The importance of the in-house compliance function in a law firm

September 1st, 2019

This article aims, firstly, to highlight the importance of the broad compliance environment in which law firms – as business entities – operate and, secondly, to make the argument that a compliance plan must be developed and applied in every law firm for which a dedicated resource should be appointed.

An often repeated adage goes along the lines of ‘a man who is his own lawyer, has a fool for a client’. The prudence in obtaining independent external legal advice, when faced with legal challenges, cannot be overemphasised. However, the adage may not always be apposite where the legal questions facing a legal practice are of a compliance or governance nature. In such instances, the legal practitioners in the firm, with their understanding of the nature, structure, size, and operating environment of the firm are best placed to scan the compliance landscape and to develop a compliance plan. The duties in respect of compliance ultimately lie with the partners. The compliance requirements facing law firms have their origin in the legal and regulatory environment in which the law firm operates.

Often, legal practitioners are called on to identify and interpret the compliance obligations for themselves and that has its own inherent disadvantages, including a possible lack of objectivity and an underlying need to protect one’s turf.

The compliance universe in which a law firm operates includes the general compliance landscape applicable to any other business enterprise. Certain compliance obligations are unique to law firms, for example, the requirements applicable to the management of trust funds. General compliance and governance in legal practices cover an area that is too wide to cover exhaustively in this article.

The complex compliance framework

The compliance obligations for commercial business entities in general have seen a sharp increase in the last two decades as the various regulatory authorities have sought to address a number of matters, including –

  • the protection of consumers;
  • combating financial crime;
  • addressing the risks emanating from the general financial crisis; and
  • addressing the gaps identified in the regulation of certain professions.

The compliance landscape for legal practitioners in South Africa (SA) has also undergone significant changes in this period, most notably with the implementation of the Legal Practice Act 28 of 2014 (the LPA), the Rules and the Code of Conduct for all Legal Practitioners, Candidate Legal Practitioners and Juristic Entities (the Code) promulgated in terms of the Act, the Companies Act 71 of 2008, the Financial Intelligence Centre Act 38 of 2001 (FICA) and the Financial Advisory and Intermediary Services Act 37 of 2002 (the FAIS Act). The LPA introduced significant changes for the regulation of the legal profession in SA. The Companies Act affects commercial juristic entities established to conduct legal practices, with the FAIS Act applying to those legal practices providing financial advisory and/or intermediary services, while FICA applies to all legal practices as accountable institutions. Legal practitioners are also obliged to comply with other pieces of legislation such as the Prevention of Organised Crime Act 121 of 1998 and to have regard to the implications of the Protection of Personal Information Act 4 of 2013 (POPI) in preparation for its scheduled implementation. The complex compliance web includes –

  • the various statutes;
  • the common law;
  • the principles of ethical conduct espoused by the jurisprudence emanating from court judgments delivered over time; and
  • for those firms whose services include foreign clients, the obligations imposed by international instruments, such as the European Union’s General Data Protection Regulation (GDPR).

There have been several articles written on the impact of the data protection obligations of the legal profession arising from the provisions of POPI and the GDPR. Statutes that do not receive as much general media coverage also impose obligations on law firms pursuing practice in areas falling within the relevant statutory ambit. For example, s 3.3 of the PFA Guidance Note No 6 of 2018 issued in terms of the Pension Funds Act 24 of 1956 prescribes that, where the recovery of arrear contributions from an employer is outsourced to a legal practitioner, the agreement entered into between the pension fund and the attorney must at least provide that –

  • any amount recovered by the attorney must be transmitted into the pension fund’s bank account within seven business days of receipt; and
  • the defaulting employer must provide the relevant contribution statement as required in terms of s 13A(2)(a) and reg 33(1) of the Pension Funds Act, together with the outstanding contributions.

This is an example of a compliance obligation prescribed to form part of the terms of the mandate granted to a legal practitioner imposing an obligation on the legal practitioner (the obligation to pay the funds within the prescribed period) and also specifying that the mandate granted to the legal practitioner must make provision for the obligations of the defaulting employer. The latter will, in the ordinary course, not be party to the agreement between the legal practitioner and the pension fund, and yet the requirement is that the obligations of the defaulting employer (a third party) are included in the mandate. It is unclear how the legal practitioner will be expected to ensure compliance with this obligation by a party who is not party to the agreement.

The compliance obligations imposed by certain pieces of legislation (such as the FAIS Act) prescribe that the regulated entities must appoint a compliance officer. In certain industries the regulated entities have had to increase the capacities of their respective compliance resources in order to meet the applicable requirements. Increased compliance obligations may result in a commensurate increase in the operating costs.

The complex compliance environment has created some upside risks for the legal profession in that providing compliance advice and support has become a lucrative area of practice, as there is an increased need for legal and other specialist professional services to assess the impact of the compliance obligations for their clients and to provide advice on how the compliance obligations are to be met. The flip side is that there is also a downside risk associated with the increased compliance requirements in that legal practitioners now have a myriad of compliance obligations to meet in their own practices. In some instances, meeting the compliance obligations has placed additional strain on the (often limited) financial and human resources in practices, particularly smaller practices. Some legal practitioners have, colloquially, raised a concern that the increased compliance requirements may create an additional barrier for new legal practitioners wishing to enter practice or suggested that the financial burden of (and time dedicated to) compliance may be the reason that some legal practitioners cease practising. I am not aware of any comprehensive study carried out in this regard where the effect of increased compliance requirements has been studied and empirical evidence examined in order to assess how, and to what extent, the decision to enter or exit practice is affected by the compliance obligations on law firms.

The impact and perception of the three related concepts of governance, risk and compliance have been assessed in a number of reports, including those produced by PWC (‘Being a smarter risk taker through digital transformation’, accessed on 22-7-2019) and Aon (‘Managing Risk: How to Maximize Performance in Volatile Times’, accessed on 22-7-2019). It will be noted from the Aon report that the risk associated with changes to the regulatory or legislative environment is only partially insurable.

Some of the compliance challenges for law firms

Compliance obligations cut across every area of operation in a legal practice. Writing on the attorney’s trust accounting environment in the United States, Dr Rick Kabra (‘Top 10 Compliance Challenges for Law Firms’, accessed on 22-7-2019) lists the top ten challenges for law firms as:

  • lack of trust specific knowledge and rules;
  • limited resources of small firms;
  • manual systems;
  • commingled trust funds;
  • trust ledger overdrafts;
  • absence of safeguards to prevent common trust mistakes;
  • uncleared funds not addressed;
  • sloppy bank reconciliation;
  • separate billing and accounting systems; and
  • lack of controls and data protection.

The ten challenges listed by Dr Kabra would also apply in the South African environment.

In larger law firms and those with adequate financial resources, a specialist dedicated compliance resource may be employed. Smaller firms will not have such capacity and the compliance function may be delegated to one of the legal practitioners as part of their other duties. Sole practitioners, in particular, are at risk as the single practitioner will be responsible for compliance as part of all the other functions carried out in the firm and when providing legal services to clients. No matter the size or structure of the legal practice, ultimately the responsibility for compliance resides with the partners/directors jointly.

In the trust accounting environment, for example, legal practitioners have a responsibility to study and apply the applicable rules. For example, r 54.14.7 is of particular importance and it provides that:

‘54.14.7 A firm shall ensure:

Internal controls

that adequate internal controls are implemented to ensure compliance with these rules and to ensure that trust funds are safeguarded; and in particular to ensure –

  • that the design of the internal controls is appropriate to address identified risks;
  • that the internal controls have been implemented as designed;
  • that the internal controls which have been implemented operate effectively throughout the period;
  • that the effective operation of the internal controls is monitored regularly by designated persons in the firm having the appropriate authority’.

Essentially, compliance with r 54.14.7 requires –

  • the conduct of an assessment to identify the applicable risks;
  • the designing and implementing of appropriate internal controls to address the identified risks;
  • the constant monitoring of the implementation and effectiveness of the internal controls in order to ensure that they adequately meet their intended avoidance and/or mitigation of the identified risks at all times; and
  • designating a person or persons with appropriate authority (which will be a senior person in the practice) to monitor the effective operation of the internal controls.

The compliance obligations in respect of trust accounts are much more than those set out in r 54.14.7.

Some suggestions for a compliance plan

In developing a compliance plan, a law firm may consider a number of tools including:

  • A monitoring mechanism: Compliance by the firm with its compliance obligations can be monitored by the audit function. An assessment of the compliance function can be included as part of the scope of the internal audit carried out in the firm as part of its internal control measures. This will ensure that any breaches in the compliance obligations are identified at an early stage and that appropriate corrective measures can then be implemented. The danger of self-review must, however, always be borne in mind even where the services of an outside resource such as an auditor are engaged. The party/entity conducting the compliance function should not be the same party providing the review.
  • Regular training for all staff on the compliance obligations of the firm: It is hoped that, going forward, the training programme for legal practitioners (both pre-admission and in the future continuing professional development programme) will include a component of compliance training.
  • Embedding the compliance obligations in all areas of operation of the firm: Meeting compliance obligations should not be viewed as a mere tick box exercise. Non-compliance by a legal practice with the applicable compliance obligations will lead to regulatory action and, in certain instances, criminal prosecutions. Compliance must be part of every area of operation in the legal practice and should be instilled in all staff at all levels of operation – from the most senior partners to support staff.
  • The development of a compliance checklist: A list of all the compliance obligations of the firm can be created with the timelines for action documented thereon together with the names of the responsible person/s.
  • The purchase of appropriate insurance cover such as Directors’ and Officers’ liability cover: The purchase of insurance cover is a risk transfer measure.
  • Drawing up a statutory compliance checklist: The main pieces of legislation applying to the firm can be listed together with a summary of the obligations imposed by each piece of legislation and a timeline for when such obligations are due to be performed and by whom.
  • Obtaining specialist advice on the compliance obligations of the firm and, if necessary, engaging an external specialist compliance service provider.

Remember that in the event of a breach of any of the statutory compliance obligations, ignorance of the law will not be an excuse.

Thomas Harban BA LLB (Wits) is the General Manager of the Legal Practitioners’ Indemnity Insurance Fund NPC in Centurion.

This article was first published in De Rebus in 2019 (September) DR 10.
