Property Section Workshop: Fighting Fraud and Managing Risk - Cardiff
Wednesday 24th February 2016
The Law Society, Cardiff
Stephen Murray Business Development Director
Who are PSG?
• Experts in search since 1998
• 250 staff across 49 local branches
• Trusted by over 1500 firms every year
• 97% of clients rate our service as good or
excellent
What you might not know!
• Process over 14,000 search instructions every month on average
• 1 in 5 residential transactions
• 1 in 10 commercial transactions
• PSG are Executive members of CoPSO
• Stakeholder involvement with the Land Registry
• PSG Financial Services Ltd
What makes us different?
• A search company first, supported by the most up-to-date technology
• Constantly evolving products and technology
• Supporters of training and education
• The Law Society
• The SLC
• The Conveyancing Association (Affiliate Member)
• The LFS Conveyancing Conference & Awards
Please come and have a chat
Thank you
Property Section Workshop: Fighting
Fraud and Managing Risk – Cardiff
Wednesday 24th February 2016
The Law Society, Cardiff
Peter Rodd,
Senior Partner, Boys & Maughan
Nick Podd,
Associate Consultant in Cyber Security,
Law Society Consulting
Fraud and Risk
1. Mortgage Fraud
2. Consequences of Fraud and Cyber Crime
3. The Regulatory Position
4. What Would it Mean in Practice?
5. Are You Covered By PII?
6. What Are the Risks?
7. How to Protect Your Firm
Mortgage Fraud
Mortgage Fraud hasn’t gone away!
• Two cases involving bogus firms
- Lloyds TSB Bank v Markandan & Uddin
- Nationwide v Davisons
Use the High Court decisions as training aids for all
conveyancing staff – fee earners and support staff.
What were the warning signs they missed?
Warning Signs
• Errors in letterheading.
• No landline telephone number.
• Inconsistent telephone or fax numbers with those usually used by the firm.
• Telephone calls being diverted to a call-back service.
• A firm apparently based in serviced offices.
• Email addresses using generic email accounts.
• Sudden appearance in your locality of a firm with no obvious connection to the
area, probably not interacting with other local firms at all.
• A firm appearing to open a branch office a considerable distance from its head
office for no obvious reason.
• A firm based in one part of the country supposedly having a bank account in
another part of the country.
• A client account apparently overseas.
• A strange or suspicious bank account name, e.g. the account not being in the name
of the law firm you are supposedly dealing with.
• ANYTHING UNUSUAL.
Mortgage Fraud
• What precautions do you take?
– Find a solicitor
– Lawyer Checker
– Code for completion by post
– Telephone to recheck the bank details
– Make sure that all conveyancers are familiar with and follow the
requirements of the CML handbook – even if there is no mortgage
involved.
Mortgage Fraud
• Sloppy Conveyancing increases the risk
– Be aware of the undertakings in the Code for completion by post
– Be wary of ‘replies to requisitions’ sent with the draft contract
– Make sure all conveyancers have read and are familiar with the Full
Certificate of Title – not just the short version.
http://www.lawsociety.org.uk/support-services/advice/articles/sra-handbook-and-approved-certificate-of-title/
(from 30th November 2015)
Risky Transactions
• Lenders’ Four Greatest Concerns:
– Back to back sales
– Sales within 6 months of purchase
– Money passing direct
– Change in price from that in the mortgage offer
Mortgage Fraud
The key message:
• Anything unusual or out of the ordinary should be
regarded as a warning sign.
• Systems need to be in place so that staff know what action to
take in such a situation.
Cyber Crime
How big of a problem is it?
Victoria Derbyshire Programme on 7th January reported:
From 1st Jan 2014 to 31st October 2015
91 crimes of that nature
Totalling £10.2m
Average loss of £112,310
You’ve been scammed!
• What would happen if £500,000 had wrongly been
removed from your client account?
• What action do you need to take?
• Who do you need to talk to?
• What impact would it have on your firm?
• Would you survive?
Adverse Impact on Profits
• Financial Loss
• Reputation – ‘Talk Talk’
• Time
• Future Insurance
• Staff
• Closure of Business
• Regulatory Position
You’ve been scammed!
Could you survive?
Mrs Mackie didn’t!
http://open.live.bbc.co.uk/mediaselector/5/redir/version/2.0/mediaset/audio-nondrm-download/proto/http/vpid/p034845b.mp3
http://www.bbc.co.uk/news/business-34425717
• What happens if you fall victim to a scam?
– Law Society Practice Note – 20th August 2015
http://www.lawsociety.org.uk/support-services/advice/practice-notes/protecting-your-firm-if-you-fall-victim-to-a-scam/
The Regulatory Position
• Principle 2 - 'act with integrity'
• Principle 5 - 'acting in the best interests of each client'
• Principle 6 - 'behave in a way that maintains the trust
the public places in you and the provision of legal
services'
The Regulatory Position
• Principle 7 - 'comply with your legal and regulatory
obligations and deal with your regulators and
ombudsmen in an open, timely and co-operative
manner’
• Principle 8 - 'run your business or carry out your role in
the business effectively and in accordance with proper
governance and sound financial and risk management
principles’
• Principle 10 - 'protect client money and assets'
The Regulatory Position
SRA Outcomes
• (1.1) You treat your clients fairly.
• (1.2) You provide services to your clients in a manner which protects
their interests in their matter, subject to the proper administration of
justice.
• (1.12) Clients are in a position to make informed decisions about the
services they need, how their matter will be handled and the options
available to them.
• (1.16) You inform current clients if you discover any act or omission
which could give rise to a claim by them against you.
SRA Outcomes
• (4.1) You keep the affairs of clients confidential unless disclosure is
required or permitted by law or the client consents.
• (4.2) Any individual who is advising a client makes that client aware
of all information material to that retainer of which the individual has
personal knowledge.
The Regulatory Position
Fraud Act 2006
• Section 3 sets out the circumstances in which it is an offence not
to disclose information to others (such as the client)
• Section 4 sets out that people (such as solicitors) who are in a
position where they are expected to safeguard the financial
interests of others commit an offence when they fail to do this
What does it mean in practice?
Who you going to call?
• Inform your bank. Do you have an emergency contact?
• Inform the police at the National Fraud and Cyber Crime Reporting
Centre on 0300 123 2040.
• Inform your professional indemnity insurer.
• Inform the Solicitors Regulation Authority (SRA) by telephone on
0121 329 6827 or email at [email protected].
And the REAL CRUNCH:
The firm must also restore the client account funds without delay. Its
partners might be personally liable for the client fund shortfall.
What does it mean in practice?
• Do not make any admission of liability or any offer of settlement to
any third party without specific consent from your insurers.
• Do not disclose the involvement of your own insurers beyond the
extent that you are required. Firms must disclose certain insurance
details to clients and/or claimants. Both these regulations apply
only to the compulsory element of the insurance, that is, the
minimum terms and conditions of cover. This means that only
details of the primary layer insurer have to be provided.
What does it mean in practice?
Implement your emergency action plan!
•Do you have one?
•Who knows what it contains?
•Are all the relevant telephone numbers readily to hand?
•When did you last update it?
Do you need to make use of the Cyber Incident Response (CIR)
service? http://www.cpni.gov.uk/advice/cyber/cir/
What does it mean in practice?
Can you continue to use your client account?
SRA Warning notice ‘Money missing from client account’
http://www.sra.org.uk/solicitors/code-of-conduct/guidance/warning-notices/Money-missing-from-client-account--Warning-notice.page
What does it mean in practice?
• SRA Accounts Rules 2011
• It is your duty to remedy breaches of the SRA Accounts Rules 2011.
Specifically Rule 7 states:
• 7.1 Any breach of the rules must be remedied promptly upon
discovery. This includes the replacement of any money improperly
withheld or withdrawn from a client account.
• 7.2 In a private practice, the duty to remedy breaches rests not
only on the person causing the breach, but also on all the
principals in the firm. This duty extends to replacing missing client
money from the principals' own resources, even if the money has
been misappropriated by an employee or another principal, and
whether or not a claim is subsequently made on the firm's
insurance or the Compensation Fund.
What does it mean in practice?
• There is a clear duty in the SRA Accounts Rules to replace a
deficiency in a client account.
• In the general law, trustees in breach of trust also have a duty to
replace a deficiency.
• In any event, operating a deficient client account is very likely to
involve immediate and continuing breaches of trust – by paying
some clients their full entitlement, the amount left for other
clients reduces.
• Ultimately, a deficient trust account is likely to be distributed pro
rata.
• You may well breach your duty to act in the best interests of
clients if you pay client money into an already deficient account
without fully informed consent - no properly advised client would
pay funds into a deficient account with the risk of only receiving a
proportion back. Failing to inform clients exposes them to a risk of
loss (see O 4.2).
What does it mean in practice?
• Until missing money is replaced, you should not take costs from
the client account – you cannot “properly” require payment of
your fees from money held in a client account in such
circumstances and so rules 17.2 and 17.3 of the SRA Accounts Rules
2011 will not apply. Nor is it in the best interests of clients for you
to take costs from client account when there is insufficient in the
account for you to pay them in full.
• If you or your insurers do not replace the money promptly, you are
at serious risk of intervention by the SRA. Intervention may be
necessary in any event if there is reason to suspect dishonesty or
other grounds for intervention arise.
• Since it is unlikely that a deficient client account can be operated
without further breach of trust, you may well need to apply to the
court for directions as to how to distribute the remaining funds.
• Offences under the Fraud Act 2006 may be committed once you
are on notice that money is missing if you do not act properly and
honestly.
Are you covered by PII?
Professional Indemnity Insurance
The definition of a claim in the PII Minimum Terms and Conditions
(MTC) wording provides that an obligation on the part of an insured
firm to replace a client account shortage amounts to a claim under
the firm's PII policy.
Will insurers immediately replace missing money?
Clause 7 of the Participating Insurer's Agreement imposes an
obligation on the insurer to act with the utmost good faith in the
course of its dealings, as well as to pay claims without avoidable
delay after liability under the policy has been established and the
amount payable by the insurer has been agreed.
Are you covered by PII?
BUT,
The SRA will expect the principals to make good the client account
shortage from their own resources in order to meet the urgency of the
situation, or will insist upon closure of your firm.
It may be advisable to buy in specialist legal advice to assist.
Potential problems with lenders. Can you complete a purchase due to
happen the day after you discover the money is missing?
The SRA's policy in this area is in the process of development.
What are the Risks?
• Vishing
• Phishing; Whaling; Spear Phishing and Clone Phishing
• Malware
• Friday afternoon scams
• Intercepted emails
• Bogus websites
• False friend
• Surveys
• Screenshot manager: allows criminals to take screenshots of your
computer screen
• Ad clicker: allows a criminal to direct a victim’s computer to click
a specific link
What are the Risks?
Intercepted emails:
http://www.thisismoney.co.uk/money/mortgageshome/article-3385825/Sarah-Ritchie-saved-45-000-dream-home-lost-devastating-new-scam.html
Bogus emails:
Which of the following are genuine?
How to protect your firm
Knowledge!
• If you open a scam email what might be the result?
- Malware
- Ransomware
- Virus
• Would you know this was on your system?
How to protect your firm
Knowledge!
(Play Vishing Scam Call)
How to protect your firm
Knowledge!
SRA Alerts
http://www.sra.org.uk/consumers/scam-alerts/scam-alerts.page
SRA Articles:
In the Shadows - Bogus Firms
http://www.sra.org.uk/risk/resources/risks-associated-bogus-firms.page
Spiders in the Web - Online Crime
http://www.sra.org.uk/documents/solicitors/freedom-in-practice/cybercrime.pdf
Question of Ethics
http://www.sra.org.uk/solicitors/code-of-conduct/guidance/questionofethics/June-2015.page
How to protect your firm
Knowledge!
Law Society Practice Notes:
PII
http://www.lawsociety.org.uk/support-services/advice/practice-notes/professional-indemnity-insurance/
Information Security
http://www.lawsociety.org.uk/support-services/advice/practice-notes/information-security/
Mortgage Fraud
http://www.lawsociety.org.uk/support-services/advice/practice-notes/mortgage-fraud/
Property and Registration Fraud
http://www.lawsociety.org.uk/support-services/advice/practice-notes/property-registration-fraud/
How to protect your firm
Cyber Insurance:
What might it cover?
• Fines and investigations – Covering the potentially significant costs and
expenses of data protection regulator investigations and legally insurable
fines following data security breaches.
• Crisis management – This includes: Cyber incident response services
following a data breach, PR, repair of company and individual reputations,
breach coaching, and notification and monitoring costs associated with a
breach of information.
• Electronic data – Covering the costs of making data safe again after a leak
or breach.
How to protect your firm
Cyber Insurance:
What might it cover?
• Data Liability – Covering the financial consequences of losing or
misappropriating client or employee data on your network or network devices.
• Business/Network Interruption – Covering the loss of net profit as a result
of a material interruption to the insured’s network, after a denial of service
attack or network security breach.
• Multimedia Liability – Covering the damages and defence costs incurred in
connection with a breach of third party intellectual property, or negligence in
connection with electronic content.
• Cyber/Privacy Extortion – Covering ransom payments (extortion loss) to
third parties incurred in terminating a security threat.
How to protect your firm
What are the two most important things that
you can do to protect your firm?
Training!
More Training!
and third is
Repeat the Training regularly!
How to protect your firm
http://www.lawsociety.org.uk/news/stories/new-law-society-advice-on-protection-against-scams/
http://www.lawsociety.org.uk/Support-services/Practice-management/Scam-prevention/
http://www.lawsociety.org.uk/support-services/practice-management/scam-prevention/practical-tips-to-protect-your-firm-from-scams/
How to protect your firm
• Knowledge of how the risks arise.
• Checking that people are calling from where they say
they are calling from.
• Encouraging employees to use strong, unique
passwords and change them regularly.
• Don’t allow personal emails at work.
• Protect operating systems with up-to-date security
software.
• Using secure wireless connections – such as virtual
private network (VPN) software – to encrypt wireless
communications.
How to protect your firm
• Making sure that you are completely happy with your
outsourced IT provider (if you have one), and that
you understand how your systems are protected.
• Consider internal procedures, such as how you verify
that the destination account for the proceeds of a
house sale belongs to your client. (Copy bank
statement?)
• Set out bank details at the beginning of a
transaction, stating that these will not be changed.
• Verify your bank account by telephone.
• Balance between adequate safeguards and still
getting the job done!
How to protect your firm
Specifically:
Phishing Emails
• Training
- What to look for:
• My desktop looks different.
• Why is my PC running slow?
• What are these funny windows that sometimes open?
• There’s a new icon on my desktop.
• When I log on to the internet, it goes to a different homepage.
• If something looks wrong, it probably is!
- Develop a suspicious approach.
- It’s not just an IT problem!
- No personal emails.
- Which members of staff cause the biggest headaches?
How to protect your firm
Specifically:
Phishing Emails
• No blame culture
- “I clicked on the email but nothing happened so I don’t
have to tell anyone.”
• Well maintained IT system – regular scans
- How often does your anti-virus software update? Zero-day
vulnerability risk.
- Virus check all discs/memory cards.
- Don’t allow macros to run automatically.
How to protect your firm
Specifically:
Intercepted and Bogus Emails
• Never send bank details by email.
• Never accept email instructions for net proceeds of
sale.
• Warn clients of the risk:
- Don’t hide the warning in your T&Cs.
- Is your client care letter already too long?
- What do you need to tell clients?
How to protect your firm
Specifically:
Intercepted and Bogus Emails
Seen on the bottom of one firm’s emails:
“IF WE HAVE SENT YOU OUR BANK DETAILS BEFORE YOU
SEND US ANY FUNDS PLEASE CALL US TO VERIFY THOSE
BANK DETAILS. THIS IS SO THAT WE CAN PREVENT FRAUD
AND THE DIVERSION OF FUNDS MEANT FOR THIS FIRM”
Is this a good idea?
How to protect your firm
Warning!
Our bank account details are as follows:
We will never send you an email asking you to send money to any other
account.
We will never telephone you asking you to send money to any other account.
If you receive a request to send funds to any other account, please contact us
immediately by using the telephone number on our headed notepaper.
We will never ask you to contact us by ringing any other number.
Please keep this information for future reference.
How to protect your firm
Specifically:
Vishing Telephone Calls
• Establish protocols with your bank:
- Who from the bank would contact you?
- Who would they ask for?
- Who can you contact in an emergency?
- Limit the people the bank can speak to and agree that with
the bank.
How to protect your firm
• Always ring back
- Use a different phone or ring another number first.
- Use a number that you know is genuine not one you’ve been
given.
- If in doubt, check the number you’ve been given with:
• Your relationship manager.
• The bank’s website.
- Be aware of what the bank will and will not ask you.
- Never transfer money to another account for safety.
- Remember that the number displayed on your telephone
may not be correct.
- Be wary about giving any security information over the
phone.
- If in doubt get someone else to ring your bank whilst you
remain on the line.
How to protect your firm
• Training
- All staff, not just cashiers and conveyancers.
- Where is the weakest link in your firm?
- Make sure staff know what information they can and can’t
give out.
- Refresh training regularly.
- Don’t make it easy for criminals:
• Understand and explain to receptionists the importance of
their role.
- Beware overconfidence.
- Have procedures and policies in place to deal with likely
scenarios.
- Ask staff if they know the latest scam:
• They don’t know – it hasn’t been identified yet!
- Constant vigilance.
How to protect your firm
THE WORST PASSWORDS OF 2015
Rank  Password     Change from 2014
1     123456       No change
2     password     No change
3     12345678     Up 1
4     qwerty       Up 1
5     12345        Down 2
6     123456789    No change
7     football     Up 3
8     1234         Down 1
9     1234567      Up 2
10    baseball     Down 2
11    welcome      New
12    1234567890   New
13    abc123       Up 1
14    111111       Up 1
15    1qaz2wsx     New
16    dragon       Down 7
17    master       Up 2
18    monkey       Down 6
19    letmein      Down 6
20    login        New
21    princess     New
22    qwertyuiop   New
23    solo         New
24    passw0rd     New
25    starwars     New
How to protect your firm
Factory Default Administrator Passwords
Have you changed the default login and password
details for your router?
http://www.routerpasswords.com/
Beware: The curse of Social Media
Does your Facebook page give a criminal all the
information they need to hack your computer – at work
as well as at home?
What is the next scam?
How to protect your firm
Remember:
The criminals only have to be lucky once!