Masterclass: Supporting regulatory compliance through the Lexcel framework
For legal practices and in-house departments Developed and Authored by PDA Legal
Presenter: Neil Partridge
LinkedIn: https://uk.linkedin.com/in/neilpartridge
Email: [email protected]
Telephone: +44 (0) 1372 879343
PDA Legal is a trading name of PDA Projects Ltd, Maple House, Manor Green Road, Epsom, Surrey KT19 8RN Registered in England no. 6813329 VAT reg: 945459780
2. Schedule for today
Approximate timing
• 9:45 – 10:00 Welcome and Introduction
• 10:00 – 10:40 Session segment 1: Lexcel update
• 10:40 – 11:15 Session segment 2: Data Protection controls
• 11:15 – 11:35 Comfort break
• 11:35 – 12:05 Session segment 3: Application of SRA ‘StaRs’
• 12:05 – 12:15 Session segment 4: AML and financial crime
• 12:15 – 12:30 Session segment 5: Q&A, final remarks and close
3. Outcomes from today’s session
Learning points to take back to your practice or department:
• Identification of the relationships between new regulations and their (close)
links to the Lexcel Standard. (‘A measure of reassurance’.)
• Gathering evidence that will support dealing with enquiries from the SRA and
other regulators (to demonstrate compliance).
• Achieving a healthy position to proactively measure compliance with
essentials, such as the GDPR and AML 2017.
• Operate in an environment that promotes a cohesive and collaborative
approach to risk management, client care and strategic growth.
• Enjoy a meshed net approach to identifying, monitoring, mitigating and
managing risk.
4. About the presenter
Neil Partridge: Operations Director, PDA Legal and Lexcel assessor
• >500 visits to legal sector organisations.
• Conducted the training for all Lexcel assessors on the new version of Lexcel.
• Speaker at Law Society 2018 and 2019 Annual Conferences.
• Presenter of Law Society webinars on risk, data protection and Lexcel v6.1.
• Author of articles on data protection, cyber security and Lexcel for the Law Society.
5. About the presenter
• Founded in 1998, by one of the first Lexcel assessors.
• Independent of assessment units and the Law Society.
• Conducted >2000 legal sector visits.
• Consulting and training on GDPR, cyber security, AML, risk and Lexcel.
• File review services and compliance trend analysis.
• Information management/security audits.
• Preparation of registers, plans, policies and procedures.
Further information about our work can be found at our website: www.pda-legal.co.uk
6. New regulations in recent times
Pressure points:
• The General Data Protection Regulation 2016 and Data Protection Act 2018
• The Money Laundering, Terrorist Financing and Transfer of Funds
(Information on the Payer) Regulations 2017
• The Criminal Finances Act 2017; and
• The European Union Financial Sanctions (Amendment of Information
Provisions) Regulations 2017
• SRA 2019 Code of Conduct; Standards and Regulations (‘StaRs’)
7. Lexcel Masterclass
Session segment 1 Lexcel update
8. Lexcel Masterclass
Lexcel update and hot-topics
• 1.3: Business continuity plan; ‘contagion’ and ‘IT Failure’
• 3.1a: The appointment of a data protection leader*
• 3.1b: Register of personal data processed by the firm*
• 3.1c: Handling Subject Access Requests*
• 3.1f: Data Protection Impact Assessments (data protection by design and
default)*
• 3.2h: Register of ALL software used by the firm
• 3.4: Website management policy (esp. Cookies!)
• 3.7: Out of date references to other regulations
• 3.7: Updating to reflect SRA STaRs 2019 (also in 6.2)*
9. Lexcel Masterclass
Lexcel update and hot-topics (continued)
Lexcel includes:
3.7: ‘… a register of each plan, policy and procedure that is contained in
the Lexcel Standard …’
Glossary, page 5 of Lexcel Standard [brochure] for Legal Practices v6.1:
‘…A ‘procedure’ is a written description of how an activity will occur within the
practice. A procedure describes the steps that personnel are required to follow in
order to complete an activity.
At an assessment, a procedure can only be said to be complied with if the
assessor can observe that the procedure contained in the practice’s
documentation is in effective operation…’
And, one person (only): “All procedures must have a named person who is
responsible for the procedure.”
10. Lexcel Masterclass
Lexcel update and hot-topics (continued)
The 2019 SRA Standards and Regulations require:
SRA StaR 2.1: “You have effective governance structures, arrangements,
systems and controls in place that ensure: (a) you comply with all
the SRA's regulatory arrangements, as well as with other regulatory and
legislative requirements, which apply to you;…”
SRA StaR 2.2: “You keep and maintain records to demonstrate compliance…”
SRA StaR 3.1: “You keep up to date with and follow the law and regulation
governing the way you work.”
11. Lexcel Masterclass
Lexcel update and hot-topics (continued)
• Significant changes to recent regulation; changes to procedures.
• Reliance on outdated or templated procedures is leaving gaping holes.
• The infamous phrase: ‘…we have procedures for…’:
• (3.2e) secure configuration of network devices,
• (3.2f) management of user accounts,
• (3.2j) [policy for] training for personnel on information security,
• Interviewed staff voice different ‘perspectives’ on the [unwritten] ‘procedures’.
• Write down what you’re doing.
• Train staff on the requirements.
12. Lexcel Masterclass
Lexcel update and hot-topics (continued)
• 5.1a: Compliance plans
• 5.1b: Risk registers
• 5.8b: Training on conflict of interest
• 5.11c: Complete records of file reviews
• 5.11f: Records of file review trend analysis
• 5.13a&h: AML controls and reviews*
• 5.18i: Risk data analysis; personal data
• 6.1c: Client care policy, prospective clients and new Data Subjects
• 7.5d/e: Up-to-date records of experts and counsel
13. Lexcel Masterclass
Session segment 2 Data protection controls
14. Session segment 2: Data protection controls
The myth:
“Our only significant risks are money laundering, losing a public funding
contract or a claim for professional negligence; everything else is tick-boxing;
right?”
Director of a legal practice
The reality: how would you be able to answer this question?
“If there was a breach or concern about a potential breach in my practice, how
would I go about evidencing my position in the face of queries from the ICO,
the SRA and my insurer?”
Question
Where data protection planning is concerned, where might there be
touchpoints with other parts of the Lexcel Standard?
15. Session segment 2: Data protection controls
Answer: Data protection touchpoints with the Lexcel Standard
• Section 1: Strategic planning and business continuity.
• Section 2: Financial controls.
• Section 3: Email, internet usage, social media.
• Section 4: Equality & Diversity, learning & development, role profiles,
recruitment and progression, inductions, cessation of employment,
performance management & whistleblowing.
• Section 5: Compliance plan, risk register, outsourcing, generic risks.
• Section 6: Client care, initial information to the client.
• Section 7: Use of counsel and experts, file closure/ conflict checks.
16. Session segment 2: Data protection controls
Important points to keep in mind
• GDPR is ‘principles’ and ‘outcomes’ based.
• One size does not fit all; beware of templates.
• An ‘IT solution’ is not the solution.
• Organise your GDPR controls on an individual basis.
• Far in excess of 90% of personal data is held electronically.
• Staff are most likely the source of breaches, but also the first defence.
• The vast majority of data breaches are as a result of human error.
17. Session segment 2: Data protection controls
Lexcel 3.1a
Documented requirements of a Data Protection Officer (‘DPO’) but still
expected of any Data Protection Lead/Manager:
• Ensure and monitor compliance with GDPR.
• Provide advice and guidance to colleagues.
• Training and awareness raising.
• Conduct audits.
• Provide advice around Data Privacy Impact Assessments.
• Co-operate with the ICO (or relevant Supervisory Authority).
• Must not be conflicted with other roles [in the firm]. (Article 38(6)).
• Keep your information up to date; client care letters and website.
18. Session segment 2: Data protection controls
19. Session segment 2: Data protection controls
3.1b: ‘…keeping appropriate records of processing activities and
additionally, the lawful basis for processing categories of data,…’
• Mapping incomplete in almost 100% of Practices/Departments.
• 29: The average number of hours Practices spend mapping their data.
• Incomplete mapping;
• is contrary to SRA StaRs, Lexcel and Article 30 of the GDPR, and;
• hampers dealing with/mitigation of breaches, and,
• hampers dealing with Data Subject Access Request responses.
• Justification for retention not checked or correct.
• ‘Stashes’ of personal data in staff notebooks not recorded.
How much data does a ‘small high street’ Practice process?
20. Session segment 2: Data protection controls
An effective Article 30 record will include the following for each type of data (along the X axis):
• An identifier/unique reference/name
• A description of the data
• Why it is being processed
• The legal basis for processing the data
• Is it ‘sensitive’ (Article 9)?
• The date collected and created
• Where and how the data is held (including locally and globally)
• The format (e.g. word document, notebook, emails, CMS entry, diary)
• The volume of the data
• The frequency it is to be updated
• The date it was last modified
• The status of the data and risk level
• The author
• The users’ rights (view, copy, redistribute)
• Internal and external sharing permissions
• Retention period
• Destruction date, and
• Date disposed
21. Session segment 2: Data protection controls
Be clear as to why you are processing and on what legal basis
(Down the Y Axis)
• Marketing and promotional plans, databases and resources.
• Business/strategic/referral relationships (eg. estate agents).
• Payroll, recruitment (successful and unsuccessful and prospective and past)
appraisals, training records, next of kin, disciplinary matters, E&D, pensions,
diet/intolerances/healthcare, disability.
• Archiving, cost drafting, shredding. Registers of counsel and experts. Third
party witnesses and reports. IT/technology. Cleaners. Contractors.
• Current clients. Prospective clients. Archived matters. Case management
system. Complaints records. Undertaking records. Billing. Opponents or ‘other
side’. Beneficiaries.
22. Session segment 2: Data protection controls
Bear in mind
• ‘Legitimate Interests’ is only rarely applicable or limited in its appropriateness.
• You will need to have conducted a LIA to justify the use of LI versus any
other legal basis.
• Example: Live conveyancing matters have at least three different types and
reasons for processing.
• ‘Staff/HR data’ has multiple types; with different retention periods, permissions
and controls.
• You must know where all data is held at all times; no surprises!
23. Session segment 2: Data protection controls
24. Session segment 2: Data protection controls
Lexcel 3.1b (achieving an appropriate Article 30 record)
SRA StaR 2.1: “You have effective governance structures, arrangements,
systems and controls in place that ensure: (a) you comply with all
the SRA's regulatory arrangements, as well as with other regulatory and
legislative requirements, which apply to you;…”
SRA StaR 2.2: “You keep and maintain records to demonstrate compliance…”
• Be clear on the purposes and legal basis for processing.
• Know where ALL of it is kept.
• Know who has access to it.
• Know how long you will keep it.
Lexcel 3.1c: Handling Data Subject Access Requests (‘DSAR’)
SRA StaR: 3.6: “You ensure that the individuals you manage are competent to
carry out their role, and keep their professional knowledge and skills, as well as
understanding of their legal, ethical and regulatory obligations, up to date.”
• DSARs cannot usually be charged for and do not have to be in writing.
• Be alert! A DSAR can come in multiple guises, including: email, phone call, text
message, in person, in writing, etc.
• Be aware! Many such requests will not include the language ‘Data’ or ‘Subject’ or
‘Access’ or ‘Request’.
• Ask questions! If in any doubt, speak to your supervisor.
• Act fast! Report the DSAR to the Data Protection Lead without delay so that they
can make necessary decisions.
• The firm must deal with DSARs within 30 days. (Check spam email.)
25. Session segment 2: Data protection controls
Lexcel 3.1f: Data Protection Impact Assessments (data protection by
design and default)
SRA StaR 2.5: “You identify, monitor and manage all material risks to your
business…”
• DPIA: Intended to chart the risk to data caused by processing activities.
• Outright absence of procedures in some cases, or;
• reliance on outdated template procedures.
• No procedure, no DPIA: none will be conducted even when one is, in fact, merited.
• When a CMS is changed, a DPIA is going to be required.
• Some CMS providers offering ‘pre-packaged’ DPIAs. (Yes; really!)
• Potential for significant risk; without a leg to stand on if things go wrong.
• Article 35(7) of the GDPR sets out what ‘shall’ be included in a DPIA.
26. Session segment 2: Data protection controls
27. Lexcel Masterclass
Comfort break
28. Lexcel Masterclass
Session segment 3 Application of SRA ‘StaRs’
StaRs in your existing Lexcel framework
• Undertakings procedure (1.3)
• Equality and diversity policy: 1.5 publishing diversity data; 6th principle
• Financial management procedure: 2.4 monitor the financial stability of your firm and report to the SRA (3.6)
• Risk management: 2.5 identify & manage material risks
• Development: 3.1 keep up-to-date; 4.2 providing a competent service; 4.3 ensure managers and employees are competent
• Whistleblowing policy: 3.11 & 3.12
• Managing instructions: 4.1 client instructions; 4.4 supervise client matters
• Client care policy (broad): 4.2 competent service; 6.3 confidentiality; 7.1(b) referrals; ethics (not covered by Lexcel)
• Generic risks: 2.5 identifying material risks to the business
• Billing clients and handling financial transactions: 5.1 accounting for financial benefit; safeguard money and assets from clients and others
• Conflicts: 6.1, 6.2, 6.5, 7.1(c)
• Policies and reviews: 2.1, 2.2 & 2.3 effective systems, controls & records
• Management structure and accountability: 2.1 effective structures and systems in place; 8.1, 9.1, 9.2 managers, COLPs & COFA responsibilities
• Informing the client in writing: 6.4 all material info; 7.1(c) clear info; 8.10 & 8.11 how you are regulated
• Costs info (8.7)
• Website policy: 7.1(c) ensure your publicity is not misleading
• Strategic plan: 7.1(c) marketing your services
• GDPR: 3.1 keep up to date with the law governing the way you work; 2.1 effective systems to comply with regulatory and legislative requirements
• Outsourced activities: 2.3 remain accountable; 3.3 ensure SRA can inspect
• Supervision and file reviews: 4.4
• Complaints: 3.2 cooperate with regulators; 7.1(c) complaints
• Accept or decline instructions (4.1)
• Matter progress: 4.2 service is delivered in a timely manner; 7.1(c) costs info
Diagram section labels: Structure and strategy; Financial Management; Information Management; People Management; Risk Management; Client Care; File & Case Management
29. Session segment 3: Application of SRA ‘StaRs’
The Code of Conduct for firms requires:
8.4: “You ensure that when clients have made a complaint to you, if this has not been resolved to the client’s satisfaction within 8 weeks following the making of a complaint they are informed, in writing:
a) of any right they have to complain to the Legal Ombudsman … the time frame for doing so and … how to contact […]; and
b) If a complaint has been brought and your complaints procedure has been exhausted:
i. That you cannot settle the complaint;
ii. The name and website address of an alternative dispute resolution approved body which would be competent to deal with the complaint; and
iii. Whether you agree to use the scheme operated by that body.”
The Lexcel standard v6.1 requires:
6.5: “Practices must operate a written complaints handling procedure, including: […]
e) Once a complaint has been made, the person complaining is informed in writing:
I. How the complaint will be handled; and
II. In what time they will be given an initial and/or substantive response…”
Lexcel 6.5: Complaints procedures
30. Session segment 3: Application of SRA ‘StaRs’
Follow through the touchpoints 8.4 of the SRA Code for Solicitors and 6.5 Lexcel standard v6.1: complaints handling
Complaints
Finance
• Bill disputed
Information management
• Data protection
• Website
• Review of complaints policy
People
• E&D complaints
• L&D for complaints Partner
• L&D for all staff
Risk Management
• Risk register
• Complaints re outsourced providers
• New enquiries
• File reviews and supervision
• Inactivity
• Closing risk assessment
• Risk review – complaints trends and client feedback
• Deadlines to respond to complaints
• LeO updates
Client care
• Policy
• Retainer letter / CCL
• Regular costs information
• Complaints policy
• Client satisfaction policy
File & Case management
• Matter progress
• File closing procedures
31. Session segment 3: Application of SRA ‘StaRs’
The Code of Conduct for Solicitors, RELs and RFLs requires:
3.5: “Where you supervise or manage others providing legal services:
(a) You remain accountable for the work carried out through them; and
(b) You effectively supervise work being done for clients.”
3.6: “You ensure that the individuals you manage are competent to carry out their role, and keep their professional knowledge and skills, as well as understanding of their legal, ethical and regulatory obligations, up to date.”
The Lexcel standard v6.1 requires:
5.9: “Practices must have a procedure to ensure that all personnel [...] are actively supervised. Such procedures must include…”
4.8: “Practices must have a performance management policy, which must include:
a. the practice’s approach to performance management
b. performance review periods and timescales.”
Risk management; Supervision
32. Session segment 3: Application of SRA ‘StaRs’
The Code of Conduct for firms requires:
3.11: “You do not attempt to prevent anyone from providing information to the SRA or any other body exercising regulatory, supervisory, investigatory or prosecutory functions in the public interest.”
3.12: “You do not subject any person to detrimental treatment for making or proposing to make a report or providing, or proposing to provide, information based on a reasonably held belief […] irrespective of whether the SRA or another approved regulator subsequently investigates or takes any action…”
The Lexcel standard v6.1 requires:
4.9: “Practices must have a whistleblowing policy.”
Reporting to the regulator
33. Session segment 3: Application of SRA ‘StaRs’
The Code of Conduct for Solicitors, RELs and RFLs requires:
3.2: “You ensure that the service you provide to clients is competent and delivered in a timely manner.”
3.3: “You maintain your competence to carry out your role and keep your professional knowledge and skills up to date.”
7.1: “You keep up to date with and follow the law and regulation governing the way you work.”
The Lexcel standard v6.1 requires:
4.3: “Practices must have a learning and development policy, which must include:
a. Ensuring the appropriate training is provided to personnel with the practice
b. Ensuring that all supervisors and managers receive appropriate training
c. Evaluate training.
d. A learning and development plan for all personnel.”
Please also note the following training requirements: 4.2 d: “on equality and diversity requirements”, 5.8 b: “to identify conflicts.”, 3.1 e: “regular data protection training.”, 3.2 i: “on information security.”
Training and development
34. Session segment 3: Application of SRA ‘StaRs’
Training
Learning & development
• 4.3 Lexcel v6.1 - Appropriate training provided to personnel.
• All supervisors and managers receive appropriate training.
• A learning and development plan for all personnel.
SRA Code of conduct
• Maintain competence and keep up to date (all employees)
• Specific roles (COLP, COFA, Complaints partner)
Induction
• 4.6 Lexcel v6.1 - "appropriate induction for all personnel, including those transferring roles… and must cover: a) the management structure and the individual's responsibilities… c) immediate training requirements"
Lists of work the practice will and will not undertake
Managing high risk matters
Generic risks & causes of claims associated with areas of work
• 5.5 Lexcel
• 5.4 Lexcel
• 5.6 Lexcel
GDPR
• 3.1 (e) Lexcel v6.1 - "regular data protection training for all staff."
Information management & security
• 3.2 (i) Lexcel v6.1 - "training for personnel on information security"
Equality & Diversity
• 4.2 (d) Lexcel v6.1 - "training of all personnel on compliance with equality and diversity requirements"
Conflicts
• 5.8 (b) Lexcel v6.1 - "training for all relevant personnel to identify conflicts"
• NEW in StaRs – identify who you are acting for.
AML
• 5.13 (e) Lexcel v6.1 - "a plan for the training of personnel."
What learning and development to be provided under StaRs and Lexcel
35. Session segment 3: Application of SRA ‘StaRs’
36. Lexcel Masterclass
Session segment 4 AML and financial crime
Lexcel 5.13: AML
a) a documented risk assessment that identifies and assesses the risks of money
laundering and terrorist financing to which the practice is subject
SRA StaR 2.5: “You identify, monitor and manage all material risks to your
business…”
• Completion of the Regulation 18 Risk Assessment.
• A detailed breakdown of risks and controls across the firm (very helpful).
• Review of risk data (Lexcel 5.18) to inform and test systems.
• Reports. Breaches. Near misses.
• Identify associated controls set out in the Risk Register (Lexcel 5.1b).
• Consider monitoring through file reviews (Lexcel 5.11).
37. Session segment 4: AML and financial crime
Lexcel 5.13: AML (continued)
h) where appropriate with regard to the size and nature of the practice:
ii) carry out screening of relevant employees
See Page 33 of the Legal Sector Affinity Group AML guidance:
Screening relevant employees prior to and during the course of their
employment in relation to their skills and knowledge and their conduct and
integrity.
SRA StaR: 3.6: “You ensure that the individuals you manage are competent to
carry out their role, and keep their professional knowledge and skills, as well as
understanding of their legal, ethical and regulatory obligations, up to date.”
38. Session segment 4: AML and financial crime
Lexcel 5.13: AML (continued)
h) where appropriate with regard to the size and nature of the practice:
iii) establish an independent audit function to evaluate, monitor
compliance with and improve the effectiveness of the practice’s AML
policies, controls and procedures
• Does not have to be external to the practice but must be independent of the
specific function being reviewed.
• You should take a risk-based approach to determining how frequently an
independent audit should take place.
• An independent audit will not necessarily need to be carried out annually,
but should occur following material changes to your risk assessment.
• Monitoring outcomes of annual risk data analysis (Lexcel 5.18).
39. Session segment 4: AML and financial crime
Lexcel 5.13: AML (continued)
h(iv) Otherwise, practices must document why 5.13h (i-iii) are not appropriate.
SRA StaR 2.2: “You keep and maintain records to demonstrate compliance…”
• Consider the outcome of the documented firm-wide risk assessment (Lexcel
5.13a)
SRA StaR 3.1: “You keep up to date with and follow the law and regulation
governing the way you work.”
• Consider outcomes of annual risk data analysis (Lexcel 5.18).
• Keep the situation under review and document consideration.
40. Session segment 4: AML and financial crime
41. Lexcel Masterclass
Session segment 5 Q&A and closing remarks
Presenter: Neil Partridge
LinkedIn: https://uk.linkedin.com/in/neilpartridge
Email: [email protected]
Telephone: +44 (0) 1372 879343
Download a copy of this deck at:
www.pda-legal.co.uk/lexcel-re-mar2020
Thank you for your participation