By Legal Futures’ Associates Willis Towers Watson [1]
The evolution of digital technologies and data is creating exciting opportunities for businesses, but it also makes the threat of fraud more complex. Many organisations, including law firms hold sensitive and confidential data and hackers and fraudsters are likely to try and steal this data and firms may find themselves as victims of fraud. It’s important that law firms ensure they have robust systems and stringent controls to ensure the integrity of their businesses and their client’s data.
The impact of fraud to businesses can be significant. CIFAS’ 2019 Fraudscape [2] dedicates an entire section to Internal Fraud and in their Fraudtrack report in 2018 BDO advises that in 2017 the cost to UK businesses from employee fraud was nearly £500 million [3].
Employee fraud can be an issue as staff regularly have access to data, systems and processes to commit crime. Examples of employee fraud include transferring monies to pay stamp duty or the publication or sale of large amounts of data as seen in the Morrisons data breach a couple of years ago. In 2014 the payroll information of nearly 100,000 staff employed by the supermarket was leaked and posted on the internet by a former employee Andrew Skelton, who was considered to be a trusted and reliable employee by the supermarket. The significant reputational damage to Morrisons was not the only issue in this case; in excess of 5,500 existing and former staff then issued proceedings against Morrisons for failing to protect their personal data in the first group litigation case involving a breach of data. Morrisons were subsequently held vicariously liable for the actions of Andrew Skelton.
Employee Fraud across the legal profession
We have also seen employee fraud take place in law firms. For example, Eastham law firm’s Head Cashier and COFA stole more than £500,000, £267,000 from the client account and £260,000 from the office account. The cashier had fallen victim to a ‘romance scam’. She had been employed at Easthams for over 20 years [4]. At a conveyancing practice in Cirencester a cashier stole over £1.2 million from the client account in a scam that lasted over three years. She was paying stamp duty monies from the client ledgers to her own personal bank account, which was then frittered away by her partner on gambling. The reputational damage to the firm, the impact on staff numbers and the increase in professional indemnity insurance were significant following this fraud. In April 2017 the firm was intervened into by the Regulator.
When the question was asked why this was not spotted earlier, the Defendant replied ‘the firm trusted her. They were busy [5].’
A gambling addiction also affected the conveyancing practice TCS in Ellesmere Port when the Finance Manager was found to have stolen over £320k from the office account. She had been employed for over five years when the offence came to light [6].
The examples cited highlight situations where long standing or trusted employees’ personal circumstances changed. They were not (as far as we can understand) planned or targeted attempts to infiltrate the business as we often see by sophisticated organised criminals, but opportunities that arose when members of staff who were employed in a trusted, responsible position who knew the processes and systems took advantage of their position and exploited vulnerabilities and weaknesses within those systems.
How can employee fraud be prevented?
Taking steps to prevent such problems occurring is the best solution. These might include:
1. Support whistleblowing
Having a policy in place to encourage and support staff to whistle blow together with an effective procedure to report any concerns or problems.
2. Robust screening at job offer stage
Robust and effective screening and checks in place at job interview stage. Especially for those staff who will have access to accounts, sensitive or significant amounts of data.
You may wish to check references, require key certificates or check on past history with the regulator or professional body.
Obviously under the Money Laundering, Terrorist Financing and Transfer of Funds Regulation 2017, 21, there is a requirement to carry out screening of relevant employees [7].
3. Monitor staff access to data
Actively monitor what systems and data staff access or attempt to access. Is it appropriate and proportionate to their role that they have that access?
4. Limit ability to extract and send data
IT solutions exist that can prevent the extraction of significant data, (as in the Morrisons litigation) or can limit those who can send the information.
5. Tightening processes when staff leave
When staff leave do you lock down their access to systems, or can they still access them remotely? It would assist if you had records of what systems they can access when employed, so they can then be locked out once they have left, this should also include the return of hardware (phones, laptops) and credit cards for example.
6. Regular audit and checks
The staff who perpetrated the frauds against the law firms as detailed above were all trusted, long standing employees. Most staff are loyal and hardworking, but circumstances change, and so regular audits or reviews are vital to spot any issues.
It is perhaps instructive that the new SRA Accounts Rules [8], (effective 25 November 2019) require that client account reconciliations are signed off by the COFA or a manager, and any differences investigated and resolved (Rule 8.3).
Impact on law firms
The impact has been significant for the businesses in the above examples. Beyond the reputational damage and potential loss of business, there is the time lost to investigating and resolving issues. In addition there is the impact on staff morale and future recruitment, as well as any penalties imposed by the regulators and the potential increase in insurance premiums.