Client identification – are inadequate safeguards exposing your firm?

As obligations increase for law firms to manage the risk of a client ID ‘failure’, it is crucial that they take all possible steps to improve their safeguards, writes Ronwyn North.

Verifying a client’s identity is becoming increasingly important for law firms and is a business risk that must be managed.

It is unusual for the identity of a lawyer’s client to be completely unknown. Lawyers almost always need to know something about ‘who is the client’ in order to provide sound advice; take legal action in the correct name; and know to whom they owe professional duties, or who to sue for unpaid fees and so on.

However, a number of factors are driving increasingly rigorous client ID requirements and raising the stakes for lawyers if ID processes are inadequate or fail. These factors include:

• social elements – such as a more multicultural society in which the seemingly simple question of ‘What is your name?’ can have a complex answer;
• relationship aspects – whereby more complex networks of personal, corporate and business alliances make it harder to know or decide ‘who is the client’, particularly in the context of retainers and conflicts of interest;
• rising identity fraud – with growing opportunities for such fraud and related cybercrime being perpetrated by or against clients of a law practice, or against the law practice itself;
• new laws – whereby client ID factors such as residential status have an impact on the conduct of legal matters (e.g. requirements for Foreign Investment Review Board approvals, foreign resident capital gains withholding tax, and Office of State Revenue NSW foreign purchaser stamp duty surcharge);
• tougher legislative ID requirements – this is aimed at clamping down on identity fraud, money laundering and financing of terrorism and tax evasion (in some cases triggered at least in part by the perception, if not reality, that lawyers are facilitating illegal activities either by turning a blind eye to the client’s illegal activities or being too naïve to realise they are being used); and
• anti-money laundering laws – with the acceleration of the application of Tranch 2 anti-money laundering laws in New Zealand (and rumblings that Australia will follow suit) in the aftermath of the leaking of the Panama Papers implicating lawyers to the facilitation of tax evasion, among other things.

So it is apparent that the stakes are high with client ID – get it wrong and law firms and lawyers risk not getting paid, breaching the law or being exposed to the fallout from crime and terrorism.

Three levels of ID  

How can law firms reduce such exposure? It starts with ‘client identification’. This is often spoken of as if it is a single process, but it can be helpful to think of client ID as having three distinct streams or levels of inquiry:

1. (ID) Bare identification where the question is “Who do you say you are?”

2. (VOI) Verification or authentication of identity where the question is “Am I satisfied that you are who you say you are?”

3. (KYC) ‘Know your client’ or screening for client risk factors where the question is “Even if you are who you say you are, am I satisfied you are an acceptable risk?”

Each level of inquiry has its own area of focus and risks as set out in the table below (please click on PDF link).

Table1

Assessing the effectiveness of your approach

No ID process can be guaranteed to be 100 per cent effective against a determined and skilful fraudster, but a law practice will be well positioned to defend itself against professional negligence claims involving ID issues or breaches of ID protocols if it can show that it took reasonable steps or specified steps to ID the client.

However, approaches to client ID vary markedly between firms with regard to their identification of ID risks, the implementation of controls and how far they go to check that controls work. Consider the following examples.

• Some law practices take a one-size-fits-all approach to ID risks, while others take a risk-based approach and allow for variations between principals, practice areas or geographic locations.
• Some firms take a minimalist approach, doing basic checks and verification only if and when legally required, while others go all out with full verification and KYC processes. In a small firm, an ID process may take minutes. In a large global law practice, VOI and KYC clearances can take one or two weeks.
• Some firms trust lawyers and staff to follow policy and procedure and are slow to change or improve their approaches, while others have quality-assurance measures to ensure that what should happen does happen and proactively look for opportunities to do things better.

For many law practices, a driver’s licence is the lynchpin of ID processes and provides a useful illustration of how to assess the effectiveness of ID processes more generally.

Where do you fit on this table?

The table below summarises some of the common actions of lawyers in relation to client ID. Make an honest assessment of which actions reflect you or your firm (please click on PDF link).

Table2

Running your eye down the above table should allow you to form a view about the likely effectiveness of the client identification processes in your practice. You may have decided that you have nothing to worry about and your processes are well matched to the risks you face, but at least you have peace of mind.

On the other hand, there may be things that worry you about your law practice’s approach and, if this is the case, then do not just worry; do something! Effective action to identify and assess the real risks, strengthen safeguards or check that the safeguards you think are in place are, in fact, in place will be rewarding.

Appropriate action could well save your firm from the risk of not being paid or, more importantly, being caught up in some kind of legal breach.

Safe practice!

Ronwyn North is the managing director of Streeton Consulting and a qualified lawyer who specialises in consulting to the legal profession on practice management issues, including risk management. She can be contacted at rjnorth@streetonconsulting.com.au.

For more on this topic, click here to see ‘Risk management: Is identity fraud on your radar’ in a past edition of ALMJ.