The ripples are still being felt from the recent cases of Purrunsing, P&P and Dreamvar. How are law firms responding, especially in the current limbo before the P&P and Dreamvar appeals? Maria Shahid investigates
Property fraud, both in terms of cybercrime and in the more traditional sense, is becoming an increasing concern to all those involved in the conveyancing process, and a spate of recent decisions has caused solicitors to question existing processes and practices. Should letters of engagement exclude any duty to undertake checks on the seller’s identity? Should further enquiries be made of a seller’s solicitor about the identity checks made by them, particularly in high-risk transactions? Should firms consider taking out specialist cyber-insurance cover?
In this article, I outline the three most prominent key recent fraud cases, and look at how a number of firms are responding to this trend.
In Purrunsing v A’Court & Co (a firm) & anor  EWHC 789 (Ch), the seller’s solicitor was unaware that the seller was not in fact the true owner of a property in south London, and purchase monies were transferred to an account in Dubai.
Both sets of solicitors in the transaction were found to be in breach of trust: the duty not to release purchase monies before legal completion is an absolute one, and as the relevant property transfer deed (TR1) was forged, legal completion had not in fact taken place.
Both firms sought relief under section 61 of the Trustee Act 1925 (TA 1925), a statutory provision that allows a court to relieve a trustee from liability where they have ‘acted honestly and reasonably and ought fairly to be excused for the breach of trust’.
His Honour Judge Pelling refused to grant relief. The supposed seller of the property had provided an address different to that of the property and to that of the alternative service address as stated on the Land Registry register, and the seller’s solicitor had made no proper attempt to carry out ‘risk-based due diligence and comply with anti-money laundering regulations’. Importantly, no documentation was obtained linking the seller to the property. Similarly, the buyer’s solicitor should have been more alert and not satisfied with the answer they received on whether the seller was entitled to sell the property, and they should have communicated this concern to their client.
Both sets of solicitors were found to ‘bear equal responsibility for the loss’ suffered by the buyer.
Beth Holden of Anthony Gold solicitors, who acted for the claimant, said: ‘The public are entitled to look to the professionals to protect against fraud, even the estate agents who market the property. In this case, we see the court saying that conveyancers on opposite sides of the transaction have joint responsibility to protect the purchaser’s money, no matter who their client is.
‘Old doctrines of buyer-beware and solicitors’ warrantees of identity are not substitutes for compliance with strict requirements of anti-money laundering regulations and the duty to actively protect the transaction from fraud.’
The decision in Purrunsing contrasted with that in P&P Property Ltd v Owen White & Catlin LLP & anor  EWHC 2276 (Ch), later the same year, with the purchaser (P&P) failing in its claim against the fraudulent seller’s solicitor, as well as the estate agent.
Similar to Purrunsing, P&P involved a vacant property, which the fraudulent seller claimed he owned. When the true owner discovered what had happened, P&P brought a claim for breach of authority against Owen White & Catlin (OWC), as well as the estate agent, a Winkworth franchisee. This claim was based on breach of duty as well as breach of warranty of authority.
Robin Dicker QC, sitting as a deputy High Court judge, ruled that solicitor checks were designed to reduce the risk of fraud, but could not eliminate it. OWC only warranted to act on behalf of the person purporting to be the owner, and not the true owner. The breach of warranty claim failed.
The court in P&P distinguished Purrunsing on the basis that different versions of the Law Society’s Code for Completion by Post were used in the two cases: in Purrunsing, the 1998 version was used, which requires the funds being held on trust until satisfactory completion; whereas in P&P, the less stringent 2011 version was used, which contains wording to the effect that if completion takes place straight away, then the completion monies are not held on trust by the seller’s solicitor.
While the decision in P&P was welcomed by conveyancing solicitors for its pragmatic stance, their relief proved short-lived: not only has leave to appeal been granted, but a few months later came a decision which has seemingly placed greater responsibility on a buyer’s solicitor to verify the seller’s identity.
The decision in Dreamvar UK Ltd v (1) Mishcon de Reya (2) Mary Monson Solicitors Ltd  EWHC 3316 (Ch) involved a successful claim against City firm Mishcon de Reya by a client purchaser.
Dreamvar based its claim against Mishcon on negligence for failing to seek an undertaking from the seller’s solicitor that it had taken reasonable steps to establish its client’s identity, as well as failing to identify features of the transaction which suggested an increased risk of fraud. The second part of the claim was based on breach of trust.
Separately, the purchaser also brought a claim against Mary Monson, the seller’s solicitor, for negligence, breach of warranty of authority, and breach of an undertaking that it had authority from the real owner of the property.
The court dismissed all allegations of negligence against Mishcon. In particular, it rejected the argument for an undertaking, holding that this was contrary to standard practice in the profession.
However, deputy High Court judge, David Railton QC, did allow the claim for breach of trust against Mishcon, holding that it was an implied term of its retainer that it would only release purchase monies on completion of a ‘genuine purchase’. Furthermore, it was not entitled to relief from breach under section 61 of the TA 1925. Given that Mishcon had professional indemnity insurance (PII) in place to cover any loss, it was in a better position to deal with the consequences of the fraud than its client.
Leave to appeal has been granted in Dreamvar and P&P, and the conjoined appeals are due to be heard in February 2018. In the meantime, firms acting on behalf of buyers are left wondering what additional steps they should take to protect themselves from a similar scenario. I asked a number of firms about how they have chosen to respond to this recent case law trend.
David Pett is a solicitor and conveyancer at MJP Conveyancing in Norwich. He believes that, following these judgments, buyers’ solicitors should review their retainers. He says: ‘An express authority should be added which makes it clear that the buyer client is giving you authority to release funds received from the client, on the basis that you, as the buyer’s solicitor, are unable to guarantee that the seller is in fact the registered proprietor.
‘You would need to add, to ensure the term could be viewed as fair, that you will do everything expected to identify fraud and to alert the client of any concerns before any funds are released.’
The judge in Purrunsing pointed out that the seller’s solicitor knew of a number of factors which should have alerted them to a possible risk of fraud, including that the property was unoccupied, not subject to a mortgage, and of a reasonably high value, and that the seller was abroad and not returning to the UK before completion.
Bruno Edenogie is the compliance services manager at Cripps. One of the consequences of Dreamvar for his firm, he says, has been a marked increase in requests from third-party legal professionals. He says that these requests have three elements: ‘First, to provide them with an undertaking that we have taken reasonable steps to establish our client’s identity; second, to consent to their reliance upon the customer due diligence (CDD) that we have undertaken on our client; and third, to enable them to examine what we have done to satisfy ourselves in respect of our client’s identity, including reviewing the identity documents and data that we have used and relied on; so that they may guard against the risk of their client suffering loss as a result of identity fraud by obtaining an enforceable right against us for their reliance upon the CDD that we have undertaken on our client.
‘While we understand the rationale behind these requests, it is an onerous position that we are being asked to accept. We generally refuse such requests, as we are not willing (nor obliged) to accept responsibility or liability to the third firm’s client. We remind the third firm that we (like other regulated firms) are obliged to undertake CDD measures on our clients in accordance with legal and regulatory obligations, and that they should rely upon that when considering whether we have complied with our obligations in a particular instance.’
Niall Innes at Mills & Reeve, which acted on behalf of the estate agent in P&P, says that his firm has seen a number of enquiries by buyers’ solicitors asking his firm to warrant that the person who is selling the property is its true owner – questions that a prudent solicitor may not want to answer. ‘When acting for a buyer, we have been issuing guidance to our clients around this issue, explaining to them the potential of the risk for fraud.’
Beyond this trend in case law, the profession has seen a more general increase in fraud in recent decades, and especially, in the last few years, in cases of cybercrime. Figures published by the Solicitors Regulatory Authority (SRA) at the end of 2016 show that email hacks are the most common cybercrime in the legal sector – resulting in some £7m of client losses in 2016. And the most common of this type, making up three-quarters of the total, is the ‘Friday afternoon’ hack, named after the day when most completions take place, where client or solicitor email accounts are hacked, and bank details changed to that of the criminal.
In response, most firms have devised alternative means of communicating bank details with clients, primarily via telephone and, if necessary, by the encryption of emails. Added to this are sometimes lengthy warnings of the risk of fraud in email footers, as well as confirmation of how bank details will be communicated.
David Williams is a senior associate at multi-disciplinary practice, Savage Silk: ‘We do everything we can to protect our conveyancing clients from cybercrime, by sending the bank details out in hard copy, and we ensure the client knows that they will never be advised of a change of these by email.
‘After receiving bank details as part of a transaction, our solicitors confirm these via an established telephone number,’ he explains.
So, firms have clearly had to respond in terms of practice and process, but many are focusing on prevention as well as on training and communication.
Charlotte Gill, divisional director in cyber and TMT practice at advisory, broking and solutions specialists Willis Towers Watson, explains: ‘Employee awareness and training is key. Employees should have sensitivity to suspicious activities, know what to do in the event of a suspected breach, and be fully trained on the threats facing the network… Depending on the size of the organisation, it’s also worth forming a cyber-risk management group to assess the risk, set policies and procedures, and ensure these are revisited regularly. Ensure there is collaboration across corporate functions.’
Clare Hughes-Williams, a partner in the professional risk team at DAC Beachcroft, specialises in defending claims against solicitors, as well as advising insurers. She believes that the legal profession has on the whole responded well to the increasing risks, noting that over the last 18 months or so, an increasing number of firms of all sizes have requested training on dealing with cybercrime and fraud.
Cripps, says Edenogie, has rolled out training covering both fraud in the traditional sense, and cybercrime, especially around the hacking of email accounts. ‘We have training on cybercrime for new joiners, with a particular emphasis on its impact on residential property transactions and our procedures,’ he explains.
‘We have also recently issued firm-wide training on cyber-security, which was based on the firm’s risk profile and its potential vulnerabilities, which we had tested and subsequently addressed.’
He also highlights the importance of communication and collaboration across departments: ‘These cases have caused us to enhance our eagle eye for red flag indicators of fraud, and to ensure that we are following the Law Society’s property and registration fraud practice note. There is greater communication and collaboration between the compliance department and the residential property team, in order to ensure that fee-earners are sufficiently trained to identify red flag indicators.’
Stress-testing of existing security measures is also becoming an increasingly common tool in the fight against cyber-attacks. ‘We recently employed an external company to test our security measures, which include electronic, physical security (ie our reception team and the accessibility of our offices etc), and our staff, in order to ensure that they are not the weak link in our security,’ explains Edenogie. ‘The results were used to update our internal policies and procedures and provide tailored training to our staff on these issues.’
To what extent does existing PII provide firms with cover? While it extends to identity fraud along the lines committed in Dreamvar, grey areas remain around whether insurers will cover increasingly sophisticated cyber-attacks.
Savage Silk’s Williams believes that this needs to change, and that insurers ‘should find a way to assist the profession’. He adds: ‘The question is whether they can do so in a balanced and proportionate manner, so as not to add steps and costs to the conveyancing process that the public consider to be unnecessary and cause undue delay.’
Some firms are turning to cyber insurance as the most effective way of dealing with the issue, not least for the breach response cover insurers provide. ‘These policies often come with an “incident response” package, with access to insurers’ external resources for legal, forensics and PR, as well as cover for business interruption and increased costs of working,’ explains Gill.
Data loss is similarly not covered by traditional PII, which, as Hughes-Williams explains, can be ‘very detrimental to a solicitor’s business’.
‘Ordinarily, solicitors are only liable to their own clients. If you lose data, you could end up being responsible to people who are not your client,’ she adds.
Duncan Sutcliffe, director at commercial insurance broker Sutcliffe & Co, agrees that while traditional PII may inadvertently provide some cyber cover, it generally does not provide the same level of cover as a separate cyber policy. He adds that: ‘There is a growing interest from the profession in this type of cover.’
‘Cyber-attacks are a big threat to law firms,’ he cautions. ‘If they lose a computer it doesn’t matter, but if they lose data, they may as well shut up shop.’
Innes at Mills & Reeve believes insurance may also help. ‘It’s hard to see how the Court of Appeal decision will go,’ he says. ‘At this point, the best solution may be an insurance one, in the form of title insurance, which covers property fraud. You can then give advice that includes an element of risk.’
Firms clearly face a period of uncertainty while awaiting the decisions in the Dreamvar and P&P appeals, but equally clearly, they cannot rest on their laurels in the face of the increasing threats of fraud and cybercrime.