Are you up to date with outsourcing risks?
If the SRA asked, would you be able to demonstrate that your outsourcing arrangements did not compromise your regulatory status, asks Tracey Calvert
The Solicitors Regulation Authority (SRA) has provided us with many clues about its priorities in the last year, including some useful 'risk resources' available on its website. These should be on every compliance officer's reading list.
One of these documents, Silver Linings: cloud computing, law firms and risks, focuses on the risks attached to cloud computing and gives pointers about good and poor practice when storing data offsite. The document is intended to provide additional support in respect of a potential risk which the SRA has identified in its Risk Outlook 2013 and classified as "Lack of due diligence over outsourcing arrangements".
The SRA's thinking in respect of this way of operating can be applied to all outsourcing arrangements which a firm has with third parties. Three main areas of concern have been identified: firstly, risks to confidentiality; secondly, risks of conflicts of interest because large outsourcing operations may also be handling data for other law firms relating to the same matter; and thirdly, financial consequences if the outsource provider goes out of business.
In the early days of outcomes-focused regulation, when the style and priorities of the SRA Handbook were unfamiliar, there was some surprise amongst practitioners about the SRA's expectations in respect of such arrangements. These expectations are tucked away in outcomes (7.9) and (7.10) of the SRA Code of Conduct and it seems timely to revisit these requirements now.
Outcome (7.9) is perhaps the easier of the two outcomes to interpret in that it contains a prohibition on outsourcing reserved legal activities to a person who is not authorised to conduct such activities. Outcome (7.10) is more complicated in that it caters for the situation where you outsource legal activities and operational functions and requires a demonstration that you have met the conditions, or safeguards, contained within the outcome so that you can show that such outsourcing:
• does not adversely affect your ability to comply with, or the SRA's ability to monitor your compliance with, your obligations in the Handbook;
• is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions;
• does not alter your obligations towards your clients; and
• does not cause you to breach the conditions with which you must comply in order to be authorised and to remain.
This requires a consideration of many things. Firstly, what is meant by legal activities and operational functions? A cross-reference with outcome (7.9) shows that this excludes reserved legal activities. The SRA gives more pointers about its meaning in another web-based guide, "OFR at a Glance". It uses this guidance to state: "Legal activities... include the provision of legal advice or assistance, or representation in connection with the application of the law or resolution of legal dispute". Operational functions are perhaps easier to identify.
Some examples of the types of activities which, if outsourced, would require compliance with Outcome (7.10) are as follows:
- activities which would normally be conducted by a paralegal
- initial drafting of contracts
- legal secretarial services - digital dictation to an outsourced secretarial service for word-processing or typing
- proofreading
- research
- document review
- Companies House filing
- due diligence, for example in connection with the purchase of a company
- IT functions which support the delivery of legal activities
- business process outsourcing
The firm's compliance officer for legal practice will need to have evidence to demonstrate compliance with these outcomes. If the SRA asked, would you be able to demonstrate that your outsourcing arrangements did not compromise your regulatory status? Consider the potential for greater risk if using a third party, and be satisfied that you have answers to the following:
• What mechanisms are in place to monitor the reputation of the third party both before you enter into an agreement and during the course of the relationship?
• What do you tell the client about the third party bearing in mind the need to meet outcomes relating to confidentiality?
• Are the service standards which you agree with the third party appropriately rigorous to ensure that you are not breaching the requirement to act in each client's best interests?
• Is client data safe?
• Do you have an appropriate contractual arrangement with the third party?
• Are you confident that the third party understands the relevance of your relationship with the SRA?
Tracey Calvert is a regulatory compliance specialist and the director of Oakalls Consultancy Limited. She is the author of "Conflicts and Confidentiality for Law Firms" and co-author of "OFR: Compliance in Practice" and "COLP & COFA: Compliance in Practice" all published by the Ark Group.
tcalvert@oakallsconsultancy.co.uk