When is a tick-box not a tick-box?
3Kites' new consultant, Ben Johnson, shares his experiences of navigating regulatory compliance and using technology to help… not hinder.
Over the past 14 years I have worked in the Risk and Compliance field. I have navigated my way through two changes of Solicitors Regulation Authority (SRA) regulation. First, the arrival of ‘outcomes focused’ regulation with the joys of principles, outcomes and indicative behaviours and more recently the slimmed down standards and regulations.
In parallel there have been (at least) two major changes in the anti-money laundering (AML)/counter-terrorist financing regulations. These changes have usually meant that compliance systems needed to be updated, often on a short timeline and with limited resources within already stretched compliance and IT teams.
The quick ‘temporary’ solution (or sticking plaster!) is, perhaps, a new form or workflow loop added to the existing system – but how often do firms find time to come back and rationalise the whole process and endure the pain of ripping off all these individual sticking plasters?
This is particularly the case with client and matter inception. HM Treasury has finally approved the Legal Sector Affinity Group (LSAG) AML guidance over the summer which perhaps now gives us a solid base to consider circling back to the sticking plasters.
The LSAG Guidance can be very frustrating as it often says that situation X may be regarded as higher risk but not all situations X will be high risk. For example: ‘A new business in any sector that presents significant financial barriers to entry ... should be considered as potentially higher risk’ but ‘For the avoidance of doubt, a sector is not necessarily high risk simply because it has significant financial costs to entry’.
The whole rationale of the regulatory regime and the guidance is about applying the risk-based approach and applying multiple risk factors holistically.
There is good news though when the LSAG accepts that: 'It is not expected that a practice seeks to eradicate all financial crime risk.' Instead, the emphasis is on maintaining comprehensive and documented firm risk assessments and client/matter assessments combined with written records of decisions made on individual clients and matters that will enable the firm to justify its decisions and actions to law enforcement and the SRA.
Consequently, the drive for many onboarding processes is to gather information and document the decision processes. Workflows, checklists, risk factors and decisions proliferate. Fantastic.
Then the spectre of the magic words from the LSAG Guidance – ‘make sure that the use of a template does not lead to a tick-box exercise’ – comes back to haunt you.
There is always a danger that the best crafted process can become ‘tick box’ in practice. How many people (including lawyers) do you know who blithely tick acceptance of terms and conditions when purchasing items online without reading them? They are taking a risk… then they rationalise this by saying: “What are the chances of the terms being relevant? Are the terms negotiable? What happens if I don’t tick the box? Surely someone else will have read them and made sure they are fair?”
‘Tick box mentality’
Whilst ticking the box is an entirely human response, none of those justifications will hold water with a regulator.
For compliance processes, some factors that risk a ‘tick box mentality’ emerging might include processes where:
- important information is swamped by incidental chaff;
- key choices are in a long list of irrelevant or ‘niche’ choices;
- decision-makers do not understand the value they are adding to the decision;
- those inputting the information are not the ones best placed to know the information;
- the information entered is never seen again, never audited/checked and is not reported on;
- there appears to be no consequence to making the decision; or
- there is a perceived disincentive to making the ‘higher risk’ or difficult decision.
The key in design of a process is to challenge every input and make sure it is timely, relevant and known. Try to guard against asking people (especially lawyers) for information when they either don’t know yet (at inception) or no longer care (after closing of the matter) as it’s very hard to get accurate information or engagement with the process when it is mistimed or directed at the wrong people.
Bring important information upfront and get the key decision taken by the right people. Tailor drop-down lists as best you can. Use negative controls (such as preventing access to time recording, document management or billing systems) selectively – so that less critical information is gathered later in the process prompted by a later control. For example, some financial data, marketing data or ‘knowledge’ content could be deferred to the time of first billing, rather than asking for it upfront.
Whilst this can reduce the risk of creating a ‘tick box mentality’, there will always be some who have not embraced your compliance culture. Taming them is probably beyond even the best designed process. However, making sure that you have an efficient, user-friendly escalation process that helps the compliance team resolve the harder cases is absolutely key.
Considering the process from the busy lawyer’s perspective is also vital so you design to facilitate ease of access and compliance rather than create unnecessary obstacles.
At 3Kites we have a breadth of relevant experience that enables us to methodically analyse processes, challenge the accepted norms and allow firms to rationalise and make informed decisions on how to build the process best suited to them.
Ben Johnson is a director of 3Kites. This is the 12th article in the series Navigating Legaltech
About 3Kites and Kemp IT Law
3Kites is an independent consultancy, which is to say that we have no ties or arrangements with any suppliers so that we can provide our clients with unfettered advice. We have been operating since 2006 and our consultants include former law firm partners (one a managing partner), a GC, two law firm IT Directors and an owner of a practice management company. This blend of skills and experience puts us in a unique position when providing advice on IT strategy, fractional IT management, knowledge management, product selections, process review (including the legal process) and more besides. 3Kites often works closely with Kemp IT Law (KITL), a boutique law firm offering its clients advice on IT services and related areas such as GDPR. Where relevant (eg when discussing cloud computing in a future article) this column may include content from the team at KITL to provide readers with a broader perspective including any regulatory considerations.