sean Hankin – No, someone like the Law Society might, but we would not be able to regulate it.

If the CLC and SRA will not be endorsing digital ID providers will they be endorsing 3rd party accounts providers?

Stephen Ward – well it is the same answer really, I think what we went through with the guidance we issued on TPMAs is as I described just now in relation to digital ID, set out what a conveyancer or probate practitioner will need to achieve in terms of the security of client money, and if you believe that the tool that you are considering does that, then very good.

Could regulators issue a risk assessment checklist for a firm to use when onboarding a client?

Sean Hankin – we have moved away from things like checklists as we want firms to properly consider what the transaction is and what the risk are around that. We’d advise firms to really look at your obligations and what you have got when you are onboarding particular clients as it is very specific to the firm, to the client and to the transaction itself.

Stephen Ward – We don’t provide checklists or templates for precisely the same reason, we want you to think about how the risks ‘bite’ on your firm and what are the sensible steps for you to take? That said, there is a lot of advice out there to help you find your way towards developing using these tools for yourselves. So we have made it as easy as possible, whilst requiring you to do the work to really think about how to protect your practice and your client.

Have you considered how the use of open banking will impact on clients and client verification of funds?

Sean Hankin – Not something we are seeing as an issue at the moment, but we scan for risks, but it can certainly be part of your checks, like the pathfinder, to be sure the money is going to your client.

Interested in seeing the webinar in full? You can find the recording here.

This article was submitted to be published by Law Firm Services as part of their advertising agreement with Today’s Conveyancer. The views expressed in this article are those of the submitter and not those of Today’s Conveyancer.

Want to have your say? Leave a comment

Your email address will not be published. Required fields are marked *

Read more stories

Join nearly 5,000 other practitioners – sign up to our free newsletter

You’ll receive the latest updates, analysis, and best practice straight to your inbox.