When home is not your castle
“It’s a dangerous business, Frodo, going out of your door…” These prophetic words of Bilbo Baggins have formed the bedrock of SAGE’s advice over the lockdown, and form the rationale for the majority of the UK workforce working from home.
Working from home has its advantages: lower transport costs (from bedroom to desk), better work-life balance, and spending more time with family. It also has disadvantages: higher snack intake, devoting endless hours to curating videoconference backgrounds that showcase your cool credentials, and spending more time with family.
For a profession which, historically, has not been the fastest to embrace change, the move to homeworking came as something of a shock. The old normal was not a suitable model for working in a socially and professionally distant world, and adaptations are necessary. With change come new opportunities, but also new risks.
Client verification
Of a Tuesday afternoon, whilst leafing through the latest Journal, a phone call comes through. A new client. He has a deal which needs to complete. You take all the details and, over the next few days, start the process of opening a file. Then it hits you: just who is the client?
He told you his name was Connor MacGregor, but how do you know if it was actually Connor MacGregor, and just who is Connor MacGregor? You can’t meet face to face, and you can’t readily get the originals of their ID. How do you verify identity?
The rules requiring sight of the client’s original ID are unwavering, yet in a world where meeting clients still seems some way away, trying to match the ID to the client is not as simple as previously; and what is to be gained by seeing original client ID against a background where (a) we have not physically met the client, and (b) we have no easy means of verifying that the ID itself is authentic?
The good news is that alternative ways of satisfying the customer due diligence (“CDD”) and money laundering requirements should be possible in most cases. As always, much depends on the risks of each situation and whether those can be sufficiently addressed through other means, but it is also worth remembering that there are three stages to CDD: identification of the client (information gathering), risk assessment of the client, and verification of the client (evidence gathering). If you cannot meet the client face to face, this may affect your risk assessment and may simply mean having to exercise more rigour and more caution at the third stage, verifying identity, than if you had met them face to face.
In some instances, e-verification in its own right may be sufficient, although it has to be borne in mind that this only establishes that someone of a given identity exists and not necessarily that you are dealing with that person.
Further steps
Further steps you might therefore wish to consider would be:
- Ask the client to send you a copy of their ID documents – ideally a scan/pdf, but possibly a photo – via their phone. Having received the copy, you could ask them to hold up the documents during a videoconference call with their face also in vision (and try to keep a record of that).
- You should then undertake an e-verification check of the document and the details contained on it. Systems which draw on multiple data sources (including official sources) are to be preferred, especially where physical ID checks are impossible or have their limitations. A single source (e.g. the electoral register) would not normally be sufficient in itself.
- If that check produces no concerns, a final cross check might be to make a point of sending a letter to the client (without advance warning) at their given address, with the letter requiring some unique or specific form of acknowledgment to be sent back to you. A fraudster would be likely to find it difficult to intercept such communications.
- Finally, you would then request that the client does follow this up by providing a sight of their original documents in the normal way at a later stage of the transaction but, as long as other risk factors do not raise concerns, you may be able to take the view that you are able to at least start working on the matter, on the strength of this process.
Bear in mind also that any deviation from your normal CDD practice while the current restrictions apply may be best discussed and signed off by a supervising partner or your MLRO, on a case by case basis.
Also, the Law Society of Scotland has issued practice updates in relation to client verification and you should continue to refer to its website on these matters.
Remitting funds etc
You hold client funds. They need to be sent to another firm of solicitors. You cannot send a letter with bank account details. The only option (short of secure online client portals) is to request an email with the details. The receiving solicitor duly obliges and emails you their account details. You require to confirm independently that the bank details are correct and have not been intercepted. You pick up the phone and start to dial the firm’s main office number. No good – the office is closed. You call the number on the email and the person on the other end gives you the number of their office or cashroom manager with whom to check. Don’t be fooled – if the email has been compromised, you could just be calling the hacker and being directed to their accomplice.
So how do you independently confirm that the details you received are legitimate?
Options might include contacting other personnel in the firm, separately and without advance warning, to seek confirmation of the firm’s bank account details. The important thing is to be careful and think about whether you really are – as you must do – obtaining confirmation of bank details from at least two independent sources. Always bear in mind that sending client money to an unauthorised recipient is usually the start of a professional negligence claim from which there is seldom any defence.
This also stretches beyond monetary considerations; whether you are dealing with a client or another solicitor, it is imperative that you take all appropriate steps to ensure client data remain secure.
Conference calls
As the majority of client interaction moves online, the risk of eavesdropping, or worse, increases. For most firms, videoconferencing will mean relying on third party software. The problem with this is that the security measures for those systems are managed by third parties. There have already been news articles raising concern about the security of some of these systems. In the event that something does go wrong, there is likely little recourse against those companies. Make no mistake, if a security or data breach does occur, the client’s first stop will be your firm, followed by the ICO, SLCC and/or Master Policy insurers.
Was it reasonable for you to arrange a conference call through those systems? What if there were reports that they were vulnerable to hacking? And what if you didn’t tell your client who, had they known of the risk, would have preferred a phone call? These are the potential questions which you might need to answer in the event of a security breach.
That said, videoconferencing is proving a very useful communication medium in the current situation and has a real part to play in client verification, to say nothing of relationship management with your clients.
Protecting cash flow
Cash is king and remains the lifeblood of any business; all the more so where everyone’s purse strings are being tightly drawn and there may be more reluctance than ever to extend credit to client organisations fighting for their own business survival.
Similarly, at a time when bad debts are on the rise and debt collection actions are likely to progress through the courts with all the haste of a lethargic garden snail, this is not the time to allow large amounts of work in progress to accumulate over the course of a transaction.
Measures to protect and preserve cash flow might be (i) more often requiring a retainer at the start of a transaction, (ii) indicating an intention to render regular interim fees, or (iii) reserving the right to deduct fees from settlement sums before any balance is remitted to the client.
If the client balks at these options, ask yourself why; and whether it is still worth taking on the work.
The solution
The easiest way of catering for any new risk management measures will be to revisit that trusty old friend, the letter of engagement.
Don’t assume that your existing letter of engagement will come to your rescue in the changing environment in which we are now operating and, if you do wish to be able to resort to or rely on any of the measures outlined above, be sure that your letter of engagement is reviewed and updated to cater for them. Getting the client’s agreement from the outset is key.
If there is a take home from all of this (or rather a keep home, since you’ll be there already), it is this:
- Verify, verify, verify – a voice at the end of a phone, the person typing you an email, could be anyone.
- Let clients decide whether, and to what extent, they are content to use methods of communication beyond the usual.
- Wherever possible and appropriate, get paid upfront.
- Keep your clients informed of any changes in practice you are making, and any security or other risks they may present.
- Be sure to issue fresh letters of engagement where appropriate, to reflect any new measures you wish to introduce.
Whether the current state of affairs is temporary, or whether some adaptations will survive going forward, remains to be seen. What is important is that in the “here and now”, thought should be given to the new risks that remote working brings. In a time of uncertainty, the need for vigilance and security is paramount, not only to protect your clients, but also yourselves.
Update
Since preparing the above article the Coronavirus (Scotland) (No 2) Act 2020 has come into effect (from 26 May 2020). The Act introduces a number of important changes to the signing and use of electronic documents. Of particular note is part 7 of the Act, which enables notaries to make affirmations or declarations without being in the same room as the person from whom the oath is being taken.