COFAs - PI insurance claims and losses: are your client payment controls robust?

One of the COFA’s core duties is to safeguard client money by ensuring the law firm has sound accounting controls and procedures.

In this edition of COFA Corner, we look more specifically at a law firm’s payment controls. We also look at situations which could potentially lead to a professional negligence claim with the firm’s professional indemnity (PI) insurers or result in a financial loss to the practice.

A legal practice will incur the cost of policy excesses on PI claims and can suffer increases in PII premiums, and a claim also creates a reputational risk for the practice. It should also be emphasised that a law firm cannot place full reliance on the PI insurer to cover the financial losses incurred if the legal practice’s controls are deemed grossly insufficient or if established procedures have been inappropriately overridden.

Scenarios of PI claims and losses linked to payment controls

In our experience, law firms generally have strong payment controls. However, situations arise from time to time where there has been a lapse in those payment controls, resulting in an inadvertent financial loss to the client or to the practice.

Where a financial loss arises from a failure in payment controls, it will have arisen, in the majority of cases, from some form of misdirected payment from the client bank.

Examples of situations where such instances can arise include:

1. Errors which have been made in processing payments to a recipient outside the UK and which have inadvertently been sent to an incorrect overseas bank account. Recovering these can be challenging.

2. Payments made from a client account on behalf of a client or matter, which are not in accordance with an underlying legal document. For example, payments made which do not accord with the instructions contained in a will.

3. Short-term loans from a practice’s own resources to assist a client with a payment in relation to their matter, which are not properly approved. They may have been made on the assurance that the client’s incoming funds will cover the loan, but, for whatever reason, they do not materialise.

4. Data which has been intercepted as a result of cybercrime.

The law firm is exposed in the first two examples because there has been human error in the practice when processing the payment information. For example, the recipient’s bank account number might have been incorrectly recorded as part of the payment process. In these situations there would arguably be some form of legal recourse to retrieve the funds. However, circumstances arise where recovery is not successful, particularly in relation to cybercrime, which presents a real financial risk to law firms.

Examples of payment controls and procedures

The level of controls and procedures required will vary according to the size and structure of individual practices. The controls for a sole practitioner will clearly not be the same as those for a large, multi-office partnership. The following are, however, examples of payment controls that can be considered.

  • When payment requests on the client account are initiated at the first stage of the payment process, someone who has not compiled the primary source should review them.

For example, a payment is made to return a client’s funds. The client provided the bank data at the outset of the matter and the fee earner uses this to enter the payment request into the case management system or onto a payment request slip. The fee earner’s legal secretary or a cashier can, as a secondary check, review the payment request with the primary source data document for accuracy and not just with a payment request slip, which may contain an inadvertent error.

A practice can have rigorous controls over the remaining payment process, but if the initial data has not been cross-checked against a source document and there has been an input error, those rigorous controls will simply be applied to incorrect data from the outset.

  • In accordance with the SRA Accounts Rules 21, only suitable individuals should be authorised to sign on the client bank accounts, and this authority should also extend to the office bank accounts. Authorised signatories to the firm’s bank accounts should be kept to a practicable minimum, and an authorised individual should be removed from bank mandates etc. when she or he leaves the practice.
  • Where a banking payment system requires two-stage login authentication to process, say, a TT/CHAPS payment (one person accesses the banking system to enter the data, while another uses a separate login to authorise the payment for release), the process should actually involve two separate people and not the same individual. Ideally those individuals should not be from the same team/department, so as to minimise the risk of collusion, but in practice this is not always possible.

Under no circumstances should those individuals share their login details and passwords to the banking payment system so that another person could action the two-stage authentication on their behalf. For periods of absence, a firm should have additional authorised individuals set up with their own login and password details.

  • A practice should not take lightly the decision to lend funds to a client and there should be a firmly established approval process agreed among the principals. In addition, it is important to have appropriate safeguards in place for such loans, so that the outcome of a client matter is not compromised by the law firm’s own interest in recovering the loan from the client.
  • Always be sceptical of any request to change a payment destination or details that do not follow a usual payment routine. Whether a request is internal or external, a practice should communicate clear procedures to all its staff. These can include the following:
    • Terms of business with the client stipulate at the outset that funds will only be paid to them through a nominated bank account. Any request to pay funds to an alternative account will only be agreed in exceptional circumstances and after all necessary checks have been made.
    • Any requests to send funds to an alternative bank account should be checked with the fee earner responsible or with a principal in her or his absence. The client should be contacted by telephone using the contact number on file, to ensure the instructions do in fact originate from her or him.
    • If any telephone calls are received which require follow-up action, such as contacting the client or bank, it is wise not to attempt to make the call immediately. In addition, use a different telephone line: scammers often remain on the original line, leading you to believe wrongly that you have called your client or bank to confirm the instructions.
    • Any payment requests, particularly by email, should always be viewed with caution. Never assume the payment details contained in the email are correct: always cross-check them with reliable documentation.
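The two-stage authorisation control and the payee-change checks above can be expressed as a release gate in a firm's own payment workflow. The following is an added example written for this page, not code from the article or from Francis Clark LLP; the record types, the `review_payment` function and the sample client and users are all constructed for illustration. It blocks a payment when the initiator and authoriser are the same person, warns when they sit in the same team, and blocks a payment to an account other than the one nominated in the terms of business unless the change has been verified by telephone on the number held on file.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    department: str


@dataclass(frozen=True)
class ClientRecord:
    """Bank details nominated by the client in the terms of business at the outset."""
    client_id: str
    nominated_sort_code: str
    nominated_account: str


@dataclass
class PaymentRequest:
    client_id: str
    sort_code: str
    account_number: str
    amount_pence: int
    initiated_by: User                      # person who keyed the payment
    approved_by: Optional[User] = None      # person releasing it under a separate login
    # Set only once the fee earner (or a principal) has confirmed a change of
    # account with the client by telephone on the contact number on file.
    change_verified_by_callback: bool = False


@dataclass
class ReviewResult:
    released: bool
    blocking: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def normalise(digits: str) -> str:
    """Compare bank details on digits only, so '12-34-56' and '123456' match."""
    return "".join(ch for ch in digits if ch.isdigit())


def review_payment(req: PaymentRequest, client: ClientRecord) -> ReviewResult:
    blocking, warnings = [], []

    if req.client_id != client.client_id:
        blocking.append("request does not belong to the client record supplied")

    # Dual control: two separate individuals, never one person using two logins.
    if req.approved_by is None:
        blocking.append("payment has not been authorised by a second person")
    elif req.approved_by.user_id == req.initiated_by.user_id:
        blocking.append("initiator and authoriser must be different individuals")
    elif req.approved_by.department == req.initiated_by.department:
        warnings.append("initiator and authoriser are in the same team; segregation is weaker")

    # Payee check: funds go only to the nominated account unless the
    # exceptional process (telephone verification with the client) was followed.
    requested = (normalise(req.sort_code), normalise(req.account_number))
    nominated = (normalise(client.nominated_sort_code), normalise(client.nominated_account))
    if requested != nominated:
        if req.change_verified_by_callback:
            warnings.append("payee differs from nominated account; released on verified exception")
        else:
            blocking.append("payee does not match nominated account and change not verified by telephone")

    return ReviewResult(released=not blocking, blocking=blocking, warnings=warnings)


# Constructed sample data for a stand-alone run.
CLIENT = ClientRecord("C-1001", "12-34-56", "12345678")
FEE_EARNER = User("jsmith", "conveyancing")
CASHIER = User("apatel", "accounts")

if __name__ == "__main__":
    ok = PaymentRequest("C-1001", "123456", "12345678", 250_000_00, FEE_EARNER, CASHIER)
    bad = PaymentRequest("C-1001", "99-88-77", "00000001", 250_000_00, FEE_EARNER, CASHIER)
    for label, req in (("nominated account", ok), ("changed account, unverified", bad)):
        result = review_payment(req, CLIENT)
        print(label, "->", "released" if result.released else "BLOCKED", result.blocking, result.warnings)
```

The gate returns a structured result rather than raising, so a cashiering system can log every blocked request and its reason; the warnings (same-team authorisation, verified exception) are the cases the article accepts as sometimes unavoidable and are worth reviewing periodically.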

The examples and tips on payment controls above are by no means exhaustive, but they do provide some practical considerations for COFAs as part of the payment-control environment.

First published in the Jan/Feb 2018 issue of Legal Abacus Magazine. COFA Corner is written by Jason Mitchell, Partner – Legal Sector Specialist at Francis Clark LLP

This publication is produced by Francis Clark LLP for information only and is not intended to constitute professional advice. Specific professional advice should be obtained before acting on any of the information contained herein. While Francis Clark LLP is confident of the accuracy of the information in this publication (as at the date of its production), no duty of care is assumed to any direct or indirect recipient of this publication and no liability is accepted for any omission or inaccuracy.