Compliance and Cybercrime: knowledge is power

It’s a well-known mantra that in the realms of cybercrime, criminals are invariably one step ahead. But this should not tempt any law firm to be complacent in protecting itself.

The digital landscape is increasingly hostile.

Covid-19 has heightened the cyber security risk for firms, in part by introducing new forms of cyber risk. The Law Society highlights, for instance, business-impersonation emails asking employees to update banking details, fraudsters posing as legitimate companies, and fraudulent coronavirus insurance adverts. Stimulus funding is a favoured lure: fraudsters pose as legitimate companies to make fraudulent applications for it.

In December 2020, government published its third National Risk Assessment of Money Laundering and Terrorist Financing (NRA). Unsurprisingly, it confirmed what we know already: professional services remain attractive to criminals, lending layers of legitimacy to their operations.

Significantly, though the NRA noted improvements in the supervision of accountancy and legal service providers, those providers still feature prominently in law enforcement cases. The money laundering risk score for legal services remains high, with conveyancing, trust and company services and client accounts singled out as the highest-risk areas. In recent years, hundreds of millions of pounds are thought to have been laundered through conveyancing alone across the UK.

The risk of exploitation around those practice areas increases further if lawyers do not carry out their obligations under the money laundering regulations (MLRs) or if they adopt a tick box approach to compliance.

Also, firms cannot safely outsource compliance to their external IT suppliers and have been warned not to rely on them for protection. Mitigo Group’s CEO Lindsay Hill warned last summer that firms are failing to implement defences against ransomware attacks because of the misconception that they are not a target - and an assumption that their external IT support is qualified to look after their cybersecurity. She made clear that IT support is not responsible for cybersecurity, which is a very different discipline.

So what can firms rely on?

Firms must be alert to the so-called red flags which indicate a higher risk. In conveyancing, they include anonymous buyers and complex corporate structures, and transactions involving multiple legal service providers.

Trust and company services providers (TCSP) can be exploited for money laundering, particularly where there is poor compliance with the MLR.

The SRA found that in 2018, out of 59 law firms in England and Wales carrying out trust and company services, a significant number were not doing enough to meet their obligations. Some had no risk assessment at all, while others failed to conduct ongoing customer due diligence. Just 10 firms had submitted a suspicious activity report (SAR) in the previous two years.

However, according to the 2020 annual report from the UK Financial Intelligence Unit, the number of SARs reported by the legal sector increased by 13 per cent in 2019-2020 compared to 2017-2018. The number has continued to increase.

The NRA noted in its report that most law firms do comply with their AML obligations and that there have been positive steps in dealing with the risk posed by cyber criminals. Firms that are not pulling their weight are likely to be treating AML compliance as a low priority, to have insufficient or weak risk-based controls in place, and to lack access to legal sector-specific AML training.

Firms must ensure they are familiar not only with all regulatory requirements, but also with the Law Society’s practice guidance on protecting the firm if it falls victim to a scam. The Society also has a range of further cyber security-related resources.

Law firms must tackle the cybersecurity risks head on and treat compliance as a primary issue. If they fail to do so, the consequences could include financial losses, not to mention long-lasting and unquantifiable reputational damage.


Posted on 04.03.21