Having a sound strategy is key to effective management of risk, and no less so when addressing the vulnerability of law firms to the risk of fraud

This two part article is based on a presentation by the author at the Society’s “Many Faces of Fraud” conference at Dunfermline on 24 May. The concluding part will feature in next month’s issue.

To be as effective as it can be, a fraud risk management strategy needs to address:

  • Risk identification/assessment – so that the risks, both from within the firm and from clients and other external parties, are identified and understood properly; and so that gaps and weaknesses in the firm’s controls are identified and addressed;
  • Controls – so that risks are addressed by effective and practical processes and procedures, ranging from staff screening and client vetting processes to signing authorities and segregation of duties;
  • Monitoring – so you can establish that the controls put in place are actually being complied with, and any non-compliances are addressed by modification of the controls and/or training;
  • Training – so that there is an appropriate level of awareness of fraud risks, and so that everyone is clear about the firm’s policy and about their own roles and responsibilities in relation to fraud risk management;
  • Response to a fraud – so that appropriate action is taken to minimise the impact of the fraud, and so that lessons are learned in order to minimise the risk of recurrence;
  • Insurance – so that the firm has/considers the protection afforded by relevant insurances, and so that there is clarity about the extent of the protection those insurances provide and the terms and conditions applying to them. 

Risk identification/assessment

Law firms face the risk of fraud on the part of the firm’s own people, whether partners or employees, and fraud on the part of clients and other third parties.

  • Fraud by partners and employees may involve:
  • theft of client funds or property, e.g. by misuse of powers of attorney;
  • dishonest misapplication/investment of client funds;

theft of the firm’s own funds, e.g. intercepting/ misappropriating cash received in payment of fees; altering the cast of the firm’s payroll to inflate the perpetrator’s salary – even if the individual amounts are relatively insignificant, if this continues undetected over an extended period, the amount misappropriated over time may be very substantial;

  • misapplication of the firm’s money to purchase goods or services or to settle personal debts;
  • misrepresentation to clients concerning the funds held for the client or concerning the performance of investments managed by the firm.

Fraud on the part of clients and other third parties may involve:

  • using the firm to facilitate a fraud or scam, e.g. back to back mortgage fraud or advance fee fraud;
  • having the firm remit client funds to/for the benefit of the fraudster (see case study, part1);
  • altering cheques whether drawn on the practice’s client or firm bank accounts (see the alert by the Society’s Morag Newton, Journal, February 2007, 28: “Fraud: client accounts targeted again”);
  • hacking into or other misuse of the firm’s IT;
  • identity fraud, e.g. fraudsters masquerading as proprietors of property instructing solicitors to sell property on their behalf. A scenario, discussed in the 2007 Risk Management Roadshow, is described in the August issue. The Society has, for some time now, been warning the profession of property-related scams, for example Journal, March 2005, 48:

“…fraudsters have obtained mortgage finance over unsecured properties by purporting to be the proprietors. In each case the fraudsters have obtained extracts of the titles either by way of a substitute land certificate or extract sasine titles. They have taken these extracts to a solicitor with whom they have no previous connection and usually in a town other than the town in which the property is located.

“In each case they have produced driving licences and utility bills by way of identification, although it now transpires that the driving licences would appear to be extremely clever forgeries. The properties were unencumbered and the funds were deemed to be required either for the purchase of a property abroad or for refurbishment of the existing property. It is likely that the real owners of the properties are working abroad and that the properties were tenanted out, which would have enabled the fraudsters’ access to them for the purposes of having surveys carried out.

“In two of the four cases the solicitors received signed mandates from the purported owners for the funds to be telegraphically transferred to a third party. In the other two cases the funds were transferred to the individuals’ bank accounts, which would appear to have been fraudulently set up for that purpose.”

Risk assessment

Can you state confidently that the risks mentioned above do not exist and could not arise in your practice? It is no answer to state, in response, that everyone in the firm is honest or that anti-money laundering and other checks are carried out on new clients or that you are certain that anyone stealing money would be detected straight away.

Perception: “If anyone is stealing money, our auditors would spot it.”

Reality: Is that the auditors’ role?

The experience and research in relation to fraud doesn’t support that view of things. The harsh reality is that:

  • colleagues who are considered utterly trustworthy and honest are capable of committing fraud, given the motivation and opportunity;
  • frauds are capable of going undetected for long periods of time because the perpetrators know that they are trusted and exploit weaknesses in the firms’ controls and monitoring arrangements.

Perception: “Our employees have proved themselves honest and completely trustworthy.”

Reality: Experience shows that otherwise loyal and honest colleagues can be capable of dishonesty when motivation and opportunity arise.

Risk controls

Do you have risk controls in place in your practice that would prevent a fraudster perpetrating a fraud, or promptly detect fraudulent activity if it did occur? If not, consideration ought to be given to addressing identified risks with appropriate risk controls, awareness training and monitoring.

Risk controls start with a clear statement of the firm’s policy in relation to fraud risk management, and visible commitment from the top of the firm. The firm’s policy establishes clearly the culture of the firm, marking the firm out as no soft touch so far as fraudsters, internal or external, are concerned. It makes it clear to staff that there will be the toughest possible response to fraud and a zero tolerance approach to non-compliance with the firm’s fraud risk management control procedures.

Visible commitment from the top supports the statement of policy and evidences the culture.

It undermines the firm’s position if partners are seen to pay only lip service to the firm’s policy and controls.

A wide range of controls may be appropriate, depending on the areas of risk identified and the nature of the firm’s activities and operation. Examples of controls, for illustration purposes, will be provided in the concluding part of this article in next month’s issue; and see case study, part 2.

Perception: “We are careful in the selection of our employees.”

Reality: If colleagues are seen as presenting little risk, what about clients?

To address the risk posed to the firm by dishonest clients, risk control starts with the firm’s vetting criteria and engagement process. Vetting considerations should address the following points:

  • Consider what the firm’s criteria should be for taking on a new client/instruction.
  • Establish why the prospective client contacted you/your firm.
  • Check the source of any recommendation.
  • Satisfy yourself that the client actually exists. For companies, obtain evidence of incorporation.
  • Does the person instructing you have authority? Consider, for instance, individuals instructing you on behalf of himself/herself and their spouse.
  • Consider the implications for the firm’s reputation in taking on a particular client or instruction.

Better to be safe rather than sorry after the event that the firm took on a particular client which later abuses the firm’s trust. Always remember the firm is not obliged to accept any client or any instruction.

The concluding part of this article, in next month’s issue, considers the need for monitoring of compliance with risk controls and for training to ensure risk controls are effective. If, in spite of the firm’s prevention strategy, a fraud is detected, what action needs to be taken to mitigate the impact on the firm? Next month’s article addresses both that and the extent to which insurance is available to cover losses and investigation costs.


CASESTUDY: PART1 – REMITTING CLIENT FUNDS

At the conclusion of a commercial property sale, a cheque for the £350,000 sale price less the fees and outlays was issued to the clients, ABC Limited, along with a statement explaining everything. A day or two later, the Finance Manager from the company telephoned the senior assistant in the firm who had handled the transaction and arranged for the cheque to be cancelled and replaced with a cheque made out to ABC (Guernsey) Limited. A week after the replacement cheque was uplifted from the solicitors, the Finance Director of ABC Limited contacted the senior assistant, irritated that the sale proceeds hadn’t been received and asking for an explanation. Although the Finance Director had been led to believe that his subordinate was currently on holiday, he had in fact disappeared having deposited the replacement cheque in a bank account controlled by him. What risk controls would be appropriate to prevent a recurrence?


CASESTUDY: PART 2 – RISK CONTROLS

Referring back to the case study earlier (ABC Limited), a variety of risk controls may be appropriate, including the following possible measures.

Terms of engagement might specify that the firm will not accept verbal instructions to change or amend cheque payments. Considering the issue of who has authority in a limited company, it might be appropriate to specify pre-agreed parties authorised to give or vary cheque payment instructions. For all the foregoing reasons, it may be appropriate simply to state categorically that cheques/transfers will be issued in the client company name and in that name alone.


ALISTAIR SIM AND MARSH

Alistair Sim is a director in the FinPro (Financial and Professional Risks) National Practice at Marsh, the world’s leading risk and insurance services firm. To contact Alistair, email: alistair.j.sim@marsh.com

The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.

Marsh Ltd is authorised and regulated by the Financial Services Authority.

Share this article
Add To Favorites