1.1 Who should read this practice note?
- Managing partners, practice managers and staff of firms which hold a client account and who are responsible for:
  - the secure management of the client account
  - the firm's information security
  - the management and day-to-day operation of the practice
  - the firm's professional indemnity insurance (PII)
  - business continuity management and handling their clients' business when something goes wrong
- Compliance officers for legal practice (COLP) and compliance officers for finance and administration (COFA)
1.2 What is the issue?
Firms holding client accounts are vulnerable to the risk of theft of confidential data which could lead to the theft of client money held in client accounts. Firms of all sizes can be targeted. The effect on the scammed firm can be extremely serious both financially and reputationally.
You must immediately take certain actions if you find or suspect that your firm has been the victim of a scam, resulting in your client account being compromised:
- Inform your bank.
- Inform the police at the National Fraud and Cyber Crime Reporting Centre on 0300 123 2040.
- Inform your professional indemnity insurer.
- Inform the Solicitors Regulation Authority (SRA) by telephone on 0121 329 6827 or email at firstname.lastname@example.org.
These actions could help safeguard your clients' money and potentially your firm's reputation and even its viability.
A firm's resilience and ability to recover will vary according to individual circumstances and the nature of the perpetrated scam. In the worst-case scenario, in a firm where the equity partners do not have limited liability or have made personal financial guarantees, the scam could lead to bankruptcy of individual partners and the firm's closure. Members of an LLP may, in limited circumstances, be held liable.
This practice note outlines the regulatory and legal requirements that apply when a firm's client account has fallen victim to scammers. It provides advice which aims to help the firm overcome problems which might otherwise lead to its failure and forced closure.
There are a number of reporting obligations that the firm needs to discharge immediately.
The firm must also restore the client account funds without delay. Its partners might be personally liable for the client fund shortfall.
There are then further actions necessary to bring about the firm's recovery and to improve security to the firm and to its systems.
This practice note is not concerned with advice on how to protect your firm from scams and cybercrime generally. In view of the changing nature of the methodologies and the increasing sophistication of scams, solicitors and non-qualified staff in firms should keep their knowledge of good and bad practice up to date by following advice from the SRA, the Law Society, their banks, their professional indemnity insurer, and organisations concerned with cybersecurity. Sources of such information are listed at the end of this practice note along with other useful information.
Firms should ensure that incident response policies and procedures are regularly reviewed and kept up to date. They should remain alert to potential warning signs so that they can take averting action and undertake due diligence where possible.
1.3 How do scams occur?
All institutions holding funds are vulnerable to sophisticated targeted attacks from fraudsters, for example through emails or telephone calls.
Criminals use a variety of ever-changing and increasingly sophisticated means, electronic and/or verbal, involving impersonation and/or infiltration, in an attempt to obtain confidential financial information and data with the aim of stealing money from bank accounts. A firm's client account can be targeted in this way. Banks and clients can also be targeted in an attempt to defraud the client account.
To make their scam appear credible, the criminals may use tactics such as convincingly passing themselves off as calling from a bank, or referring to the details of a genuine transaction which they have acquired dishonestly. Or they may use the names of law firms, solicitors, parties to a conveyancing transaction, beneficiaries of trusts and wills, or persons linked directly or indirectly to a client account, to make their activity seem credible.
2. What you must do immediately if you discover your firm's client account has been scammed and who you must inform
2.1 Regulatory and legal implications
Operating a compromised client account risks being regarded as a breach of trust and also as constituting serious misconduct because of the impact on clients.
It is essential that in the immediate aftermath of the incident you do everything that you can to contain the situation. This means engaging with the following organisations without delay in order to limit the damage and bring about the best possible result in rectifying it.
2.2 Informing your bank
You must contact your bank immediately if you suspect there has been an unauthorised or suspicious withdrawal from your client account. Delays in contacting the bank could lead to further loss of funds from the client account and reduce the opportunities to make recoveries.
Ask your bank's relationship manager and its fraud department to help you contain the losses, secure and protect the account and records and assist where possible in recovery of funds taken through criminal activity.
It is advisable to keep a record of the content and times of your communications with your bank.
While each bank may react differently and according to the individual circumstances, your bank can be expected immediately to freeze the client account to prevent further losses. The bank can also be expected to contact the receiving bank without delay to attempt to recover lost money, if the fraudsters have not yet taken it out from the receiving bank account.
The bank will also co-operate with and support any police investigations to ascertain what has happened.
2.3 Informing the police
You must inform the police straight away that your client account has been compromised.
To report fraud, including online or internet crimes and to receive a police crime reference number, contact Action Fraud at the National Fraud and Cyber Crime Reporting Centre on 0300 123 2040, or via the business section of its website.
2.4 Informing your professional indemnity insurer
You must inform your insurer under the terms of your PII policy of any claims or circumstances that may give rise to a claim.
This triggers a claim under your PII policy for the loss sustained to the client account.
When notifying insurers of the claim and circumstances, you should also consider your duty of client confidentiality; O(4.1). Client confidentiality and legal privilege can only be waived with the express consent of the client. There is no effective waiver of privilege where a client has not yet made a claim against the firm. You should describe to the insurer the nature of the problem without providing client details.
The situation is more straightforward if your terms of engagement or retainer made clear that, if your firm has to make a notification under its professional indemnity policy of information about the client and the client file, the client file may in those circumstances, in the absence of the client's prior objection, be seen by an assessor or another person unconnected with the firm.
2.5 Informing the SRA
You must inform the SRA promptly on 0121 329 6827 or email at email@example.com.
The SRA will work closely with you to safeguard your client's interests. It might also be able to assist in expediting the police involvement.
Funds stolen from the client account will amount to a breach of the SRA Accounts Rules 2011 because the rules impose absolute liability regardless of personal fault.
If you are a compliance officer for legal practice (COLP) or compliance officer for finance and administration (COFA), you have additional reporting duties. These are set out in rule 8.5 of the SRA Authorisation Rules for Legal Services Bodies and Licensable Bodies 2011.
The theft may put the financial viability of your firm into immediate question if the amount stolen and needed to be immediately replaced exceeds the means of those liable to repay it. Chapter 10 on 'You and your regulator' of the SRA Code, particularly outcome 10.3, applies:
Outcome (10.3) - You notify the SRA promptly of any material changes to relevant information about you, including serious financial difficulty, action taken against you by another regulator and serious failure to comply with or achieve the principles, rules, outcomes and other requirements of the Handbook.
IB(10.4) - Notifying the SRA promptly when you become aware that your business may not be financially viable to continue trading as a going concern.
2.6 Informing affected clients
If a particular client's money has or may have been stolen in the scam, you must inform the client - O(1.16): 'you inform current clients if you discover any act or omission which could give rise to a claim by them against you'.
You may wish to say to the client, preferably with your insurer's agreement, that you will be notifying your insurers and will be passing on the client's details.
2.7 Ensure you do not compromise your insurance coverage or fall foul of the reimbursement provisions
Ideally, you should get agreement from the insurer on what you may tell clients and other parties.
Do not make any admission of liability or any offer of settlement to any third party without specific consent from your insurers.
Do not disclose the involvement of your own insurers beyond the extent to which you are required to do so. Firms must disclose certain insurance details to clients and/or claimants; the obligation to disclose comes from two different sources, the SRA Indemnity Insurance Rules and the Provision of Services Regulations 2009. Both of these apply only to the compulsory element of the insurance, that is, the minimum terms and conditions of cover. This means that only details of the primary layer insurer have to be provided.
2.8 Informing other clients and other parties
This is dealt with under Section 5 - the practicalities of dealing with client monies after a shortage has been identified.
3. What you must do next - putting into effect an action plan
The precise order of urgency for the next steps will depend on your individual circumstances and on what the SRA and other agencies advise, but the following steps will most likely need to be put into action in parallel.
Drawing up a plan of action will help you demonstrate to the SRA, your bank and your insurer that you are acting professionally and responsibly, with serious intent to limit damage, safeguard the public interest and restore confidence in your business as a going concern.
The following indicative behaviours from the SRA Handbook are relevant here:
IB(10.1) - actively monitoring your achievement of the outcomes in order to improve standards and identify non-achievement of the outcomes.
IB(10.2) - actively monitoring your financial stability and viability in order to identify and mitigate any risks to the public.
IB(10.5) - notifying the SRA of any serious issues identified as a result of monitoring referred to in IB10.1 and IB10.2 above, and producing a plan for remedying issues that have been identified.
3.1 Cyber-incident response
In the immediate aftermath of a cyber-based scam, you should decide if you need to make use of a Cyber Incident Response (CIR) service.
CIR services should be well-placed to advise you on what action needs to be taken. They should have proven knowledge and experience that will enable you to contain the incident and prevent recurrence.
The government has certified a number of providers. Further information, along with contact numbers, can be found on the CIR service website.
Unless you have relevant add-on insurance to your standard PII policy, the cost of these services is unlikely to be covered.
If you hold cyber-insurance, depending on the extent of its cover, you might be able to get assistance with or recover some of the following costs:
- costs of response
- neutralising cyber-infection
- putting right damage to, or loss of information from, IT systems and networks and of data breach
- informing clients and reputational damage
- fines (where insurable by law)
Cyber-insurance is still an immature market. You should seek advice from your insurer and broker as to what a cyber-insurance policy covers.
3.2 Replacing the stolen funds - plan of action
You should be able to demonstrate that you have taken prompt action to inform your bank and to contain the damage.
The SRA regards a deficiency in the client account as exposing clients and others to a risk of financial loss and damage to public confidence. The SRA will expect urgent assurances from you that you have put in place measures to replace the stolen funds without delay. The SRA has published a Warning notice: Money missing from client account which sets out its expectations.
It should be possible to obtain early indications from either the insurer or the bank or both (depending on the circumstances) as to the steps they are prepared to take to replace the funds.
Under the SRA Accounts Rules 2011, it is your duty to remedy breaches.
Rule 7 of the SRA Accounts Rules 2011 provides that any breach of the rules must be remedied promptly upon discovery, including money improperly withdrawn from the client account.
If the bank and/or insurer delays in replacing or refuses to replace the stolen funds, the SRA might require the principals to do so from their own funds. Specifically, rule 7.2 states:
'This duty extends to replacing missing client money from the principals' own resources, even if the money has been misappropriated by an employee or another principal, and whether or not a claim is subsequently made on the firm's insurance...'
If the client account shortage continues, the SRA might deem the firm to have committed serious regulatory breaches.
3.3 Professional indemnity insurance
As part of the assurances the SRA will seek from you as to how you will replace the stolen funds, the SRA will want to know whether you have submitted a claim against your PII policy and whether and when the insurer is likely to pay.
The definition of a claim in the PII Minimum Terms and Conditions (MTC) wording provides that an obligation on the part of an insured firm to replace a client account shortage amounts to a claim under the firm's PII policy.
The large sums likely to have been taken will usually mean that the insurer can be expected to appoint panel solicitors to investigate. The insurer will probably reserve its rights and investigate coverage. The insurer may also investigate whether the firm can recover its loss from anyone else, for example, from its bank.
The insurer should be able to confirm within two days of being informed by you of the fraud whether it has decided to appoint panel solicitors to commence investigation. This should not, however, in the circumstances, be a reason to delay paying the claim.
Insurers have a duty to treat their customers fairly. Clause 7 of the Participating Insurer's Agreement imposes an obligation on the insurer to act with the utmost good faith in the course of its dealings, as well as to pay claims without avoidable delay after liability under the policy has been established and the amount payable by the insurer has been agreed.
There is a risk that, if the bank and the insurer are plainly uncooperative and persist in their deliberations, the SRA will expect the principals to make good the client account shortage from their own resources in order to meet the urgency of the situation, or will insist upon closure of your firm.
In these circumstances, you may wish to obtain independent expert legal advice to assist you, as this might prove a less financially damaging option than negotiating with your insurer or your bank on your own.
3.4 Obtaining independent expert legal advice
The impact of any delay in making good the client account on the scammed firm's viability while the regulator, insurer and bank carry out their processes should not be underestimated. It could result in the firm's forced closure.
It may be advisable to buy in specialist legal advice to assist you in getting through this difficult phase to ensure the firm's survival.
Information on sources of external expertise is provided at the end of this practice note.
3.5 Other general insurance policies
In addition to your PII policy and any cyber-insurance you might hold, you should check your firm's other general insurance policies for cover and for assistance with reputational damage or business interruption which might help you recover your business.
4. The practicalities of dealing with client monies after measures have been initiated to replace the stolen funds
4.1 Developing SRA policy
Lenders will want to be notified about how a mortgage transaction will be completed. The insurer might also wish to prioritise which clients should be paid first or to pay a client in instalments and refund the balance later.
A deficient account cannot be used (beyond a de minimis transitional period while the extent of the problem is established) because any withdrawal will be a breach of the Accounts Rules. Some degree of tolerance, of a few days and less than a week, would allow plainly identifiable recent receipts to be used for required payments.
However, how you can operate as a firm is far from straightforward.
There are legal as well as regulatory requirements that affect how you might be able to act.
As the SRA's policy in this area develops, so too will this practice note.
In certain circumstances, it may be an offence under Section 3 of the Fraud Act 2009 not to disclose information to others, such as clients, that a shortage to the client account has arisen as a result of the fraud.
Principle 7 of the Data Protection Act 1998 concerns information security obligations and the penalties for breaching these obligations.
- The Information Commissioner's Office (ICO) advises that you should be clear about who needs to be notified about the breach of data security and why and, for example, you consider notifying the affected parties and the ICO. Links to the ICO's guidance can be found at the end of this practice note.
- The SRA's Warning notice: Money missing from client account takes a robust view of how the regulator perceives the situation.
- SRA principles and outcomes.
The following SRA principles should be taken into account:
- Principle 2 - 'acting with integrity'
- Principle 5 - 'acting in the best interests of each client'
- Principle 6 - 'behaving in a way that maintains the trust the public places in you and in the provision of legal services'
- Principle 10 - 'protecting client money and assets'
The following SRA mandatory outcomes should be taken into account:
- O(1.1) You treat your clients fairly.
- O(1.2) You provide services to your clients in a manner which protects their interests in their matter, subject to the proper administration of justice.
- O(1.12) Clients are in a position to make informed decisions about the services they need, how their matter will be handled and the options available to them.
- O(1.16) You inform current clients if you discover any act or omission which could give rise to a claim by them against you.
- O(4.2) Any individual who is advising a client makes that client aware of all information material to that retainer of which the individual has personal knowledge.
4.2 Recovering the client account
Clients whose funds are needed without delay will need to be informed of the theft and that urgent steps are being taken.
To overcome a barrier to getting your firm back in business, the bank might decide to set up a new client account which will enable you to deposit the funds securely. Your bank will let you know whether and when it can authorise you to use the client account again.
Any new receipts should be credited to a secure client account through which transactions can take place without any impact from the shortage. The usage of the account will have to be in line with SRA requirements.
You may well breach your duty to act in the best interests of clients if you pay client money into an already deficient account without fully informed consent. No properly advised client would pay funds into a deficient account with the risk of only receiving a proportion back. Failing to inform clients exposes them to a risk of loss (see O 4.2).
Until the missing money is replaced, you should not take costs from the client account. The SRA's advice is that you should work closely with the SRA on what you need to do to start operating the client account again. You should consult the SRA's Supervision function in these circumstances, on 0370 606 2555.
Losses from scams have tended to be of two kinds - one leading to a general shortage and one not.
In the former, thieves may gain access to banking details enabling them to operate the account. Alternatively, they may telephone the firm posing as bank employees and persuade them that the client account is at risk and to transfer the monies into a 'safe' account - facilitating the theft. In these scenarios, the money taken could be 'anybody's' and there will be a general deficiency to the client account.
In the second category, as a result of learning about an imminent payment through intercepting communications (typically emails), the thieves impersonate a genuine party in a transaction to instruct the firm to change the destination account for the expected payment. When the duped firm sends the money of client A to the wrong account there will be a liability to A to account for the missing money, and to replace that money, but there is no general deficiency. There is no obligation to pay A from other clients' money, nor does the debt to A mean that other clients' money is affected. Client A would theoretically sue the firm for an account and the firm would be insured in respect of that claim; no one else would be affected.
The SRA in these circumstances would still be expected to insist that the firm makes good the loss without delay.
4.3 Closing your firm
Ultimately, if it becomes clear that money will not be forthcoming from the bank, insurers or from private sources within a timescale acceptable to the SRA, the firm will have to close.
It may nevertheless be possible to arrange for an orderly closure, recognising that the client funds will still need to be replaced.
The SRA might still require recovery of the stolen money from the principals' own funds.
Once again, specialist legal advice might be valuable to the firm at this stage.
5. Recovering your business - reviewing your incident response policy and lessons learnt
If the firm has survived and recovered, you should review the incident to see what lessons can be learnt to prevent further attacks. It is important for the firm to identify how and why the scam was successful. The firm should consider whether the scam resulted from a control failure, or whether correct preventative measures were not in place at the time.
This may involve reviewing and revising your information security, business continuity and incident response policies and procedures, technical controls, staff training and cybercrime awareness.
Your bank, insurers and lenders might insist on verification that these measures have been taken.
You should ensure that all preventative measures are reviewed regularly, and after each attempt to breach your firm's systems (even an unsuccessful one), to confirm that they reflect current best practice, are applied consistently across the firm, and are effective.
A review could also include small but effective steps, such as making sure that all members of the firm know that, if they think they have fallen victim to a scammer or made a mistake which could lead to further loss of funds from the account, they must bring this to the attention of the appropriate person straight away. They should know who within the firm has responsibility for dealing with such breaches (for example, the COLP, COFA or IT manager).
Free help and support is available including training and information-sharing in cybersecurity (see below).
6. Sources of help and support in the event of being scammed
6.1 Practice Advice Service
6.2 External sources
7. Help with awareness and preventative measures
7.1 Law Society advice
Protecting your firm against scams - webpage dedicated to helping firms protect themselves against being scammed and providing them with help and support if they have fallen victim to fraudsters.
Law Society practical tips to protect your firm from scams
Cybersecurity website - guidance, free training, information sharing and accreditation.
This includes a free online CPD course for members developed by the UK government as part of its National Cyber Security Strategy with the support of both the Law Society and the Institute of Chartered Accountants in England and Wales (ICAEW).
The course aims to:
- increase awareness of cybersecurity issues so that you can apply the knowledge in your own context
- help you to protect both yourself and your business
- help you to be more aware of security issues and more confident of discussing these with clients
The course covers:
- what cybersecurity is
- how it affects you and your clients
- why you should care about it
- cyberthreats to your business and you
- cyber-attacks (phishing and hacking) and their impacts
- mitigating the impacts
7.2 SRA advice
7.3 Solicitors' Assistance Scheme
The Solicitors' Assistance Scheme (SAS) offers general confidential help and advice for all solicitors in England and Wales, their families and employees, on professional and personal problems. The first hour of the advice is free.
The SAS website has a list of solicitors who specialise in giving advice on situations where there is a delay in making good the client account due to, for example, disputes about liability. The list can be found at http://www.thesas.org.uk/fraud/
SAS website: www.thesas.org.uk
Telephone: 0207 117 8811
7.4 Law Care
Law Care provides support to legal professionals in the UK and Ireland facing personal and professional problems via a free confidential helpline.
Telephone: 0800 279 6888
7.5 External advice
- Cyber Essentials is a government-backed and industry supported scheme to guide businesses in protecting themselves against cyberthreats.
- Financial Ombudsman Service insight report: Calling time on telephone fraud - a review of complaints about 'phishing' scams.
- Ofcom press statement, June 2014, on measures put in place by Ofcom and the telecoms industry to help thwart the fraudsters behind the 'no hang-up' loophole by which scammers phone up pretending to be from your bank, the police or other law enforcement agency. In order to reassure you they are genuine, the fraudsters suggest you hang up and ring your bank/police straight back. However, the fraudster does not disconnect the call so that when you dial your bank's real phone number, you are actually still speaking to the fraudster or an accomplice.
7.6 Law Society practice notes on related areas
- Information security - managing information within your practice.
- Professional indemnity insurance - your regulatory obligations relating to PII.
- Business continuity - identifying threats and impacts; building the capacity for an effective response.
- Mortgage fraud - protecting you and your firm from being used to commit a mortgage fraud.
- Property and registration fraud - to assist you when acting in property transactions. Fraud targeted at the properties of both individuals and companies, including identity and other types of fraud and the presentation of forged documents to Land Registry for registration.
- Anti-money laundering - to help you comply with the Proceeds of Crime Act 2002, Terrorism Act 2000 and Money Laundering Regulations 2007 and all amending legislation up to October 2013. It also details good practice.
- Closing down your practice - the numerous actions you need to take when closing your practice.