Protecting client money

Why this risk matters

  • Most firms hold money for clients in a pooled client account. Protecting that money is one of the most basic duties of a solicitor.
  • If staff have access to client money, then it is very important to supervise them appropriately. This should involve limiting access to client money only to those who need it. We see cases where employees of firms have misused money without their employer knowing.
  • We also see cases where poor systems and controls have led to client money being misappropriated by third parties.

Trends

  • We receive on average 43 reports of misappropriated client money each quarter. This represents a decline from a peak of 54 reports at the start of 2016
  • Email modification fraud, commonly known as “Friday Afternoon fraud” often targets conveyancing funds:
    • This fraud happens when criminals impersonate a genuine person who is going through a property transaction. They do this by breaking into that individual’s email system or forging emails from it.
    • The criminals then contact the solicitor using the stolen or falsified address, and ask for their bank account details to be changed. The solicitor accepts the change of details and sends client money to the criminal’s account.
    • We also see cases where the criminal impersonates the law firm and tells the client that the firm has new bank details. In these cases, the client sends the deposit and other monies to the fraudster’s bank account.
  • Over the last year, solicitors have reported to us over £12m of client money stolen by cybercriminals.

Actions

  • Firms that hold client money need to have appropriate systems and controls to protect that money and to comply with the SRA Accounts Rules. They must be able to monitor how well these systems are working. Steps that they can take include:
    • appropriate vetting, supervision and training of staff
    • good accounts management and audit
    • appropriate controls on the client account, including who can access it, when and how.
    • Any firm dealing with client money needs to be aware of email modification fraud, and to have a system to manage this risk. This can include:
      • exchanging bank details with the client and any third parties at the start of the transaction, including the other party’s conveyancer, and being clear that this will not change under any circumstances
      • training staff to be aware of any email received that asks to change bank details, and to verify this by telephone to a previously known number.
      • taking care to protect client information as such details can be used by criminals to identify targets.
      • considering using systems such as Lawyer Checker to verify that what is described as the contact or bank information for a third party law firm is genuine.
  • Firms need to report any case of stolen client money to us, even if the money has been replaced.
  • Where solicitors and firms report the loss of client money to crimes such as email modification fraud, we will respond proportionately. Where we have taken action against firms in such cases, it has been because they
    • did not have suitable systems to protect against crime
    • did not replace lost money promptly
    • did not report matters promptly.
  • Firms who knowingly misuse their clients’ money are likely to be referred to the Solicitors Disciplinary Tribunal.
  • When we learn about criminal activities or frauds targeting those we regulate, we issue scam alerts on our website to warn the public and law firms about known threats and to help them recognise patterns.

Further information