COFAs - Client money protection during COVID-19
By Richard Hill
Compliance under COVID-19
The SRA have stated that “We expect solicitors and firms to continue to meet the high standards the public expect” … and … “We expect firms to have appropriate contingency plans in place for disruption, but we recognise that these are exceptional circumstances and the coming months could present particularly challenging issues.”
The SRA have said they will take a proportionate approach in view of the circumstances, but it is also clear that if you do face compliance difficulties linked to the virus, they would expect you to clearly document the approach you have taken in dealing with them.
COFAs will need to consider whether the controls and procedures in place in a normal working environment can still work effectively when everyone (or part of your workforce) is working remotely from home. Documenting a review (e.g. “COFA review of systems and risks under COVID-19 restrictions”) would be a must to show you have at least considered this, identified additional risks with remote working and put arrangements in place to minimise these risks. Whilst the SRA may take a ‘proportionate approach’, that does not release firms (and their COFAs) from their responsibilities. Firms will still be expected to demonstrate and have in place controls and procedures to protect client money with timely bank reconciliations, proper client account withdrawals, prompt return of surplus funds and avoiding their client account being used as a banking facility.
Remote working
Many law firms and businesses can easily work from home and the technology is certainly available to make this happen, so the issue is not a technological one but a cultural one, and about the working methods of some firms. Many law firms have shown that the switch to remote working has many benefits, but some have shown how ill-prepared they are for moving to remote and flexible working, with a heavy reliance on paper, office attendance and outdated IT infrastructure.
In some firms COFAs will need to assess whether having their finance team or staff working remotely could cause some operational issues and mean some procedures won’t work as effectively.
Examples of risks to consider:
• Increased threat of cyber scams and COVID-19 related phishing emails being successful if staff feel overwhelmed.
• Individuals may start to feel more financially pressured, which may increase the risk of deliberate or inadvertent misuse of client funds.
• Finance staff might be depleted due to furloughing and unable to provide the usual checks and balances.
• Staff may feel it is not as easy to double check information with someone and feel isolated at home.
• Processes and procedures are more likely to be ignored or overridden by fee earners who feel under more pressure to generate fees during difficult times.
• Maintaining dual authorisations could prove challenging for some firms.
• Moving to an electronic form of signature to sign off client account withdrawals when firms used physical signatures previously.
Client money processes under COVID-19
Up to date accounting records and posting of transactions in a timely manner
Most firms are continuing to work albeit in a reduced capacity and from home.
There may be situations where the person posting client transactions is not working (either due to being furloughed or through illness). The key risk if client account records are not kept up to date is that money paid out of the client account may exceed the amount held for that client leading to a serious breach of the rules. Keeping accounting records up to date will be critical to all monitoring and handling of client money.
If there is a delay in posting it is advisable that the client account should be reviewed by another member of staff before payment is made.
Receipt and payment slips
Rule 5.2 states that you must appropriately authorise and supervise the withdrawal of client funds. This can be difficult when staff are working remotely, depending on the firm’s systems.
Most accounts packages offer electronic authorisation when generating requisitions to receipt and withdraw client funds, and this must remain in place when working remotely.
For those firms that rely on physical sign off they could consider alternatives including scanned payment slips. Free apps are available where you can take a photo of pages and generate a PDF (e.g. Genius scan).
The rule does not specify that a withdrawal needs to be signed but best practice would encourage this. An email could suffice in authorising payment (with a copy of the ledger/completion statement attached) but extreme care must be taken here, as relying on email authorisation may pose cyber and fraud risks such as email hijacking and phishing. To overcome this the accounts staff can confirm the payment instruction with the fee earner by phone.
Processing of bank payments
The ability to segregate duties (input and authorise withdrawals from client account) may not be possible. Often the bank payments are processed by the accounts team and authorised by a partner/COFA.
COFAs must still ensure that robust payment authorisation controls remain in place. The firm may want to grant access to the banking facility to another responsible individual in order that payments can be made. This will need to be set up with the bank. An audit trail should be kept of who has access to log in to the bank and when they have logged in, supported by good password management.
The COFA should monitor the client account very carefully, or alternatively they could appoint a dedicated ‘gatekeeper’ who monitors the client account regularly and reports to them.
Firms should also maintain a verbal check of bank account details for outgoing bank payments.
Bank reconciliations (Rule 8.3)
Firms have already said that staff shortages may risk the bank reconciliations not being completed every 5 weeks or more. If discrepancies are not identified and investigated promptly, this poses an ongoing risk to client money.
The COFA must ensure the bank reconciliation is carried out frequently. This is vital. Even if there has not been much activity on the client account due to the slowdown of work the reconciliation should still be undertaken. The SRA places great importance on the preparation of reconciliations and one of the first things that they will request when visiting a firm is the latest client account reconciliation.
The SRA have stated “Carrying out reconciliation statements at least every five weeks is a key part of making sure you are protecting clients' money. They allow the firm's managers to make sure that client money is safe. And if there are any differences shown by the reconciliation, managers are under an obligation to promptly investigate and resolve any issues. Firms should therefore have contingency plans in place to make sure reconciliations are completed if, for instance, a key member of their accounts staff is unwell.
If your contingency plans fail because of the impact of coronavirus, then we would recommend that you take all necessary steps to assure yourself that client money is being dealt with by your firm properly. You should document your approach and all your decisions.”
Banking facilities are not provided through the client account (Rule 2.3)
Fee earners may let their guard down and be afraid to say no to clients, or to explain why they cannot hold funds (or send them to unrelated parties), as they become stressed and anxious over the reduction in work.
COFAs should suggest that fee earners take extra care to notify accounts in advance of the details of all expected funds so checks can be carried out.
The same rigorous checks must apply, as a breach of this rule is often considered serious. Warning signs include funds held in client account after completion, frequent receipts and payments not fully explained, use of a ‘general’ file, and funds arriving unexpectedly from third parties or from parties that appear to be unrelated to the transaction.
Payments and receipts must relate to regulated services.
Delays in Banking Client Cheques
Rule 2.3 states that client money should be paid promptly into a client account.
If you are unable to promptly pay client cheques into a client account, you must:
• Inform your client as to the position.
• Establish whether the client can pay the funds electronically into a client account.
• If funds cannot be paid electronically, document any decision and why the cheque cannot be banked promptly.
• Ensure proper procedure for secure holding of any client account cheques prior to banking.
The SRA stated “Our Accounts Rules set out that you should promptly pay client money into your firm's client account. Prompt means prompt in all the circumstances. If you are delayed in paying in any cheques because of the impact of the coronavirus on your firm or your bank, we would expect you to keep your client updated as to the position and document any decisions you make. We will take all of the circumstances into consideration if we were to receive any complaint and would be very unlikely to conclude that there has been a breach of our rules in this situation.
You may also want to look at other banking options so you can continue to effectively deal with your client’s money, such as requesting electronic payments where these are possible.”
Accountants report
An Accountants Report must be obtained within 6 months of the end of the accounting period under Rule 12.1. The SRA do expect law firms to do what is possible to keep within that timeframe. Many law firms’ reporting periods are in line with their financial year end, which is usually the end of March or April.
This could cause problems for some firms and accountants as the COVID-19 related restrictions could mean delays to the report being finished with the lack of resources available and no onsite access for the accountants. This will depend on how long the restrictions are in place and the ability of law firms and accountants to work remotely.
A delay itself would not be viewed as a serious breach which would need self-reporting by the COFA to the SRA, and at present it is not suggested that firms would need to notify the SRA of an unqualified Accountants Report that was completed late (after the 6 month deadline) due to the COVID-19 restrictions. COFAs need to remember it is the firm’s obligation to have the report prepared, not the accountants’.
Documentation will be the key. COFAs should document any delay (even for unqualified reports) and the SRA will expect this. Qualified reports still need to be sent to the SRA and any delay caused by COVID-19 should be explained in the covering email. Those with a history of late filing could expect more SRA queries, as previous compliance history will be considered by the SRA.
The documentation and handling could be important in the event of any future regulatory queries.
What to do
- Consider whether now is a better time to carry out the report, as with lower transaction volumes the finance teams might find it easier, or, depending on staffing resources, it could be delayed until the Autumn and still be within the 6 month timeframe.
- Firms that work electronically and use cloud-hosted systems will have no problem in working with their accountants to carry out the report.
- On most systems, the accounts software can be accessed remotely and ledgers/reconciliations etc printed off.
- Documents can be emailed, scanned and uploaded.
- Send your breach register and new accounts manual (or any documentation) that sets out the firm’s policies since the change in account rules in November 2019.
- Video conference (e.g. Zoom or Microsoft Teams) can be used to discuss matters.
- Even if the reports require access to physical files then as much of the work as possible should be completed
Cyber threats
Cyber criminals are also taking advantage of the fact that many people who are working from home have not applied the same security on their networks that would be in place in their working environment. They are also preying on fears of the coronavirus and sending 'phishing' emails that try and trick users into clicking on a ‘bad’ link. Once clicked, the user is sent to a dodgy website which could download malware onto your computer, or steal passwords. The scams may claim to have a 'cure' for the virus, offer a financial reward, or be encouraging you to donate. With more people working remotely or from their own devices, your risk of encountering ransomware may increase. Accounts staff will see an increase in financial scams and checking of bank details for payments will remain critical to protect client money. Scams including Share Screen and fake Zoom requests are also becoming more frequent.
The National Cyber Security Centre (NCSC) reported a 400 percent increase in coronavirus related fraud reports in March. Law firms are a prime target for criminals looking to exploit the change to a stressful and unfamiliar working environment with remote working.
The SRA have said “Cybercriminals are trying to take advantage of lower levels of security brought about by increased remote working, IT challenges, and the different mindset people may have when working from home. We have received specific reports about law firms being targeted. In one such example criminals attempted to create a standing order for £4,000 a month from a firm’s client account.”
The SRA’s and NCSC’s advice is available at https://www.sra.org.uk/sra/news/press/cyber-awareness-during-lockdown/
Financial stability and cash forecasting
When talking about financial compliance and reporting the COFA cannot avoid the problematic obligations to report financial stability. The SRA Code of Conduct for Firms sets out that firms must ‘actively monitor your financial stability and business viability’ (in Rule 2.4) and also that you ‘notify the SRA promptly of any indicators of serious financial difficulty relating to you’ (Rule 3.6 (a)).
It has been a common misconception that the COFA is the only compliance officer responsible for monitoring and reporting financial stability, but the SRA Standards and Regulations place the obligation on the COLP under standard 9.1(b) of the Firm Code.
The reality is that financial management will more than likely fall under the COFA’s remit, and the challenge here will be managing the financial impact of the COVID-19 restrictions while also juggling the further onus to report any serious financial difficulty. Internally, the hardest task will be defining and agreeing in what scenario to report. Examples could include: banks and other finance providers refusing to provide further funding and loans needed by the firm to see it through COVID-19; the ability of the firm to repay and service its debt obligations; the firm expecting to close down due to financial pressures caused by COVID-19; and financial projections which indicate it is more than likely the firm is not financially viable and funding is not available.
It goes without saying that the COFA providing monthly forecast reports on cash flow and carrying out a form of ‘stress test’ on the firm with financial modelling will be important so the firm can make informed decisions.
Summary - COFAs hitlist
There are mixed experiences from COFAs under the COVID-19 restrictions, with some using it to reinforce controls while also gaining more recognition for the controls already in place that are working just as well in a more remote environment. Others have seen resources decrease and are under pressure to manage the risks of client money compliance.
Hitlist
1. Review of remote working and identify any additional risks and solutions - “COFA review of systems and risks under COVID-19 restrictions” – circulate this review with recommendations and any changes in procedures so everyone is aware – use bullet points to summarise.
2. Consider internal review/audit – carried out more regularly during this period. Monitor client money transactions more frequently. Consider increasing COFA oversight and protocols if needed. Create a suite of reports to run each week.
3. Maintain the breach register to spot any emerging trends caused by remote working and act quickly.
4. Maintain effective internal lines of communication with accounts staff for breach reporting and support. Regular video conference calls (e.g. Zoom) or use of Microsoft Teams.
5. Disseminate information about cyber risks and compliance risks including data protection, client confidentiality and ID checks on clients.
6. Remove access to the accounts systems and banking systems for furloughed employees.
7. Training and awareness – some COFAs may decide this is good timing to refresh training on protecting client money and certainly should raise awareness of some of the risks on transacting client money.
May 2020
ILFM - The Professional Institute for COFAs
Although membership of the ILFM is not exclusive for COFAs, we feel that as the professional institute for legal finance & management, it's a very good fit for you if you're looking for independent advice, support and resources to help you in your day-to-day role.
The professional institute for legal finance & management professionals, including Legal Cashiers, Accounts Managers, COFA's, Practice Managers and Finance Directors.