Compliance Plans, Risk Register, Client Care, Code of Conduct, COLP/COFA, Business Continuity, Outcomes Focused Regulation! All terms we see all too often within the legal profession. “Compliance” has taken the industry by storm but has left lawyers in a state of confusion and anxiety.
There are so many different facets to consider when referring to “compliance” within a firm. Practices will need to consider the code of conduct, Equality Act, Anti Bribery Legislation, the EU Commerce Directive and many other codes of practice, regulations and legislation.
Even before a firm considers change they need to recognise that we are no longer in a profession where regulation and compliance can be avoided. Everyone within the practice is affected by the firm’s compliance status, not just the partners or qualified members of staff.
The starting point for most firms is evaluating their public facing information, including websites, emails, letterheads and registration with the information commissioner and where applicable registration as an Exempt Professional Firm.
From an SRA perspective each firm has a risk profile, and so when deciding which firms they wish to “supervise” or approach for a thematic review they will consider public facing information amongst other things, such as complaints, claims and any other dealings the firm may have had with the SRA. We would encourage firms to ensure that their public facing information is “compliant” to help minimise their risk rating.
Once firms have ensured their public facing information is “compliant” the next consideration should be to the firm’s client care packs.
A client care letter and terms of business play a critical part in compliance with the client care provisions of the Code of Conduct; however, when we review these documents we often find large gaps and non-compliances.
But is it any wonder? Over the past 3 months there have been at least 3 required updates to Client Care Letters/Terms of Business; namely the changes to the Legal Ombudsman Scheme details in February 2013, the implementation of the Legal Aid, Sentencing and Punishment of Offenders (LASPO) Act 2012 in April 2013 and the structural changes made at the Financial Services Authority.
Legal Eye has reviewed hundreds of Client Care Letters and Terms of Business documents over the past few years. Of those reviewed, 84% did not contain accurate regulatory information. Common omissions and non-compliances include fee details and incorrect or incomplete complaints details, both in the complaints section itself and in the financial services paragraphs. Distance selling, cancellation rights, quality standards, equality and diversity, outsourcing and details of the Financial Services Compensation Scheme were some of the other common paragraphs which we found needed to be updated.
The firm’s COLP will need to ensure that the client care pack has been updated to reflect all of the compliance requirements, including those that have been recently updated. They will also need to demonstrate that the firm has a procedure in place to check and verify that fee earners are using the most up to date documents and procedures.
Documented audit trails are a key component in mitigating the regulatory risk to which a firm is exposed. With the compliance arena being so fast paced, firms are struggling to implement the changes as quickly as new requirements are introduced and updated.
Where we assist firms with their file review processes we are able to keep them updated and apprised of developments in the regulatory world with practical solutions. So with regard to the changes to the Financial Services Authority, we advised all of our clients what the changes were and updated their terms of business, client care letters and demands and needs statements so that they could use the updated versions without any delay.
However, whilst updates can be made and distributed firm-wide, it is the fee earning and support staff that need to use these documents, and therefore they need to find a way of ensuring that they are using the correct version at the time they send the initial documents to their clients. In practice this can be one of the biggest challenges firms face because fee earners are using example text or precedents from a whole host of references in their directories, so old templates, clauses and references creep into new documentation. From a compliance perspective it is the COLP’s responsibility to ensure that there is an adequate system in place to prevent and mitigate the risk of out of date information being used, but it is a time-consuming task when there are so many compliance updates to consider.
Legal Eye records show that 74% of the firms that we have communicated with did not, before any advice or feedback was rendered, have any file review processes in place, which is a fundamental flaw in a firm’s risk management process. Of the 26% of firms that had file review processes in place, only 5% actually followed up the corrective action, which is a congruent part of the supervision and risk management requirements under the code of conduct. The file review process not only reveals valuable information about practices and procedures undertaken by the firm but is also a risk management tool which insurers expect firms to have in place.
Insurance and Compliance Plans
At a time when firms are due to complete their insurance proposal forms, it is a great opportunity for practices to carry out a gap analysis linked with their compliance plans. Most insurers will also be keen to establish whether the firm has a risk management strategy and whether they carry out an annual risk review on complaints, claims, notifications, file reviews, business continuity plans and tests, risk assessments of unusual/high risk matters and regulatory issues. Evaluation of client feedback and clear reporting lines and governance are amongst many of the other requirements of both insurers and “compliance”.
Business Continuity Plans
There are lots of overlaps with the outcomes set out in the code of conduct, various accreditations and information requests as part of insurance proposal forms, with Business Continuity Plans being one of them. There have been a number of CQS accredited firms that we initially visited who did not have a Business Continuity Plan in place. This is not only a breach of the CQS practice management standard but also a non-compliance of the Code of Conduct and insurance requirements, particularly if firms have indicated they have a valid plan in place. Where firms do not have adequate plans they should note the SRA have asked for these documents during visits to firms.
We have also seen CQS approach firms for copy documents, including sight of their Business Continuity Plan and other policy documents to support their initial or re-application. However, where such policies, plans and procedures have not been reviewed or updated, or the policies or plans are not in place at all, firms run the risk of suspension from the panel or, in a worst case scenario, rejection from the Panel altogether. This is a big concern when we visit firms across the country because we are seeing an increased number of firms being approached for documentation.
Traditionally disaster recovery plans were necessary; however, this was replaced with the requirement to have a Business Continuity Plan. These plans should include details of disaster recovery and contain information on the key risks to which the firm is exposed, with details of how the firm proposes to mitigate the impact of those risks. The risks identified should extend beyond disaster recovery and also include, for example, the impact of unexpected absences from the office. Key personnel should be named so that all staff are informed of their responsibilities and are aware of the relevant contacts if the practice’s business continuity has been affected.
Once the firm has a plan in place they should test their plans to check if they are effective. This can include testing of backups or regularly updating the Contact List attached to the plan so that it reflects any changes to personnel details and updates to service providers so that they can be easily contacted should the need arise.
Equality and Diversity
Last year the SRA were on the road conducting thematic reviews across the country. Firms were expected to demonstrate how they were complying with Chapter 2 of the Code of Conduct. Equality and Diversity is of high priority and firms should ensure that they are reviewing their policies to ensure they reflect the Equality Act 2010, provide training to staff on Equality and Diversity, make reasonable adjustments where required and have a system in place to address any breaches of the Equality and Diversity Act and internal policies.
It is an on-going cycle to achieve “Compliance” within a practice, but in order to get the wheels in motion firms will need to plan their journey, starting initially with public facing information and then tackling the firm’s internal documents and procedures, using the Code of Conduct to help identify and structure the “Compliance” journey.
“Compliance” and the management of the firm’s risk is not something that can happen overnight or in isolation, so all staff, workers and consultants within the practice, both operational and business services, need to be part of the culture change for firms to find the light at the end of the tunnel.