Firms can face many challenges in relation to breaches:
- Staff not understanding what a breach is
- Staff fearing the reaction they will get from reporting a breach
- What needs to be reported to the Solicitors Regulation Authority (SRA)
- Confusion over the reporting of breaches by non-solicitor employees
- Compliance officers being challenged by fellow partners over-reporting to the SRA.
A key piece of breaking news was covered in the webinar relating to the confusion over the reporting of serious matters to the SRA by non-solicitor employees; in essence, the SRA’s confirmed view is that there is no specific requirement for a non-solicitor employee to report serious breaches directly to the SRA, but they can if they want to and their firm must allow them to do so and not subject them to detrimental treatment. The SRA goes on to say that “non-solicitor employees have an important role to play in escalating any concerns that they have over serious breaches internally, so that firms can comply with their reporting obligations”. For full details see our reporting clarification blog.
A number of incidents have surfaced over the years where compliance officers have suffered detriment at the hands of fellow partners after reporting serious matters to the SRA, including being forced to resign from their firm or being removed from the office of compliance officer; although this is now forbidden there is still likely to be internal conflict about the commerciality of reporting issues to the regulator.
All the Standards & Regulations come into play when looking at breaches, so having a proper understanding of them and how they apply to a particular role is crucial.
In addition to having an understanding of the Standards & Regulations, you also need to look at the SRA Enforcement Strategy, which goes into more detail about reporting and the approach taken over enforcement.
When assessing the seriousness of a breach you will need to consider things like:
- The nature of the allegation
- Intent/motivation behind the breach
- The harm caused by individual’s/firm’s actions and impact on the victim
- Vulnerability of client.
Examples of serious breaches:
- Sending sensitive data to the wrong place
- Hiding matters from a client that could lead to a claim
- Falsifying documents
- Making hidden profits
- Using the client account as a banking facility.
Although the SRA does not specify a format for making a report it is important to include the information it would expect to see, for example:
- Type of report (breach, serious misconduct, for investigation by the SRA)
- Reason for the report
- The Standards & Regulations that have/may have been breached
- Reason(s) for concluding the matter is serious.
Many firms get very concerned about having to make a report to the SRA, but experience has shown that if you take an appropriate approach and show you have learned lessons and will do all you can to avoid similar issues arising in future it will leave matters to rest; even where the SRA investigates further it can be the individual it focuses on rather than the firm itself.
If you don’t make a report when one is necessary, and you later get caught, you could face the following consequences:
- Withdrawal of authorization
- Reputational damage from enforcement action
- Loss of accreditations
- Loss of insurance cover/increased premiums
- Loss of clients
- Loss of staff.
We all make mistakes, it how we handle and learn from them that makes the difference; hiding things is not an option as at some point they will come out!
Five steps to effective breach management
- Put in place effective breach management policies and procedures
- Train all staff on breach management
- Create and maintain a breach register
- Report to the SRA promptly when appropriate
- Create an appropriate breach reporting culture.
Breach management was discussed in our final webinar of our recent four-part webinar series ‘Working with the SRA’s Standards & Regulations (STaRs)’ which ran throughout February.
The webinars examined some key areas of risk that law firms are exposed to and how the Standards and Regulations apply to them. These included:
- Risk Management
- Risk-Based File Audits
- Complaint Management
- Breach Management.
You can still watch them here on demand.
Alternatively, you can request a free demo of our Risk and Compliance software here.