Despite so much being at stake, some firms are still unwilling to change processes or attitudes about fraud. There are many conscientious law firms that have already upgraded their anti-fraud risk controls, but recent notifications highlight that some are still not taking this issue seriously enough.
The solicitor community needs to manage fraud risk more effectively and responsibly and stop taking email and verbal instructions for funds transfer on little or blind faith. Principle 10 of the SRA's Code of Conduct mandates that you must protect your client money and assets.
Email, on its own, is not a reliable or secure communications method. Transferring funds to a bank account that is notified by email, especially if altered or advised at the last minute, without making any checks, is not protecting clients' money and is therefore a breach of Principle 10. Acting on instructions from so-called bank staff and revealing online banking user credentials and account information is also not protecting clients' information.
False email correspondence is often at the heart of fraudulent activity, so here are some rules that solicitors should follow:
New Clients
- Explain the risk of fraud openly at the outset when relevant to the transaction / matter and obtain a commitment to cooperate.
- Obtain / exchange bank details at the outset of the transaction, and preferably face-to-face, except in unusual circumstances.
- Verify bank details provided against a cheque book, paying in book or statement.
- If there is a likelihood that changes may be needed, and attendance in person will be impractical, agree a code word for discussing financial transactions.
- Explain that changes will not be made to your firm's bank details and that changes to clients' instructions for funds transfer will be treated suspiciously. Reiterate to clients the process you follow to confirm their details and to ensure they are who they say they are.
- Update your client care letter/s, T&Cs, email footer and other relevant documents to reflect your revised fraud prevention processes.
Existing Clients
- Explain the above revised policies to existing clients, either via a mass mailer (not email) or as and when correspondence is sent.
- Request that clients attend your offices to provide bank details or obtain them over the phone when you can be certain it is your client you are dealing with in the normal course of events.
- Obtain evidence in support where time permits (if you already have a bank statement obtained for client identity checks at the outset then this would serve to verify bank details).
- On any transactions nearing completion where there is insufficient time to obtain bank details in the above ways, receipt of bank details for funds transfer must be validated with the client by phone. The call must be instigated by the firm using the details provided by the client at the outset. Unique and common knowledge, for instance about the matter or subjects involved, can be used to further authenticate the client.
Staff Training
- Relevant staff must be trained on revised procedures and mandated to follow them without exception.