Investigation and Supervision of the Solicitors Regulatory Authority (SRA) delivered a risk outlook at a Legal Eye seminar in Birmingham on 1 March 2017.
With cybercrime top of the SRA agenda, attendances were high and included directors from the top three conveyancers as well as many members of the Conveyancing Association – a clear indicator of the worry which exists within law firms.
Cybercrime
Cybercrime is now the most frequently reported category of crime in the UK. Nearly a third of all offences against individuals reported to the Crime Survey for England and Wales are reported to be cybercrimes.
In December 2016 the SRA released their new report on IT security: “keeping information and money safe”.
The SRA tells us that there is no doubt that law firms are targets for cybercriminals. Law firms hold sensitive information that can be valuable for identity thieves, insider traders and other criminals.
In addition, the large sums of money passing through the client accounts of conveyancers in terms of client monies and mortgage funds make them a prime target. Half of all cybercrime reports the SRA receive involve the theft of conveyancing proceeds through email modification scams.
It is no surprise that cybercrime can cause serious losses. Across the economy, cybercrimes cost UK businesses £1 billion between March 2015 and March 2016.
Email modification fraud regularly involves thefts of £100,000 or more from conveyancing proceeds. While insurance may cover the loss, money stolen may not be available for the client when it is needed, which can, and has, caused disruption and delay to transactions.
Areas where law firms fall down
The SRA thematic review of anti-money laundering found that overall solicitors generally had effective procedures, processes and practices for dealing with money laundering and counter terrorist financing. The areas where firms are falling down are in poor implementation of the processes and procedures and keeping these procedures up to date.
Legal Eye has seven years of experience carrying out desk top reviews, and more importantly, field visits in law firms, primarily conveyancers. We have found that 95% of client care packs reviewed were not compliant, 81% of firms did not have robust file review processes in place, including some Lexcel and CQS accredited firms.
Overall, we know that within the legal sector, most cybercrimes actually target people, not technology. For example, phishing depends on deceiving a staff member. Malware most commonly arrives as a fake attachment to an email, tricking staff into opening it. Email modification fraud depends on staff not querying emailed requests to change bank details.
Lender panels
So knowing this, what can lenders do to manage their panels and protect their mortgage funds and those of their customers?
Lenders need to prioritise the protection of their funds, their customers and most importantly their reputation. Any adverse publicity in this area can be seriously damaging.
Our reviews identify non-compliance with CQS as a regular occurrence. Given that this is the vehicle many lenders rely on to effectively “manage” their panel this is concerning and also identifies that simply being accredited by CQS is not enough to protect lenders and their customers. There should be an audit process conducted by lenders to ensure they can confidently report internally to their risk teams that they are satisfied the firms on their panels are managing their risk appropriately.
Panel managers understand and can identify the risks first hand, both from a desk top risk-based analysis through to a substantial sample of field visits to law firms. They are then able to ensure that the correct steps are taken to lock down systems, helping to prevent law firms on lender panels from being “soft targets” whilst also protecting individual firms from attack.
ULS has invested significantly to ensure that we remain at the forefront of technology and work closely with our panel firms to assist with their compliance and service delivery needs. We achieve an equitable relationship with law firms in a way that is not possible for lenders without significant investment.
Panel managers can, for example, on the lenders behalf, ensure that the government’s cyber essentials scheme is followed; and that systems and processes are in place to ensure firms are protecting themselves; and crucially, staff are trained to recognise common scams. Panel managers are uniquely placed to develop these relationships and ULS particularly hold a 360-degree perspective between all related parties.
Whilst the current market is relatively level in terms of growth, lenders need to be ready for the potential growth curve that will follow in the remortgage market with possible rate rises or when the market responds to the housing crisis.
These market changes will inevitably coincide with the increasing risk of cybercrime attacks on firms and the need for better support for those firms to ensure that the lenders’ funds and reputation remain intact.
