Law Firm Compliance – Facts, Fallacies, and the Risks of Getting It Wrong

FACT: Legal practitioners have an obligation to stay compliant with a host of regulatory requirements depending on the practice’s specialisation.

FALLACY: Legal practitioners have all the resources they need to stay compliant.

FACT: The regulatory compliance processes are often time-consuming, difficult to understand, and expensive to implement.

FALLACY: Legal practitioners have all the resources they need to stay ahead of regulatory requirement changes and still be able to focus on their clients’ needs.

There’s no denying that compliance for legal practitioners is a standard and unavoidable part of providing legal advice and representation as a professional service. This does not mean, however, that the processes and protocols involved are simple. In fact, the opposite is often true - remaining compliant as a legal practitioner can be quite complex.

Regulatory requirements are evolving and becoming more complicated year after year. Over the last 20 years, the compliance landscape for South African legal practitioners has undergone significant change.

Some of the more notable of these are:

• The Legal Practice Act 28 of 2014 (the LPA)
• The Rules and the Code of Conduct for all Legal Practitioners, Candidate Legal Practitioners and Juristic Entities (the Code) promulgated in terms of the Act
• The Companies Act 71 of 2008
• The Financial Intelligence Centre Act 38 of 2001 (FICA) and
• The Financial Advisory and Intermediary Services Act 37 of 2002 (the FAIS Act).

From a client perspective, this is great news. It means a greater assurance of quality in terms of the services you receive from your legal practitioner. But for the law firms themselves – particularly the smaller ones -keeping up with the constantly changing regulatory landscape can prove challenging, to say the least.

Meeting compliance regulations can place unwelcome strain on both the human and financial resources of smaller legal practices.

There is also a widely held, though less commonly expressed, concern that these increased requirements have created an additional (and largely unwelcome) barrier to entry for new legal practitioners (notably “one-man bands”) entering the playing field.

And sadly, on more occasions than the industry may care to admit, the financial burden (coupled with the time needed to ensure compliance) has been the final nail in the coffin of many struggling legal firms.

Yet none of these scenarios changes the fact that every law firm still needs to develop (and apply) a compliance plan – for which a dedicated resource should be appointed.

It’s important to remember that the same compliance rules apply to all legal practices, no matter their size – even though the risk is, in most cases, bigger for larger firms.

However, while having a dedicated compliance team is very common in larger legal practices, it’s somewhat of a luxury for smaller firms, many of which find the budget simply isn’t there for hiring staff members who will only be responsible for mitigating compliance risks.

This is one of the reasons why "outsourcing" is such an attractive – and important – option for smaller practices. ?(It also helps mitigate any arguments around the objectivity of the compliance teams, and the perceived need by outsiders of legal firms wanting to “protect their own turf.”

It goes without saying, however, that it’s important to outsource the burden of compliance to a reputable outfit that will not only take care of the regulatory compliance, but also preach and implement awareness and diligence to all employees.

Legal compliance is unique in terms of workplace requirements, making the choice of company even more important.

The professional standards expected of legal professionals are very high. For example, legal practitioners commonly facilitate valuable financial transactions in various jurisdictions. If compliance is not adhered to - to the very last letter of the law - accusations of participating in the commissioning of crimes and money laundering can quickly surface.

Unlike most industries, ethical behaviour is strictly codified for legal practitioners, and regulatory and legal consequences are very real risks for those who don’t abide by these professional codes of conduct.

In addition, legal practices store, and have access to, massive amounts of personal and sensitive client data. The rapid expansion of regulation of data and privacy via PoPIA and GDPR adds yet another layer of compliance exposure for legal practitioners.

While the average person might assume the files on a legal practitioner’s laptop are essentially nothing more than a bunch of boring documents, hackers know the hard truth about that hard drive.

Legal practitioners must also adhere to the rules of attorney-client privilege, which means any information a client shares with their attorney must remain confidential.

As I’m sure you can imagine, your average law firm has access to trade secrets, intellectual property, and figurative (one hopes!) skeletons in the closets of their clients. And while it’s not a stretch to think a multi-national corporation can afford a sophisticated cyber security strategy,?many legal practices either can’t, or they simply don’t prioritise it.

This is one of the main reasons why so many law firms are targeted by hackers. So much valuable information, so little (comparatively speaking) cybersecurity.

Of course, on top of all this, foregoing compliance, regulatory duties and codes of business ethics put legal practice at risk of censure, devastating PR damage, and intense client dissatisfaction.

Here’s a selection of the sanction they could face if found to be in breach of legislation and regulations:

• Fines - for the most serious breaches, fines are now routinely in the hundreds of thousands of Rands. Coupled with the need to pay not only your own legal costs but also those of the prosecution, non-compliance is a costly exercise.
• Imprisonment - possible sentences could be as much as 10 years. On top of that, practitioners found guilty have to live with the stigma of a criminal conviction, which could restrict – or prohibit entirely - their ability to practice law. And remember: both employers AND employees can be prosecuted under criminal law, sometimes simultaneously.
• Loss of Reputation – this is often accompanied by a loss of clients. Increasingly, clients look very carefully at the record of potential business partners, and requests for details of any convictions have become standard on tender questionnaires. The damage a criminal conviction could cause to a practice’s reputation could last longer than the prison term - and be far more costly than the initial financial outlay.
• Loss of current or potential staff - there’s no doubt most applicants would think twice before applying for a job with a practice that has been prosecuted, or that’s broken any employment or human rights laws.
• Downtime and loss of productivity - breaching certain laws often means a practice has to cease trading until the errors have been rectified. This loss of production inevitably results in a loss of income. In the worst case scenario, this could cause the Practice to go out of business.
• Financial loss – In the event of the theft of trust monies, the Legal Practitioners Fidelity Fund does not protect the legal practitioner itself, only their clients. The basic Professional Indemnity Insurance cover provided by the Legal Practitioners Insurance Indemnity Fund is capped, and in some instances is insufficient to cover negligence claims. Financial losses could mean practices have to close, as partners and directors can be both jointly and severally held liable for these expenses.
• Loss of licence to practice – if found to be in breach, legal practitioners could be suspended or even struck from the roll through either the disciplinary processes of the Legal Practice Council, any other sanction, or both.

You can see now how important it is that a law practice remains compliant with all legislation and regulations. ?

So if your legal practice doesn’t have the necessary resources you need to comply with regulatory requirements, your best course of action is to outsource and call in the help of a reputable company .

So, what can an outsourced compliance company do for a legal practitioner?

Before answering that, let’s first take a look at the top compliance challenges legal practices face:

• Documented Policies and Procedures must be in place.
• Evidence that the Policies and Procedures are followed must be stored.
• Training must be done on a regular basis.
• Data Privacy must be managed.
• Accounting records must be up to date.
• Reporting responsibilities must be managed.

Now let's look at what the outsourced compliance company must not only offer, but also be able to prove:

1) Policies and Procedures:

• Consult on FICA (Financial Intelligence Centre Act) requirements
• Draft an RMCP (Risk Management Compliance Program)
• Consult on on-boarding of clients
• CDD (customer due diligence)
• AML (anti money laundering) screening
• Consult on PoPIA (Protection of Personal Information Act) requirements
• Draft the PAIA (Promotion of Access to Information Act) manual.
• Draft the PoPIA Framework
• Draft PoPIA Policies and Procedures
• Draft the Disaster and Recovery Manual
• Consult on NCA (National Credit Act) requirements
• Draft Credit Agreements
• Consult on over-indebtedness formulae
• Draft NCA Policies and Procedures

2) Evidence that the Policies and Procedures are followed must be stored.

3) Training must be done on a regular basis:

• FICA training
• PoPIA training
• NCR training

4) Accounting records must be up to date.

5) Reporting responsibilities must be managed.

Of course, documented policies and procedures are not the only determinant of a legal practice team's conduct. A strong company culture is also critical. Without it, these policies and procedures will be difficult to implement and sustain.

Culture should always start with the practice’s senior members - their actions, and the values they demonstrate, both publicly and in the office.

As well as implementing and respecting regulatory and ethical best practices, senior members also need to promote them throughout the practice. The best way to do this is by investing time and money into staff training and education.

Compliance laws and regulations are ever-changing, which is why it’s critically important that both management and staff are constantly updating their awareness of these issues.

So, instead of wondering why you don’t have a reliable outsource partner, just get in touch.

Email:?Jan de Beer - [email protected]

www.crtrustees.co.za