With lockdown across the country and many of us forced to work from home, Rebecca Atkinson, Director of Risk at Howard Kennedy, asks how we can remain compliant during this period.
Client due diligence—verifying ID
Client due diligence (CDD) is more important than ever. However, the way we do this may need to altered in order to comply with lockdown measures while simultaneously ensuring a suitable standard of compliance.
There are five key steps to CDD:
- Obtaining ID documentation
- Verifying ID documentation
- Conducting a client and matter risk assessment
- Understanding the purpose and nature of the transaction
- Conducting ongoing monitoring
Verifying a client’s ID in person during this time will be mostly impossible as will be your client’s ability to have their ID verified by an appropriate third party. Some options are:
- Video call your client and ask that they hold up their photo ID and show it to you. Ask the client to send a photo of their ID that they have shown. The solicitor who had the video call can then certify the copy ID as a true likeness of the individual who they have met via video.
- If a video call is not available, ask the client to hold their photo ID next to their face, have someone take a photo of them and then send that photo to the solicitor with conduct of the matter. The solicitor should then view the photo and can certify the photo as a true likeness of the individual.
- If the above cannot happen (maybe because the client is on their own and they cannot manage taking a photo in this way) ask the client to take a photo of their photo ID and then a separate photo of themselves (a selfie) and email those to the solicitor who can then inspect the photos and again certify the photo as being a true likeness of the individual.
It is very unlikely during this time that clients will be able to send certified proof of address so you could consider taking two forms of proof of address instead.
It’s important not to relax your rules around CDD during this time as money launderers will be looking at this period as an opportunity.
Be aware of cyber criminals
Cybercrime is always with us but you may be experiencing an increase in attempts to trick your staff and clients. Here are some top tips on how to handle cybercrime:
1. Penetration testing
This involves paying someone to try and hack you! A penetration tester will test your network and website to find security vulnerabilities that an attacker could use to attack your firm and report these back to you.
2. Phish your own people
An effective (and fun) way of testing your vulnerabilities is to phish your own people in the firm. There are technology companies out there that can create realistic fake emails that invite the recipient to click on a link. This is a good way to test how vulnerable you are as a firm – although in the current climate you should warn your staff you may be testing them.
3. Have a clear internal reporting route
It is important that everyone in the firm understands how and to whom suspicious activities should be reported. Consider setting up an email group with an appropriate title such as ‘Cyber Concern’ or ‘Threats’ and have an internal process whereby any suspect email is checked by your IT team for safety. Whatever your reporting procedures it should be made absolutely clear what the recipient of a dodgy looking email should do.
4. Buy similar sounding domains
Fraudsters will attempt to impersonate your firm by buying similar sounding domains to pass themselves off as your firm. You can mitigate this somewhat by purchasing domain names that sound like your firm (as far as possible) and they are usually inexpensive.
5. Show when emails come from an external source
To counteract impersonation fraud, you may wish to set up your emails so that when they are received from an external source the email clearly indicates this. Fraudsters can make an email address from which the fake email is being sent look legitimate with the correct email address showing.
6. Cyber-attack simulation round table testing
Don’t wait to get back into the office to do this. Set up a virtual round table with fee earners, managers and staff and run through some scenarios.
Information Security on new software
We are all reaching for the next piece of software to make working remotely easier. This could be in the form of scanning apps, video conferencing, electronic signatures or instant messaging. Make sure that your firm has vetted these before your people start using them. Did you know that having WhatsApp on your mobile phone shares the contacts on the phone with Facebook? Carefully consider the security aspects of all new pieces of tech before the firm agrees to their use and make sure your people know they cannot download and use a new app without firm permission.
Supervising from a distance
Remember that supervision is a way to support colleagues and this is needed more than ever during lockdown. Think of ways to ensure supervision continues in your firm by considering the following:
- If you can, video call your people – it is not the same as face to face but better than a phone call
- Try and have a regular catch up slot
- Check workloads especially if the fee earner has reduced their hours
- If fee earners have been furloughed re-allocate their work
- Use shared calendars to keep up-to-date with work in teams
- Encourage people to share what they are working on
- Continue file reviewing and checking work and the post