For risk and compliance solicitors across the country, COVID-19 has put even the best laid contingency plans to the test. However, the need to comply with the SRA’s standards and other professional and legislative requirements must be balanced with pragmatism. We outline some of the key risks that risk and compliance lawyers should be aware of, and how they should be addressing them.
Money laundering and terrorist financing
Whilst COVID-19 may have stopped many businesses in their tracks, it has not deterred criminals who are exploiting the situation. The inability to conduct face-to-face identity checks is an obvious risk area. Despite the challenges, practitioners who come within the scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) must continue to comply with their statutory requirements.
You should ensure that robust, risk-based solutions are in place. These may include electronic verification, the use of verification codes to validate personal information, or video technology to verify clients and their identification documents. These and other methods can be used independently or in combination. If you are relying on a third party to conduct identity checks and due diligence, you must understand any changes they have made to their procedures and satisfy yourself that those procedures still give you the assurance you need.
Policies and guidance may need to be updated and additional messaging required to inform and support colleagues in fulfilling their obligations. This may include how to stay GDPR compliant when sending or receiving personal data online. Any deviation from normal protocols should be documented. Crucially, if you cannot satisfy your obligations, particularly in matters requiring enhanced due diligence, do not continue with a transaction.
The SRA provides extensive guidance in this area on its website.
For further information on using digital verification technology, see the Financial Action Task Force (FATF) guidance on Digital Identity.
Absence of the compliance officer
Illness or the need to self-isolate may mean prolonged absences. If you are an in-house compliance officer, ensure that your contingency measures are up to date in the event of a long-term absence. This may include nominating someone to deputise on a temporary basis and providing them with guidance on important matters and key responsibilities.
In private practice it’s important to remember that the role of compliance officer for legal practice (COLP) is person specific and it is not possible to formally deputise the role. If an absence is short term, or it’s possible that the COLP will be capable of working from home, it’s likely that no steps will need to be taken. However, if the absence is long term firms have 28 days to apply to the SRA to either replace the COLP or register an emergency COLP. Remember that when the original COLP returns, you will have to apply to the SRA to return them to their role.
Confidentiality and remote working
Remote working can present a myriad of challenges when it comes to confidentiality obligations. Many employees who are working from home as a result of the pandemic will be doing so on personal devices. Weak security settings on their device or home Wi-Fi network provide ample opportunities for attackers to access information. Similarly, the increase in phishing emails in which criminals encourage recipients to click on links (for example, to access further information on the disease) can lead to malware being downloaded onto a device or credentials being harvested, compromising the security of confidential information and passwords.
For employees living in shared accommodation, there is a heightened risk of confidentiality breaches. This could result from overheard client calls, or simply from an employee leaving a computer holding confidential information unattended. More recently, video conferencing platforms have been targeted by cyber criminals who hijack meetings to obtain confidential information. Some law firms have also asked employees to turn off smart speakers and other voice-activated listening devices, such as Alexa, while working from home.
Make sure that colleagues know how to identify phishing emails and how to report security breaches. Policies should be updated and guidance published on how to use remote working systems safely. When using any third-party conferencing platform, ensure meetings are set to private and are password protected, use a waiting room or lobby where the platform offers one so that the host admits each participant, and do not publish meeting links or passwords openly. For those in private practice, the SRA also recommends documenting the arrangements that have been put in place to protect clients’ confidential information.
For more advice on cyber security whilst working from home, see the SRA’s report on Technology and Legal Services.
The National Cyber Security Centre is also a useful source of information and provides practical guidance on controlling the risks of employees working on personal devices.
Lastly, the Information Commissioner’s Office has produced guidance on data protection and the coronavirus.