Compliance for law firms may sound boring, but it is not!
Updated: Nov 3, 2020
In 2018 I retired as Co-General Counsel, so it may be timely for me to give a few reflections on compliance best practices. I was GC at Ashurst, an international corporate law firm with offices in sixteen jurisdictions. Thus my perspective has been framed by a globalised/international approach, but I think that many of the core issues and strategies are applicable to other types of law firms with a different profile and/or a different client base.
A notable trend in law firm management since 2000 has been the development of law firms instituting their own internal General Counsel, Compliance and Risk Management functions. This has primarily been prompted by self-interest, in acknowledgement of the size and complexity of modern law firm enterprises. It has also been prompted by client and regulator pressure and requirements. Whether or not firms have a self-standing Compliance and GC function depends on many factors. These include size, turnover, complexity, areas of practice, geographical spread and so forth. Even if a firm does not yet have these as separate functions, some partners or managers will nonetheless have the relevant responsibilities, and many of my following comments are equally applicable to them.
“Compliance” is a word or concept that is bandied about with flexibility – a bit like “cyber”. It can mean different things to different people. I regard it as a spectrum on which compliance, risk management and governance sit along with many subsets e.g. regulatory compliance, legal compliance, reputation management, ethical practices, strategic alignment, quality assurance and constitutional issues.
Additionally, a firm’s notion of compliance also depends upon the experience and maturity of the firm, including how long it has had compliance processes in a formal sense, how they grew up and so forth. Many firms’ compliance practices have grown in an organic way and may not have been reduced to writing. There is an increasing need to have documented processes and practices to show to regulators and clients.
One of the most important keys to successful compliance is getting a sufficient proportion of the firm, and in particular key opinion formers, to buy in to compliance. Once beyond the tipping point, the rest generally follow. Getting “buy-in” can take time, be influenced by software systems introduced to address the most important needs, and be dependent upon the character and experience of the GC and on the overall ethos of the firm. However, if adequate compliance is to be achieved, “buy-in” is essential.
In international firms, compliance processes should be applied in such a way that there is an appropriate balance between the need to have one global approach to a particular issue (to enhance the “one firm” selling point) and the need to be sensitive towards local office and jurisdiction approaches, laws and regulations. This rarely becomes a big issue but nonetheless needs to be recognised as one and kept under review, so that any variances are known and adequately controlled and do not develop into fissures.
Compliance best practice requires everyone in the firm, lawyer and non-lawyer, to be trained to an appropriate standard. Many issues (e.g. information security and assurance, and data protection) apply to everyone in the firm, whereas some issues are more relevant to particular sectors, e.g. business inception. Not only does initial training have to be given when people join the firm and/or there is new legislation, but there is also a need for periodic updating or refresher training. Best practice involves having a multi-fold approach to training involving many different channels, including face-to-face, e-training, mobile app devices, webinars and so forth. In some areas there is a legal requirement for refresher training (e.g. AML refresher training in the UK), which makes it a little easier, but more generally there is no such legal sanction, so one must rely on the carrot or stick approach.
Client terms and client commitments, often contained in “Outside Counsel Guidelines”, are increasingly important and onerous and introduce new compliance requirements. Before any new terms are entered into or renewed, they should be reviewed by compliance. This is to check that the firm can meet the client requirements, particularly any IT and data security requirements, and to ensure that they do not cut across any other clients’ terms (e.g. conflict requirements) or the firm’s strategic alignment interests. Dissemination of client requirements to the firm’s lawyers and relevant departments, e.g. finance and IT, is a challenge too. There are software systems to help. Another approach is to place the obligation on the client or matter partner to cascade the client requirements to the legal team on a matter.
Of course, one of the greatest current challenges, not only to law firms but to clients worldwide, is the whole issue of data security and protection, which has been put into particularly sharp focus by the General Data Protection Regulation (GDPR) introduced by the EU last year. In this context the Panama Papers and subsequent leaks are also very important. The need for firms to have a much better understanding of both the client data they hold and their own internal data and personal information, and the need for appropriate consents, measures and controls to be applied to that information and data, have created a new sub-set of compliance teams and/or made firms re-evaluate and reconfigure their information and data security groups. It can no longer be left to the Business Development or Marketing function. Given the ubiquity of this issue there is generally less need to get “buy-in”, but nonetheless there may still be an element required, e.g. explaining to partners that it is an opportunity to re-engage with their contacts or clients rather than it being seen as an intrusion. Given the potentially adverse consequences if data is improperly held and/or disclosed, this is an area where refresher training is going to be particularly required.
Whilst firms have to meet relevant legal and regulatory requirements, there is rarely only one particular compliance approach that has to be applied to achieve the outcome. Usually there is flexibility and acknowledgement that the best practice for any one firm needs to take into account the firm’s history, its current standing and experience, and its future development strategy.
Christopher Vigrass has been a London-based partner at Ashurst throughout his professional career. For the last decade he has acted as the firm's General Counsel and Head of Compliance. With his knowledge and experience he is widely considered one of the industry's pioneers in his field.
Today Chris is an independent consultant.