Speaking at the recent Legal Eye Annual Risk & Compliance Conference in Birmingham, Sean Hankin, Head of Forensic Investigation and Intelligence at the Solicitors Regulation Authority (SRA), laid bare the powers and practices of the regulator when it comes to inspecting firms.
Types of visit
AML proactive
Hankin ran through the types of visit that can be conducted by the SRA, beginning with AML Proactive.
This sees the SRA proactively assess compliance with money laundering regulations, engaging with firms to improve their compliance. Minimal disruption occurs through the process. Outcomes include a substantive feedback letter and, if required, a compliance plan. “Serious or systemic breaches” can result in internal referrals.
In selecting who to visit, the regulator uses data from the questionnaires sent out to SRA-regulated firms, assessing the data with a risk-based approach to determine who is in need of a visit. “Risk”, Hankin said, comes from the type of work a firm does, the type of clients they have, and whether they have clients in high-risk jurisdictions. On whether the questionnaire will be repeated each year, he said it “could well be an annual request with the way [AML] is going – but it won’t be the same request”.
Thematic
The SRA’s Thematic team assesses how different parts of the legal sector are working. They look at parts of the sector based on a theme such as access to justice, compliance, or reputation of the sector. They then pick firms to assess based on factors such as the type of work they do and where the firm is based.
Though firms cannot opt out, there is a flexible online booking system. The SRA will also engage with firms to explain the purpose of their visit and the theme, and may request information in advance, perhaps via a questionnaire. Kee fey earners and documents must be available on the day. Following the visit, the SRA will provide a summary of their findings to the firm.
Forensic investigation (FI)
“Of all the visits – I’ll be honest – this is the one you don’t want to be on the receiving end of”, said Hankin.
A forensic investigation can come about for a number of reasons, such as a whistle blower or a qualified accounts report. Hankin added that “it becomes fairly apparent what the regulator is looking at when we get to the site”.
There is usually a short notice period, though the regulator may sometimes turn up unannounced. However, Hankin said the SRA looks to avoid this as it “makes things more difficult for us”, conceding that the “we don’t have the ability to knock down doors or force people to speak to us”.
The investigation is mainly conducted on site and begins with discussions with the COLP/COFA, potentially followed by managers and fee earners. Accounting information will be reviewed.
On potential outcomes of an investigation, Hankin said:
“About 50% don’t result in any outcome. The rest result in a disciplinary report which then goes to desk-based regulators for them to further engage with the firm and give the firm additional opportunities to discuss.”
Desk-based investigation
The SRA may conduct a desk-based investigation around a specific issue. It is capable of being resolved solely by correspondence, though production of client files is sometimes required.
There will often be a complainant client involved. On this, Hankin said:
“The difficult part is there’s a complainant on one side and a firm on the other. It’s difficult to make sense of what’s gone on. It’s useful to bear this in mind and that we can’t please everyone.”
Further tips and things to consider
Haskin concluded by offering a series of further tips to firms on how best to deal with a visit from the SRA, as well as answering the questions of those in attendance.
“Don’t wait for the knock”
“When you receive a report or something that might spark off an investigation, one of the first things we think is: ‘did the firm tell us themselves?’. It always, always, always looks better if the firm told us and if they’re trying to proactively look at things themselves. The main thing is don’t wait. While you might have a protracted internal investigation, make a report early on and work with us.”
The benefits of engagement
“All we want to do is close the investigation as soon as possible with the right outcome. No one gets any bonuses for keeping a case open for six or twelve months. All we want to do is get as much info as possible and get the right outcome, which is in most cases no further action.
We have firms who stick their head in the sand and don’t engage. We’ll get it in the end – it just makes it far more difficult.”
Things to be on high alert for
“Client money, cyber-attacks… these are things that definitely need to be reported to us. Even if [somebody breaches rules and they are] not a solicitor, we can prevent them working in other firms should we need to.”
“Pick the phone up”
“In the letter there will be a lot of detail of what you need to do to prepare in advance, but don’t be afraid to pick the phone up. A visit is something we very rarely postpone, though we can adjust – [for example] just do the visit, look at the accounts, then come back whenever it’s convenient for you.”
Other tips
“Think: ‘how can we prevent this happening again and what can we do to control our environment?’. If you can show you’ve taken things onboard from mistakes, that will stand you in good stead.
Also, ensure there’s someone [present who is] familiar with the case if it happened a few years back.”
How much notice will firms usually be given?
“Aside from forensic, all investigations are a month or two of notice. But the SRA are receptive and understanding that there may be reasons to move this.”
When should a firm self-report?
Hankin was asked whether there is a threshold with self-reporting. When a firm knows it’s probably serious but is on the fence regarding whether to self-report, would the SRA look at this favourably if reporting was considered, and would the SRA’s advice be to self-report if in any doubt?
“Probably yes – you should report. But you’re right. It’s never clear cut. The safest thing is to show the processes you’ve gone through if you’ve not reported it.”
Document correspondence with third parties
Paul Sanders, Managing Director of Legal Eye, advised firms to document correspondence with third parties.
“If you go to a third party for advice, document it and put it in the risk register. This goes a long way as far as the regulator is concerned.”
Is AML going away?
“We’ve had AML on the Thematics, it’s really important, but it’s been going on for a long time – is there anything else on the horizon? There are other areas of risk and compliance”, asked Sanders. Haskin replied:
“I don’t think AML is going away. There are other things, but this is really important to us looking forwards. There will be more of an emphasis if anything.”
