property section workshop: fighting fraud and managing risk - … › uploads › files ›...

Property Section Workshop: Fighting

Fraud and Managing Risk - Cardiff

Wednesday 24th February 2016

The Law Society, Cardiff

Stephen Murray Business Development Director

Who are PSG?

• Experts in search since 1998

• 250 staff across 49 local branches

• Trusted by over 1500 firms every year

• 97% of clients rate our service as good or

excellent

What you might not know!

• Process over 14,000 search instructions every month on average • 1 in 5 residential transactions

• 1 in 10 commercial transactions

• PSG are Executive members of CoPSO

• Stakeholder involvement with the Land Registry

• PSG Financial Services Ltd

What makes us different?

• A Search company first supported by the most up to date technology

• Constantly evolving products and technology • Supporters of training and education

• The Law Society • The SLC • The Conveyancing Association (Affiliate Member) • The LFS Conveyancing Conference & Awards

Please come and have a chat

Thank you

Property Section Workshop: Fighting

Fraud and Managing Risk – Cardiff

Wednesday 24th February 2016

The Law Society, Cardiff,

Peter Rodd,

Senior Partner, Boys & Maughan

Nick Podd,

Associate Consultant in Cyber Security,

Law Society Consulting

Fraud and Risk

1. Mortgage Fraud

2. Consequences of Fraud and Cyber Crime

3. The Regulatory Position

4. What Would it Mean in Practice?

5. Are You Covered By PII?

6. What Are the Risks?

7. How to Protect Your Firm

Mortgage Fraud

Mortgage Fraud hasn’t gone away!

• Two cases involving bogus firms

- Lloyds TSB Bank v Markandan & Uddin

- Nationwide v Davisons

Use the High Court decisions as training aids for all

conveyancing staff – fee earners and support staff.

What were the warning signs they missed?

Warning Signs

• Errors in letterheading.

• No landline telephone number.

• Inconsistent telephone or fax numbers with those usually used by the firm.

• Telephone calls being diverted to a call-back service.

• A firm apparently based in serviced offices.

• Email addresses using generic email accounts.

• Sudden appearance in your locality of a firm with no obvious connection to the

area, probably not interacting with other local firms at all.

• A firm appearing to open a branch office a considerable distance from its head

office for no obvious reason.

• A firm based in one part of the country supposedly having a bank account in

another part of the country.

• A client account apparently overseas.

• A strange or suspicious bank account name e.g the account not being in the name

of the law firm you are supposedly dealing with.

• ANYTHING UNUSUAL.

Mortgage Fraud

• What precautions do you take?

– Find a solicitor

– Lawyer Checker

– Code for completion by post

– Telephone to recheck the bank details

– Make sure that all conveyancers are familiar with and follow the

requirements of the CML handbook – even if there is no mortgage

involved.

Mortgage Fraud

• Sloppy Conveyancing increases the risk

– Be aware of the undertakings in the Code for completion by post

– Be wary of ‘replies to requisitions’ sent with the draft contract

– Make sure all conveyancers have read and are familiar with the Full

Certificate of Title – not just the short version.

http://www.lawsociety.org.uk/support-services/advice/articles/sra-

handbook-and-approved-certificate-of-title/

(from 30th November 2015)

http://www.lawsociety.org.uk/support-services/advice/articles/sra-handbook-and-approved-certificate-of-title/















Risky Transactions

• Lenders’ Four Greatest Concerns:

– Back to back sales

– Sales within 6 months of purchase

– Money passing direct

– Change in price from that in the mortgage offer

Mortgage Fraud

The key message:

• Anything unusual or out of the ordinary should be

regarded as a warning sign.

•Systems need to be in place so that staff know what action to

take in such a situation.

Cyber Crime

Victoria Derbyshire Programme on 7th January reported:

From 1st Jan 2014 to 31st October 2015

91 crimes of that nature

Totalling £10.2m

Average loss of £112,310

How big of a problem is it?

You’ve been scammed!

• What would happen if £500,000 had wrongly been

removed from your client account?

• What action do you need to take?

• Who do you need to talk to?

• What impact would it have on your firm?

• Would you survive?

Adverse Impact on Profits

• Financial Loss

• Reputation – ‘Talk Talk’

• Time

• Future Insurance

• Staff

• Closure of Business

• Regulatory Position

You’ve been scammed!

Could you survive?

Mrs Mackie didn’t!

http://open.live.bbc.co.uk/mediaselector/5/redir/versio

n/2.0/mediaset/audio-nondrm-

download/proto/http/vpid/p034845b.mp3

http://www.bbc.co.uk/news/business-34425717

http://open.live.bbc.co.uk/mediaselector/5/redir/version/2.0/mediaset/audio-nondrm-download/proto/http/vpid/p034845b.mp3









• What happens if you fall victim to a scam?

– Law Society Practice Note – 20th August 2015

http://www.lawsociety.org.uk/support-services/advice/practice-

notes/protecting-your-firm-if-you-fall-victim-to-a-scam/

• Principle 2 - 'act with integrity'

• Principle 5 - 'acting in the best interests of each client'

• Principle 6 - 'behave in a way that maintains the trust

the public places in you and the provision of legal

services'

The Regulatory Position

http://www.lawsociety.org.uk/support-services/advice/practice-notes/protecting-your-firm-if-you-fall-victim-to-a-scam/
























• Principle 7 - 'comply with your legal and regulatory

obligations and deal with your regulators and

ombudsmen in an open, timely and co-operative

manner’

• Principle 8 - 'run your business or carry out your role in

the business effectively and in accordance with proper

governance and sound financial and risk management

principles’

• Principle 10 - 'protect client money and assets'


SRA Outcomes

•(1.1) You treat your clients fairly.

•(1.2) You provide services to your clients in a manner which protects

their interests in their matter, subject to the proper administration of

justice.

•(1.12) Clients are in a position to make informed decisions about the

services they need, how their matter will be handled and the options

available to them.

•(1.16) You inform current clients if you discover any act or omission

which could give rise to a claim by them against you.

SRA Outcomes

•(4.1) You keep the affairs of clients confidential unless disclosure is

required or permitted by law or the client consents.

•(4.2) Any individual who is advising a client makes that client aware

of all information material to that retainer of which the individual has

personal knowledge.

Fraud Act 2006

• Section 3 sets out the circumstances in which it is an offence not

to disclose information to others (such as the client)

• Section 4 sets out that people (such as solicitors) who are in a

position where they are expected to safeguard the financial

interests of others commit an offence when they fail to do this


What does it mean in practice?

Who you going to call?

•Inform your bank. Do you have an emergency contact?

•Inform the police at the National Fraud and Cyber Crime Reporting

Centre on 0300 123 2040.

•Inform your professional indemnity insurer.

•Inform the Solicitors Regulation Authority (SRA) by telephone on

0121 329 6827 or email at [email protected].

And the REAL CRUNCH:

The firm must also restore the client account funds without delay. Its

partners might be personally liable for the client fund shortfall.

mailto:[email protected]


• Do not make any admission of liability or any offer of settlement to

any third party without specific consent from your insurers.

• Do not disclose the involvement of your own insurers beyond the

extent that you are required. Firms must disclose certain insurance

details to clients and/or claimants. Both these regulations apply

only to the compulsory element of the insurance, that is, the

minimum terms and conditions of cover. This means that only

details of the primary layer insurer have to be provided.


Implement your emergency action plan!

•Do you have one?

•Who knows what it contains?

•Are all the relevant telephone numbers readily to hand?

•When did you last update it?

Do you need to make use of the Cyber Incident Response (CIR)

service? http://www.cpni.gov.uk/advice/cyber/cir/

http://www.cpni.gov.uk/advice/cyber/cir/


Can you continue to use your client account?

SRA Warning notice ‘Money missing from client account’

http://www.sra.org.uk/solicitors/code-of-conduct/guidance/warning-notices/Money-missing-from-

client-account--Warning-notice.page

http://www.sra.org.uk/solicitors/code-of-conduct/guidance/warning-notices/Money-missing-from-client-account--Warning-notice.page




















• SRA Accounts Rules 2011

• It is your duty to remedy breaches of the SRA Accounts Rules 2011.

Specifically Rule 7 states:

• 7.1 Any breach of the rules must be remedied promptly upon

discovery. This includes the replacement of any money improperly

withheld or withdrawn from a client account.

• 7.2 In a private practice, the duty to remedy breaches rests not

only on the person causing the breach, but also on all the

principals in the firm. This duty extends to replacing missing client

money from the principals' own resources, even if the money has

been misappropriated by an employee or another principal, and

whether or not a claim is subsequently made on the firm's

insurance or the Compensation Fund.


• There is a clear duty in the SRA Accounts Rules to replace a

deficiency in a client account.

• In the general law, trustees in breach of trust also have a duty to

replace a deficiency.

• In any event, operating a deficient client account is very likely to

involve immediate and continuing breaches of trust – by paying

some clients their full entitlement, the amount left for other

clients reduces.

• Ultimately, a deficient trust account is likely to be distributed pro

rata.

• You may well breach your duty to act in the best interests of

clients if you pay client money into an already deficient account

without fully informed consent - no properly advised client would

pay funds into a deficient account with the risk of only receiving a

proportion back. Failing to inform clients exposes them to a risk of

loss (see O 4.2).


• Until missing money is replaced, you should not take costs from

the client account – you cannot “properly” require payment of

your fees from money held in a client account in such

circumstances and so rules 17.2 and 17.3 of the SRA Accounts Rules

2011 will not apply. Nor is it in the best interests of clients for you

to take costs from client account when there is insufficient in the

account for you to pay them in full.

• If you or your insurers do not replace the money promptly, you are

at serious risk of intervention by the SRA. Intervention may be

necessary in any event if there is reason to suspect dishonesty or

other grounds for intervention arise.

• Since it is unlikely that a deficient client account can be operated

without further breach of trust, you may well need to apply to the

court for directions as to how to distribute the remaining funds.

• Offences under the Fraud Act 2006 may be committed once you

are on notice that money is missing if you do not act properly and

honestly.

Are you covered by PII?

Professional Indemnity Insurance

The definition of a claim in the PII Minimum Terms and Conditions

(MTC) wording provides that an obligation on the part of an insured

firm to replace a client account shortage amounts to a claim under

the firm's PII policy.

Will insurers immediately replace missing money?

Clause 7 of the Participating Insurer's Agreement imposes an

obligation on the insurer to act with the utmost good faith in the

course of its dealings, as well as to pay claims without avoidable

delay after liability under the policy has been established and the

amount payable by the insurer has been agreed.

Are you covered by PII?

BUT,

SRA will expect the principals to make good the client account

shortage from their own resources in order to meet the urgency of the

situation or to insist upon closure of your firm.

It may be advisable to buy in specialist legal advice to assist.

Potential problems with lenders. Can you complete a purchase due to

happen the day after you discover the money is missing?

The SRA's policy in this area is in the process of development.

What are the Risks?

• Vishing

• Phishing; Whaling; Spear Phishing and Clone Phishing

• Malware

• Friday afternoon scams

• Intercepted emails

• Bogus websites

• False friend

• Surveys

• Screenshot manager: allows criminals take screenshots of your

computer screen

• Ad clicker: allows a criminal to direct a victim’s computer to click

a specific link

What are the Risks?

Intercepted emails:

http://www.thisismoney.co.uk/money/mortgageshome/article-

3385825/Sarah-Ritchie-saved-45-000-dream-home-lost-devastating-new-

scam.html

Bogus emails:

Which of the following are genuine?

http://www.thisismoney.co.uk/money/mortgageshome/article-3385825/Sarah-Ritchie-saved-45-000-dream-home-lost-devastating-new-scam.html























How to protect your firm

Knowledge!

• If you open a scam email what might be the result?

- Malware

- Ransomware

- Virus

• Would you know this was on your system?


Knowledge!

(Play Vishing Scam Call)


Knowledge!

SRA Alerts

http://www.sra.org.uk/consumers/scam-alerts/scam-alerts.page

SRA Articles:

In the Shadows - Bogus Firms

http://www.sra.org.uk/risk/resources/risks-associated-bogus-firms.page

Spiders in the Web - Online Crime

http://www.sra.org.uk/documents/solicitors/freedom-in-

practice/cybercrime.pdf

Question of Ethics

http://www.sra.org.uk/solicitors/code-of-

conduct/guidance/questionofethics/June-2015.page













http://www.sra.org.uk/documents/solicitors/freedom-in-practice/cybercrime.pdf





http://www.sra.org.uk/solicitors/code-of-conduct/guidance/questionofethics/June-2015.page








Knowledge!

Law Society Practice Notes:

PII

http://www.lawsociety.org.uk/support-services/advice/practice-notes/professional-

indemnity-insurance/

Information Security

http://www.lawsociety.org.uk/support-services/advice/practice-notes/information-

security/

Mortgage Fraud

http://www.lawsociety.org.uk/support-services/advice/practice-notes/mortgage-fraud/

Property and Registration Fraud

http://www.lawsociety.org.uk/support-services/advice/practice-notes/property-

registration-fraud/

http://www.lawsociety.org.uk/support-services/advice/practice-notes/professional-indemnity-insurance/









http://www.lawsociety.org.uk/support-services/advice/practice-notes/information-security/














http://www.lawsociety.org.uk/support-services/advice/practice-notes/property-registration-fraud/










Cyber Insurance:

What might it cover?

•Fines and investigations – Covering the potentially significant costs and

expenses of data protection regulator investigations and legally insurable

fines following data security breaches.

• Crisis management –This includes: Cyber incident response services

following a data breach, PR, repair of company and individual reputations,

breach coaching, and notification and monitoring costs associated with a

breach of information.

• Electronic data – Covering the costs of making data safe again after a leak

or breach.


Cyber Insurance:

What might it cover?

•Data Liability – Covering the financial consequences of losing or mis-

appropriating client or employee data on your network or network devices.

• Business/Network Interruption – Covering the loss of net profit as a result

of a material interruption to the insured’s network, after a denial of service

attack or network security breach.

• Multimedia Liability – Covering the damages and defence costs incurred in

connection with a breach of third party intellectual property, or negligence in

connection with electronic content.

• Cyber/Privacy Extortion – Covering ransom payments (extortion loss) to

third parties incurred in terminating a security threat.


What are the two most important things that

you can do to protect your firm?


What are the two most important things that

you can do to protect your firm?

Training!

More Training!

and third is

Repeat the Training regularly!


http://www.lawsociety.org.uk/news/stories/new-law-society-advice-on-

protection-against-scams/

http://www.lawsociety.org.uk/Support-services/Practice-

management/Scam-prevention/

http://www.lawsociety.org.uk/support-services/practice-

management/scam-prevention/practical-tips-to-protect-your-firm-from-

scams/

http://www.lawsociety.org.uk/news/stories/new-law-society-advice-on-protection-against-scams/















http://www.lawsociety.org.uk/Support-services/Practice-management/Scam-prevention/







http://www.lawsociety.org.uk/support-services/practice-management/scam-prevention/practical-tips-to-protect-your-firm-from-scams/






















•Knowledge of how the risks arise.

•Checking that people are calling from where they say

they are calling from.

•Encouraging employees to use strong, unique

passwords and change them regularly.

•Don’t allow personal emails at work.

•Protect operating systems with up-to-date security

software.

•Using secure wireless connections – such as virtual

private network (VPN) software – to encrypt wireless

communications.


• Making sure that you are completely happy with your

outsourced IT provider (if you have one), and that

you understand how your systems are protected.

• Consider internal procedures, such as how you verify

that the destination account for the proceeds of a

house sale belongs to your client. (Copy bank

statement?)

• Set out bank details at the beginning of a

transaction stating that this will not be changed.

• Verify your bank account by telephone.

• Balance between adequate safeguards and still

getting the job done!


Specifically:

Phishing Emails

• Training

- What to look for:

• My desktop looks different.

• Why is my PC running slow.

• What are these funny windows that sometimes open?

• There’s a new icon on my desktop.

• When I log on to the internet, it goes to a different homepage.

• If something looks wrong, it probably is!

- Develop a suspicious approach.

- It’s not just an IT problem!

- No personal emails.

- Which members of staff cause the biggest headaches?


Specifically:

Phishing Emails

• No blame culture

- “I clicked on the email but nothing happened so I don’t

have to tell anyone.”

• Well maintained IT system – regular scans

- How often does your anti-virus software update? Zero-day

vulnerability risk.

- Virus check all discs/memory cards.

Don’t allow macros to run automatically.


Specifically:

Intercepted and Bogus Emails

•Never send bank details by email.

•Never accept email instructions for net proceeds of

sale.

•Warn clients of the risk: - Don’t hide the warning in your T&Cs.

- Is your client care letter already too long?

- What do you need to tell clients?


Specifically:

Intercepted and Bogus Emails

Seen on the bottom of one firm’s emails:

“IF WE HAVE SENT YOU OUR BANK DETAILS BEFORE YOU

SEND US ANY FUNDS PLEASE CALL US TO VERIFY THOSE

BANK DETAILS. THIS IS SO THAT WE CAN PREVENT FRAUD

AND THE DIVERSION OF FUNDS MEANT FOR THIS FIRM”

Is this a good idea?


Warning!

Our bank account details are as follows:

We will never send you an email asking you to send money to any other

account.

We will never telephone you asking you to send money to any other account.

If you receive a request to send funds to any other account, please contact us

immediately by using the telephone number on our headed notepaper.

We will never ask you to contact us by ringing any other number.

Please keep this information for future reference.


Specifically:

Vishing Telephone Calls

•Establish protocols with your bank:

- Who from the bank would contact you?

- Who would they ask for?

- Who can you contact in an emergency?

- Limit the people the bank can speak to and agree that with

the bank.


• Always ring back

- Use a different phone or ring another number first.

- Use a number that you know is genuine not one you’ve been

given.

- If in doubt, check the number you’ve been given with:

• Your relationship manager.

• The bank’s website.

- Be aware of what the bank will and will not ask you.

- Never transfer money to another account for safety.

- Remember that the number displayed on your telephone

may not be correct.

- Be wary about giving any security information over the

phone.

- If in doubt get someone else to ring your bank whilst you

remain on the line.


• Training

- All staff, not just cashiers and conveyancers.

- Where is the weakest link in your firm?

- Make sure staff know what information they can and can’t

give out.

- Refresh training regularly.

- Don’t make it easy for criminals:

• Understand and explain to receptionists the importance of

their role.

- Beware overconfidence.

- Have procedures and policies in place to deal with likely

scenarios.

- Ask staff if they know the latest scam:

• They don’t know – it hasn’t been identified yet!

- Constant vigilance.

How to protect your firm THE WORST PASSWORDS OF 2015

Rank Password Change from 2014

1 123456 No change

2 password No change

3 12345678 Up 1

4 qwerty Up 1

5 12345 Down 2

6 123456789 No change

7 football Up 3

8 1234 Down 1

9 1234567 Up 2

10 baseball Down 2

11 welcome New

12 1234567890 New

13 abc123 Up 1

14 111111 Up 1

15 1qaz2wsx New

16 dragon Down 7

17 master Up 2

18 monkey Down 6

19 letmein Down 6

20 login New

21 princess New

22 qwertyuiop New

23 solo New

24 passw0rd New

25 starwars New


Factory Default Administrator Passwords

Have you changed the default login and password

details for your router?

http://www.routerpasswords.com/

http://www.routerpasswords.com/

Beware: The curse of Social Media

Does your Facebook page give a criminal all the

information they need to hack your computer – at work

as well as at home?

What is the next scam?



Remember:

The criminals only have to be lucky once!

property section workshop: fighting fraud and managing risk - … › uploads › files ›...

Documents