The Solicitors Regulation Authority (SRA) has published its annual Risk Outlook 2020/2021. It appears they have switched the publishing schedule to roughly coincide with the practising year.
Twice a year was a bit much.
In this overview of the latest Risk Outlook, we highlight the key parts of the report, what you should do with the information, and what’s missing.
What is the SRA Risk Outlook?
Every year, the SRA compiles a report to identify the key risks to legal practice as viewed by the regulators.
It is organised into themes with narrative attached. Some risks are born out of research. Others are identified through enforcement and disciplinary actions.
The SRA works closely with government and other regulators, so the organisation has several intelligence sources unavailable to front line solicitors.
The Risk Outlook is also a useful indicator of the direction of travel of SRA policy.
What are the current risks to the profession?
Unsurprisingly, the Risk Outlook 2020/2021 is highly influenced by the coronavirus pandemic (what isn’t these days?), Brexit and ongoing cybersecurity threats. All of these “externalities” can impact the way solicitors can practise and deliver their services.
The key risks identified are:
They say: “Solicitors and law firms are targeted by criminals. Money laundering damages society and the economy. You can help to stop it.”
We say: This is a very useful overview of the current AML risk facing solicitors. The SRA’s AML supervisory function is becoming ever more professional and systemised. Firms falling short of AML legislation are living on borrowed time.
They say: “People and businesses trust solicitors to look after their money. Keeping it safe is your responsibility.”
We say: Misuse of client money is an ever-present risk. The risk increases when firms are in financial distress, so we may see an uptick in enforcement action over the coming year.
They say: “The profession should reflect the diversity in society to make sure there is public confidence in the legal system. Diverse businesses are better businesses and inclusive workplace cultures are key to making sure that everyone can perform well, prevent discrimination and support customers from every background.”
We say: To their credit, the legal regulators have been pushing the diversity agenda long before the Black Lives Matter movement took central stage. It has been a core professional principle since 2011.
They say: “The information and money entrusted to solicitors and law firms is a target for criminals. You need to have systems and controls in place that help to protect this.”
We say: Cybercrime has reached industrial levels and working from home presents the hackers with new opportunities. Law firms are custodians of some of the most valuable data and assets.
Our profession cannot afford to be the weak link in the chain. There are opportunities for law firms to win new work by having world-class security in place.
They say: “Your firm’s culture and practices should reflect the ethical standards expected of everyone we regulate. Falling short of the ethical standards we set damages people’s lives and trust in the profession.”
We say: We all know what we mean by professional integrity but trying to define it is nigh on impossible. It is fact specific, subject to shifting societal attitudes as well as regulatory and political landscapes. Ethical behaviour is more than avoiding dishonesty.
But we risk confusing “lack of integrity” with inexperience or lack of support. Law firms need to protect their junior lawyers, and where they do not – or actively contribute to unethical conduct – firms should also face disciplinary action.
They say: “Many people and small businesses do not get the legal help they need. Helping these consumers will widen access to justice, as well as benefit your business.”
We say: The SRA has little choice but to continue down this road, with the Competition and Markets Authority (CMA) continuing to breathe down its neck.
We remain sceptical of the drive towards price transparency. It seems to conflate price with service, quality and public information. This is illustrated by the SRA’s fascination with price comparison sites – hardly the most ethical business models.
Handing over the marketing keys to price comparison companies is a big step, and one which will be impossible to roll back from.
They say: “Poor standards of work and service can affect people’s lives, liberty and finances, as well as public confidence in the rule of law. Your firm should make sure that everyone can and does meet the professional standards of competence.”
We say: There are areas of our profession where poor standards are rife. They also tend to be the areas where margins are low and firms rely on process-driven workflows and unqualified staff.
The regulators need to think of these issues before rushing towards initiatives that will drive down profitability.
What should the COLP do with the Risk Outlook?
You will need to set aside time to digest the report. It is roughly a 30 minutes read.
The SRA Risk Outlook is not published for general interest. It is intended to be actionable. That means identifying where the risks affect your firm and updating your internal risk register and mitigating actions.
Review and update your internal systems and controls to reflect the updated risks. Implementation typically involves documentation, procedures, workflows, and internal communications.
All senior managers need to be on board with your updated risk register. Implementation of risk strategies is not the sole responsibility of the COLP.
Train your staff on the key risks as they relate to your firm. This might involve, for example, refreshers (AML, cybersecurity) or skills development (standards of service).
What’s missing from the Risk Outlook?
We think the SRA has missed some key issues:
1. Regulatory risk
Although no regulator is going to admit that its own rules are a cause for concern, we believe there is a case to include it.
As much as they say that the 2019 Standards and Regulations have bedded in well, our anecdotal experience suggests otherwise. For example:
- Firms are less sure of their regulatory obligations, particularly around the Accounts Rules and marketing.
- The fact that the reporting threshold is significantly lower has not been fully appreciated. Many firms are not reporting when they should because they are still using the “material breach” test.
- The streamlined principles-based approach to the rules has been completely undermined by several volumes of official guidance. These will become de facto rules yet are not subject to consultation. They can be (and are often) amended on a whim.
- The SRA has had to roll back from previous messaging. Two examples spring to mind:
- “If you are compliant with the old Accounts Rules, you will be compliant with the new rules”. This is simply not true, yet SRA officers were parroting this message during the Standards and Regulations roll out.
- “You can bill for your costs in advance”. Whilst the Accounts Rules may technically say this, the SRA message was not qualified in any way. The latest version of the guidance has remedied this to some extent, although possibly too late for some.
2. Financial stability risk
The market landscape section of the SRA Risk Outlook sets out the key areas causing unprecedented uncertainty for law firms (Covid, Brexit, Economic, Consumer Behaviour).
Following the logic, this must ultimately translate to an increased risk of cash flow issues and law firm failures.
Redundancies and grievances may therefore rise, in turn increasing the likelihood of employment claims and settlements.
Law firm mergers and closures are likely to increase, as those unable to cope with the new normal looking for exits. All of these issues create compliance and regulatory issues.
This has to be fixed sharpish. The absolute shambles of an IT rollout has caused incalculable lost hours in trying to figure out practising renewals and other notifications.
At a time of such external pressure, firms can ill afford to be stuck trying to figure out how to work around a broken system.
Not only that, but the authorisation and notification system is now so unnecessarily complicated that there is a real risk that the SRA will have increasingly inaccurate data about those it regulates.
Not because firms are not willing to engage with their regulator. But because they can’t figure out how.
What else should be on the SRA Risk Register? Let us know what you think.