Are you getting complacent with compliance?
It's easy to get comfortable when working from home. But with complacency comes the risk of non-compliance with your regulatory obligations. Jessica Clay provides a refresher on your duties, the risks involved in remote working and how to stay compliant.
The SRA Standards and Regulations (StaRs) may have had a mixed reception since their launch in November 2019, but they have certainly provided an opportunity to take stock of how you practise and introduce essential steps to ensure ongoing compliance with your regulatory obligations.
However, with the move to hybrid working, there's a risk of complacency creeping in as we become more comfortable, which could leave us exposed to some fundamental risks in respect of compliance.
In this article, I provide a reminder of some of the risks in working remotely, and some practical tips on how you can stay compliant in case you've slipped into bad habits.
The key provisions
There are key provisions within the StaRs to be aware of when considering how best to ensure compliance with your regulatory obligations, and which might be engaged in the event of non-compliance.
- Principle 2 – you act in a way that upholds public trust and confidence in the solicitors’ profession and in legal services provided by authorised persons
- Principle 7 – you act in the best interests of each client
SRA Code of Conduct for Solicitors, RELs and RFLs (Code for Individuals)
- Paragraph 4.2 – you safeguard money and assets entrusted to you by clients and others
- Paragraph 6.3 – you need to “keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents”
For those with supervision responsibilities, paragraphs 3.5 and 3.6 are also key.
These state that where you supervise or manage others providing legal services, you:
- are accountable for their work
- must effectively supervise their client work
- must ensure that those you manage are competent to carry out their role, and keep their professional knowledge and skills, as well as their understanding of their legal, ethical and regulatory obligations, up to date
The risks in working remotely
Documentation and removable media
Transporting hard copy documents and keeping them at home, rather than in offices with the necessary security, systems and controls in place, inevitably increases the risk of loss of confidential information and of data breaches.
You can minimise this risk by, wherever possible, working digitally and avoiding working from hard copy documents.
This includes taking fewer handwritten notes during phone calls or virtual meetings.
Instead, consider typing contemporaneous notes or, where this is not possible or preferable, seeking support from colleagues to do this on your behalf.
If working electronically in this way is not possible, consider transporting and storing documents in a locked receptacle.
If you have supervision responsibilities, you may want to stipulate the types of lockable storage you would prefer individuals to use, wherever possible. A large lockable filing cabinet or lockable drawer within a desk is likely to be harder to steal than a portable lockable rucksack.
Where this is not possible, remember (and remind others) to keep your working environment as secure as possible, by setting a home security alarm and/or closing windows when you/they go out.
Avoid using removable media to transport data and, if it does need to be used, ensure the device is encrypted.
Data and cybersecurity
Think about your day-to-day ‘home office’; where necessary and indeed where possible, try to work in a private environment where others cannot overhear your confidential conversations.
If you share your working space, think about wearing a headset, so at least one half of your conversation cannot be heard.
The same applies to your computer screen: make sure its content is not visible to others when it should not be.
You should also:
- avoid predictable passwords and consider using password managers
- update your password regularly
- regularly re-boot your computer and run updates, so that your antivirus software remains effective
- use two-factor authentication for email and log-ins, where possible
- verify email addresses by independent means wherever possible, and password-protect attachments (with the password being provided separately), to best protect against potential breaches
The ability to ‘share your screen’ through Teams and Zoom should be used with caution and, in some circumstances, limited to internal meetings.
In virtual meetings:
- only share appropriate material/data with the parties in attendance
- disable email pop-ups, so that confidential information is not inadvertently displayed to others whilst screen-sharing
- if you are sending people into, for example, separate ‘Zoom rooms’, check this has worked properly before commencing a discussion
- verify all attendees before starting to discuss anything confidential
The themes of accountability and exercising your judgement pervade the StaRs.
Wherever we are working, we remain accountable for our actions and we also need to be able to justify why we have acted in a certain way.
It is also a reminder to us all that working remotely should not lead to a relaxed attitude towards the importance of one’s regulatory obligations.
You should be aware that you are responsible for the professional judgement you exercise, and that any decisions you make on a particular case, particularly on complex issues where you could have arrived at a different outcome, should be carefully recorded. This should include reasoning for why you have chosen to act in a certain way, so that you can justify decisions, should you need to.
The SRA’s Enforcement Strategy recognises, however, that mistakes do happen; clear record-keeping will therefore help to distinguish between honest mistakes and less excusable ones.