Brexit and the GDPR

The UK has left the EU and the transition period is set to end on 31st December 2020. Up until then all UK organisations are bound by the General Data Protection Regulation (GDPR). So, what happens after 31st December 2020?

After the end of the transition period the GDPR will be brought into UK law under what’s known as the UK GDPR, which will be supplemented by the Data Protection Act 2018. This UK legislation closely mirrors the GDPR with some changes, especially around transfers of data between the UK and the EU/EEA. UK organisations that have an establishment in the EU or offer goods or services to, or monitor the behaviour of, EU individuals will continue to be bound by the EU GDPR, and may need to review their documentation.

Adequacy – In order to protect individuals’ personal data when it is transferred from the EU to a ‘third’ country, i.e. a country outside of the EU, the European Commission looks at the protections offered by that country, in particular its data protection legislation as well as the way that government treats data privacy. If the Commission is satisfied that a third country offers sufficient protection it awards what is known as an adequacy decision. Once an adequacy decision is awarded, transfers can go ahead unhindered, as if they were being transferred within the EU. Once the transition period ends on 31st December 2020, the UK will become a third country, and how data can be transferred from the EU to the UK will depend upon whether the Commission awards an adequacy decision to the UK. This is by no means a foregone conclusion. Discussions are under way but the trade negotiations as well as EU concerns over UK government surveillance leave a question mark over the likelihood of adequacy being achieved, especially in the short term. In the absence of such a decision, organisations will need to find different lawful bases for dealing with their EU business, such as standard contract clauses, binding corporate rules etc.

The transfer of personal data from the UK to EU countries can continue as normal after 31st December 2020, because the UK has in effect given the EU an adequacy decision.

EU Representatives – organisations offering goods or services or monitoring the behaviour of individuals in the EU and that have no offices or branches in the EU will, after 31st December 2020, be required to appoint a representative in the EU. Organisations offering products or services to more than one EU country will not need to appoint a representative in each country but would normally do so in the country where most activity takes place. Contact details for the representative must be included in the organisation’s privacy notice and a written agreement must be in place with the representative detailing the representative’s responsibilities. The representative will be the main point of contact for the local data protection authority/authorities as well as data subjects.

Under the UK GDPR it is intended that organisations outside of the UK that are bound by the UK GDPR will be required to appoint a representative in the UK.

Standard Contract Clauses – traditionally, organisations transferring personal data to countries outside the EEA and where no adequacy decision is in place, have been able to use approved standard contract clauses (SCCs) as a lawful basis for such transfers. The recent Schrems 2 ruling by the Court of Justice of the European Union (CJEU) agreed that SCCs are still valid, but that in order to rely on them organisations need to carry out (on a case by case basis) a risk assessment and consider implementing additional safeguards. SCCs place strict obligations on the parties and in some cases risk assessments may well throw up issues that give cause for concern. The CJEU also put pressure on data protection authorities (in our case the ICO) to be proactive in ensuring organisations comply. Particular difficulties may be encountered by organisations transferring to the USA because any risk assessment will reveal the very issues that led to the demise of the Privacy Shield.

There is a plan to introduce new, updated SCCs at some point but our advice in the meantime is to put SCCs in place, carry out the risk assessment and apply whatever safeguards you can, such as encryption and pseudonymisation.

Contact us if you have questions: [email protected] or 07887 524507

Here is a link to our DPO (Data Protection Officer) Service: https://hunningsconsultancy.co.uk/dpo-service-data-protection-officer/

Here we have gathered together information and a number of useful articles from the Law Society so that you may find them easily in one place.

The new national lockdown will come into force in England at 12.01am on Thursday 5 November and last until at least Wednesday 2 December. 

In Wales, the restrictions brought in through the national ‘firebreak’ lockdown will continue until 9 November.

But remember - you can Carry on Trading!!

What are the new restrictions in England?

The most relevant points for solicitors include:

  • going to work – everyone who can work effectively from home must do so. Where people cannot do so, they should continue to travel to work/attend their workplace
  • international travel – outbound international travel and overnight stays away from home are to be banned, unless for work purposes. If people must travel, they should follow the quarantine guidelines and relevant travel corridor restrictions
  • courts – courts will remain open unless otherwise stated
  • education – childcare, schools, colleges and universities will remain open and the prime minister stressed school is the best place for children to be
  • vulnerable people – clinically vulnerable people have been asked to follow the restrictions closely as far as possible. New guidance will be published on visits to care homes
  • property market remains open – the housing secretary has given an update on the housing market ahead of the second lockdown:
    • renters and homeowners will be able to move
    • removal firms and estate agents can operate
    • construction sites can and should continue
    • tradespeople will be able to enter homes
    • all must follow the COVID-19 safety guidance
  • key workers – the definition of 'key workers' will be the same as it was in the first lockdown and will therefore cover solicitors if they fall within these categories:
    • advocates (including solicitor advocates) required to appear before a court or tribunal (remotely or in person), including prosecutors
    • other legal practitioners required to support the administration of justice including duty solicitors (police station and court) and barristers, solicitors, legal executives, paralegals and others who work on imminent or ongoing court or tribunal hearings
    • solicitors acting in connection with the execution of wills
    • solicitors and barristers advising people living in institutions or deprived of their liberty

Some articles

Blueprint for law firms and solicitors facing local lockdowns

https://www.lawsociety.org.uk/topics/coronavirus/practical-framework-for-law-firms-and-sole-practitioners-on-return-to-the-office

Coronavirus (COVID-19) information for legal services

https://www.lawsociety.org.uk/topics/coronavirus/coronavirus-covid-19-information-for-legal-services

Guidance to law firms on the Job Support Scheme

https://www.lawsociety.org.uk/topics/coronavirus/guidance-to-law-firms-on-the-job-support-scheme

Ups and downs: lockdown and high street conveyancing firms

https://communities.lawsociety.org.uk/september-2020/ups-and-downs/6001304.article

Why law firm leaders need to take a break

https://communities.lawsociety.org.uk/coronavirus-managing-in-a-recession/why-law-firm-leaders-need-to-take-a-break/6001217.article

Getting back to the office: supporting your people

https://communities.lawsociety.org.uk/coronavirus-managing-in-a-recession/getting-back-to-the-office-supporting-your-people/6001322.article

The Law Society Gazette reports today that the Legal Services Board has approved the SQE - due to start in the autumn of next year.

Uncertainty has been removed. Qualifying as a solicitor will be by this method from the autumn of 2021. Here's a link to the article in the LS Gazette announcing this: https://www.lawgazette.co.uk/news/its-official-lsb-approves-solicitor-super-exam/5106169.article?

For information about the SQE see here: https://hunningsconsultancy.co.uk/the-new-sqe-exam-and-qualification-method/

For information on how you can use the Apprenticeship Scheme to pay for the SQE training costs see here: https://hunningsconsultancy.co.uk/apprenticeships-the-sqe-how-this-can-save-you-money/

For information on how we can help aspiring solicitors with monitoring your QWE see here: https://hunningsconsultancy.co.uk/external-qwe-certification-service-2/

DPO Service:

We are pleased to be able to announce that we are launching this new service for our clients. https://hunningsconsultancy.co.uk/dpo-service-data-protection-officer/ This is another element of our Business Support for Law Firms & Other Businesses. Having a Data Protection Officer for your company is a requirement where you are a public body or you handle large amounts of personal data. Examples might be: recruitment companies, call centres, GP surgeries, security companies (eg CCTV footage). Even if the appointment of a DPO is not mandatory under GDPR, the ICO still recommends the appointment of a DPO or, if you decide not to do so, that a note be made to record the decision and reason. Having a DPO demonstrates your commitment to protecting personal data.

How can we help? Advice & assistance. You may appoint someone outside your organisation. That saves you putting them on the payroll. It allows you to buy the time you need. It frees up a senior staff member to work on other issues. It also means that you have someone independent who is an expert and may state bluntly what needs to be done without fear of how it might affect their prospects in the organisation.  We can also help you when and if you receive a Subject Access Request.

How can we help?

If you would like to discuss our Data Protection Officer services or indeed any issues relating to data protection, please email us at [email protected] or call 07887 524507.

Here is a link to a summary of our DPO Service: https://hunningsconsultancy.co.uk/dpo-service-data-protection-officer/

Here is a link to an article on who has to have a DPO, their role and responsibilities and the source legislation: https://hunningsconsultancy.co.uk/what-does-a-dpo-do-who-needs-one/

What does the DPO do?

In short, help to ensure that your organisation protects the personal data that it handles and remains compliant with GDPR. For some organisations the appointment of a DPO (Data Protection Officer) is mandatory, for others recommended.

The GDPR states that:

“The data protection officer shall have at least the following tasks:

  • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”

...and further states that “The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.”

In terms of the DPO role there are various considerations for organisations to take into account.

What do you have to do to support the DPO?

You must ensure that:

  • the DPO is involved, closely and in a timely manner, in all data protection matters;
  • the DPO reports to the highest management level of your organisation, i.e. board level;
  • the DPO operates independently and is not dismissed or penalised for performing their tasks;
  • you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;
  • you give the DPO appropriate access to personal data and processing activities;
  • you give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information;
  • you seek the advice of your DPO when carrying out a DPIA; and
  • you record the details of your DPO as part of your records of processing activities.

This demonstrates the importance of the DPO role to your organisation and shows that you must provide sufficient support so they can carry out their role independently. Your DPO is required to report to the highest level of management and must have direct access at board level in order to give advice, so that senior management can make informed decisions in regard to data protection and processing.

Who must have a Data Protection Officer?

For the following organisations the appointment of a DPO is mandatory under GDPR.

The GDPR states that a Data Protection Officer must be appointed:

  • If the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; so, for example, all local authorities are obliged to appoint a DPO
  • If the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; for example companies working in the data sector, social media companies etc., where they are monitoring a large number of individuals (and this will also include for example the use of CCTV)
  • If the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

The following types of data are defined as ‘special categories of data’ under Article 9 of the GDPR:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
  • genetic data, biometric data for the purpose of uniquely identifying a natural person
  • data concerning health, data concerning a natural person's sex life or sexual orientation

There is no definition of ‘large scale’ in the legislation, though the ICO advises that “processing may be on a large scale where it involves a wide range or large volume of personal data, where it takes place over a large geographical area, where a large number of people are affected, or it is extensive or has long-lasting effects”. So, it’s likely that the following sorts of organisations will be required to appoint a DPO: most GP surgeries, all hospitals and many companies in the healthcare sector, companies with a very large number of employees, companies using ID verification in large numbers, trade unions, recruitment companies, call centres, security companies (eg, handling CCTV) etc.

Appointing a Data Protection Officer (DPO) is not mandatory for all organisations, but all organisations are encouraged to at least consider the option of appointing a DPO. Having a DPO demonstrates a commitment to protecting personal data but should also help organisations remain compliant. If you decide not to appoint a DPO then you should clearly document your rationale for this decision. The ICO says “Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. However, a DPO can help you operate within the law by advising and helping to monitor compliance. In this way, a DPO can be seen to play a key role in your organisation’s data protection governance structure and to help improve accountability.”

Who can be your DPO?

Many people underestimate the importance of the DPO role and the extensive duties and responsibilities that go with the role.

The GDPR states that the DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39” (see below re tasks of the DPO).

Organisations can appoint a member of staff as their DPO provided they meet the criteria and importantly, provided there is no conflict with their other duties. For example, employees who decide or have influence over the means or manner of processing of personal data cannot be appointed as DPO.

Internal or Outsourced?

Many companies choose to outsource their DPO to ensure independence and to ensure that they are getting the right level of expertise and experience. Often the role will be part-time and partly conducted remotely, but DPOs must have direct access to senior management and must gain a full understanding of the company’s processing activities, and this is unlikely to be possible without visiting the company’s premises and engaging with employees. Article 38 for example states that “The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.” Data Protection Officers should also provide or ensure training for all staff involved in processing activities.

Finally, a few FAQs

What happens after Brexit? Does it dilute the requirement for a Data Protection Officer?

No, the rules will remain the same after the Brexit process is completed as the GDPR will be incorporated into UK law (with some minor changes) under the European Union (Withdrawal) Act 2018.

Can we have more than one DPO?

No, an organisation can only have one named Data Protection Officer, though of course you can have other data protection staff to support the DPO.

Can someone be DPO for more than one organisation?

Yes, a DPO can work for more than one organisation and this will often be the case with outsourced DPOs. Obviously a DPO has a duty of confidentiality and this should be included in any contract with your DPO.

Can we outsource our DPO?

Yes, you can, and in many ways this is a good way to demonstrate independence and avoid any conflict of interest. However, a DPO can be an existing member of staff so long as they have the right level of expertise and are not involved in making decisions concerning the processing of personal data. If you are thinking of appointing a DPO please contact us for an initial chat. 07887 524507 or [email protected]

Is it the responsibility of the DPO to make sure we are compliant with the legislation?

No, the organisation (whether you are a controller or a processor) is responsible for ensuring you are compliant, although clearly the DPO will be highly involved in helping you become and remain compliant.

For reference, the relevant Articles in the GDPR are given below:

Article 38

Position of the data protection officer

  1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
  2. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
  3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
  4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
  5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
  6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Article 39

Tasks of the data protection officer

  1. The data protection officer shall have at least the following tasks:

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

(d) to cooperate with the supervisory authority;

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

  2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

What do I mean and why is it important?

Here I’m talking about creating a situation where all parties feel that they have gained something. Then everyone feels that it is beneficial. They are much more likely to abide by it, work with it and promote it. It’s much more durable.

People talk about creating a WIN-WIN situation but I would argue that you need to aim for the WIN-WIN-WIN. Why? Actually, there is often a 3rd party. Where or who? Imagine that a manager and an employee agree on a course of action that is mutually beneficial to them, but works to the detriment of the company that employs them. Or an adviser refers in another company to provide a service because they will make a fat commission, but that is not in the interests of the end client.

So I always look for the WIN-WIN-WIN in any situation.

Let's look at some examples in the commercial sphere. A client asks you to do something, you provide the service, they pay you.  That’s a WIN-WIN. How could you turn that into a WIN-WIN-WIN?

  1. Perhaps by making it a win for your company, not just in that transaction. You could make sure you learn from what you did, make templates, improve your process, document it, so that next time you could do it better and more swiftly, perhaps for the same or an enhanced charge, thereby improving profit. You could see if you could package the service. A huge one that solicitors and other professional service firms miss is to ask the happy client to recommend you AND to tell them about other services you offer, or to listen carefully when they are talking for triggers for other things you could help with.
  2. Perhaps the client asks for services you don’t supply. Do you turn them away? Or do you spend just a little time listening to them and then in looking for someone you can recommend to them to provide that service? If the client is asking you, they are offering you the opportunity to create a WIN WIN WIN. Here you are creating goodwill with the client, strengthening the relationship with the people to whom you refer them and indeed there may well be a reward flowing back (it might be monetary or some other method).

A WIN-WIN-WIN will apply to areas of life other than commercial transactions. Take, for example, the workplace. It is hugely applicable in Change Management. If you can get the people whom you want to change to believe that it is in their interest to change, so that they want to do so, you have a classic WIN-WIN-WIN: it benefits the manager trying to implement the change, the employee who feels better with it and works with it, and the company that needs the change implemented. In Finance/Accounts, if you get to know your client and spend just a bit of time with them, that will help the relationship, which can make the transactions work better for you, for them and also for your employer, who might then get swifter payment etc.

Maybe you can also apply this to your children, friends etc. It is what a Mediator will seek to achieve in mediation. Then all sides find a deal they can live with – rather than having one imposed by the courts. It applies to international relations – you’ve got to give the losing side something so that they can save face. It applies to negotiations.

So – go and look for your WIN-WIN-WIN and see what you can find!

The MoJ has published a series of documents for the Legal Profession with advice and guidance for when we leave the EU on 1st January 2021. For ease of reference we have published the links to them below. A lot of important issues. 

Some require urgent action - such as if you are an EU qualified lawyer who owns a UK law firm. It seems to indicate that you will have to requalify!

Legal Services Business Owners:

https://www.gov.uk/government/publications/legal-services-business-owners-from-1-january-2021/legal-services-business-owners-after-1-january-2021

General Guidance here for lawyers:

https://www.gov.uk/government/collections/changes-to-legal-practice-from-1-january-2021-guidance-for-legal-professionals?utm_source=9b45471f-cd7c-4e3c-8d84-5edb73b4e98d&utm_medium=email&utm_campaign=govuk-notifications&utm_content=daily

Cross-Border Civil & Commercial Cases:

https://www.gov.uk/government/publications/cross-border-civil-and-commercial-legal-cases-guidance-for-legal-professionals-from-1-january-2021/cross-border-civil-and-commercial-legal-cases-guidance-for-legal-professionals-from-1-january-2021

Divorces involving the EU:

https://www.gov.uk/government/publications/divorces-involving-eu-from-1-january-2021/divorces-involving-eu-from-1-january-2021

Maintenance Cases involving the EU:

https://www.gov.uk/government/publications/maintenance-cases-involving-eu-from-1-january-2021/maintenance-cases-involving-eu-from-1-january-2021

Parental Responsibility involving the EU:

https://www.gov.uk/government/publications/parental-responsibility-involving-eu-from-1-january-2021/parental-responsibility-involving-eu-from-1-january-2021

Family Law Disputes in general:

https://www.gov.uk/government/publications/family-law-disputes-involving-the-eu-guidance-for-legal-professionals-from-1-january-2021/family-law-disputes-involving-the-eu-guidance-for-legal-professionals-from-1-january-2021

From 2nd November 2020 it will be compulsory for solicitors applying for Probate to use the on-line portal. At present only about a third of such applications are made through the portal - so this will be a big change for the profession. Here's a link to the Statutory Instrument if you are interested: https://www.legislation.gov.uk/uksi/2020/1059/pdfs/uksi_20201059_en.pdf

SRA Guidance: Taking money for your firm's costs

It is very helpful for the SRA to publish this. Of course it may be viewed on their website, but for ease of reference we have reproduced it here as well.

Published: 14 September 2020

Status

This guidance is to help you understand your obligations and how to comply with them. We may have regard to it when exercising our regulatory functions.

Who is this guidance for?

This guidance is for all SRA-authorised firms and individuals that receive money and assets from clients and third parties and use that money to pay fees and disbursements.

Reporting accountants will also want to consider this guidance when assessing whether a firm has put a client’s money at risk.

Purpose of this guidance

This guidance is to help you understand what we expect when you are:

  • receiving money for your costs
  • transferring money for your costs from your firm’s client account
  • reimbursing your firm for money spent on behalf of the client

and how obligations set out in the SRA Accounts Rules (the Accounts Rules) must be read in light of your wider obligations set out in the SRA principles and codes of conduct.

The SRA’s Standards and Regulations

Consumer confidence in the legal services market is underpinned by an expectation that all money and assets that has been entrusted to a law firm or an individual we regulate will be properly safeguarded.

This obligation is reflected in paragraph 5.2 of the Code of Conduct for Firms and equivalent provisions in paragraph 4.2 of the Code of Conduct for solicitors, RELs and RFLs.

You must also act in accordance with our principles. These and our codes of conduct are underpinned by our Enforcement Strategy, which explains in more detail our approach to taking regulatory action in the public interest. The following principles are most relevant to this guidance:

Principle 2: You act in a way that upholds public trust and confidence in the solicitors' profession and in legal services provided by authorised persons.

Principle 4: You act with honesty.

Principle 5: You act with integrity.

Principle 7: You must act in the best interests of each client.

You are expected to be open and transparent in your dealings with the client or third party who has entrusted you with their money.

We expect firms to make sure that clients receive the best possible information about how their money will be used or is being used during the course of a matter. The codes of conduct makes it clear that you must give clients information in a way they can understand so that they can make informed decisions about the services they need, how their matter will be handled and the options available to them (paragraph 8.6 of the Code of Conduct for solicitors, RELs and RFLs and paragraph 7.1 of the Code of Conduct for Firms).

Paragraph 2.1 of the Code of Conduct for Firms sets out that you should have effective governance structures, arrangements, systems and controls in place that ensure compliance with all of the SRA's regulatory arrangements. We therefore expect you to have in place systems and procedures which help achieve the objective of safeguarding money and assets entrusted to you. These obligations apply regardless of the size and makeup of your firm. The effective controls and procedures a firm has in place should act as an assurance for consumers and give them confidence that money that they have entrusted to you will be kept safe.

In many firms those responsible for compliance with the Accounts Rules might sit in a finance team that focuses solely on compliance with the Accounts Rules. All those in a firm that are responsible for dealing with money and assets entrusted to a firm must understand their wider obligations as set out in the Principles and the codes of conduct as well as ensuring compliance with the Accounts Rules.

General: receiving money from clients

Firms can receive money in advance from clients and third parties for a range of reasons.

For example:

  • for their legal fees, based on an estimate of their likely costs or as a fixed fee
  • for unpaid disbursements, such as Counsel’s or expert’s fees, or
  • in relation to the transaction on which the firm is acting for a client, such as money for the deposit on a house purchase to enable contracts to be exchanged.

All of these types of money are client money (as defined in the Accounts Rules) and need to be held in a client account (subject to some exceptions - see rule 2.2 and 2.3 of the Accounts Rules). The money must be kept separate from the firm’s own money which will be held in its own business account (rule 4.1).

In the majority of transactions, firms send a bill of their costs to the client after completion of the matter on which they are instructed or as an interim bill, if the matter is likely to be a lengthy one. When payment in settlement of that bill is received, the firm can properly pay that money into the firm’s business account. As our codes make clear, prior to the delivery of any such bill we expect the firm to have informed its client about how their matter will be priced and, both at the time of engagement and when appropriate as their matter progresses, the likely overall cost of the matter. The bill should not come as a surprise to the client.

In some cases, however, firms may request payment of their costs in advance of work being done. It is acknowledged that cash flow issues are a common challenge which many firms have to deal with on a daily basis. Requesting or billing for costs in advance is permissible under our Accounts Rules, provided the firm is always acting in accordance with our Standards and Regulations and in particular safeguarding money that it has been entrusted with.

We set out below the factors that you should bear in mind when requesting payment for costs in advance and dealing with such payments subsequently.

Billing in advance for costs

A firm might wish to consider sending a bill to a client for their anticipated fees and disbursements – i.e. not limited to incurred costs – with a view to paying the money received in payment of that bill into the firm’s business account (see rule 2.1 (d) of the Accounts Rules).

Our Accounts Rules provide a degree of flexibility on this issue to enable firms to consider the most effective way to deal with their client’s matter and how to run their business. Such flexibility, however, has to be operated in the context of the wider obligations set out in our Standards and Regulations and as set out above.

There are clear risks to your client if you bill for, and then pay into your firm’s business account, money for legal work that you have not yet done or for disbursements that have not yet been incurred.

These risks include, for example, if:

  • The client decides to terminate their retainer with you and asks you to repay the money they have paid you. Can you pay it back immediately?
  • The matter on which you are instructed does not proceed, for example the other side pulls out of a transaction. Can you pay back the money you have received immediately?
  • Your firm suddenly has to close due to incapacity or the death of the sole practitioner. Will those dealing with that closure be able to immediately repay the client?
  • Your firm becomes subject to an insolvency event, and the client’s money is absorbed into the insolvent’s estate as it is not held in a ringfenced client account. How will the client be able to progress their matter or pay any disbursements due if they have already paid in advance for these and the insolvency practitioner refuses to repay the client’s money because it is held in the firm’s business account?

You have an ongoing duty to safeguard money and assets that have been entrusted to you and not prefer your own interests, for example in maintaining cashflow, over those of your clients. The obligation to safeguard money entrusted to you is not limited to only that money which is held in a client account.

You will need to think very carefully about the reasons why you are billing for these sums in advance and the risks to your client in your paying these monies into your firm’s business account. It is important to remember that the sending of a bill in these circumstances does not mean that this money is no longer a client’s money, or that it does not need to be safeguarded because it does not sit in a client account.

In all cases, you will therefore need to think carefully about whether your broader obligations properly allow you to bill for such payments and receive money into your business account.

We would not expect firms to bill for advance disbursements that the client will remain liable to pay for such as Stamp Duty Land Tax, and to receive such money into the firm’s business account. In our view, this would be improper and a breach of our Standards and Regulations. Until the disbursement is paid the client remains liable for it, and this may be for a significant sum. Therefore, any risk to your firm’s business account could result in the transaction failing or the client having to pay twice. Billing to receive money in these circumstances is likely to fail to meet obligations to act in the best interests of your client, safeguard their money or possibly act with integrity.

In all cases where you may be considering billing for such advance payments, you will therefore need to think carefully about whether your broader obligations properly allow you to do this.

If you do consider it is proper, you will need to make sure that your client is fully informed of the risks around their money being received into your firm’s business account. How you explain the risks to clients may depend on the nature of your client and any vulnerability they may have.

Knowing these risks, your client might only be prepared to pay a bill sent for work that has been done and disbursements for which you are liable and have been incurred by you.

You will also need to consider the VAT implications of having money in your business account if you have not yet rendered any services to your client.

Your Reporting Accountant is also likely to qualify their report if their view is that money belonging to your client is, has been or may be, placed at risk.

Transferring money for your costs

It is usual for firms to ask for money on account of their costs from a client, based on an estimate of those costs but where no bill has been delivered. This money has to be paid promptly into a client account as set out in rule 2.3 of the Accounts Rules.

Rule 4.3(a) sets out that when a firm is holding client money and the firm wants to use that money to pay the firm’s costs then the firm:

…must give a bill of costs, or other written notification of the costs incurred, to the client or the paying party…

If you want to move money for your costs into your firm’s business account, you will need to comply with rule 4.3(a). This is intended to provide a safeguard to the client or paying party.

We would expect you to make sure that the bill sets out only those fees and disbursements that have been incurred. Where the bill does include anticipated disbursements which have not yet been incurred, you will not be considered to be in breach of rule 4.3 by leaving the money associated with those billed anticipated disbursements in the client bank account until such time as they are paid.

As discussed above, there are risks to your client if you bill for legal work that you have not yet done or for disbursements that have not yet been incurred and as a result, you take the client’s money into your firm’s business account. You will need to bear in mind the risks and factors mentioned above.

Your Reporting Accountant may qualify their report if they think these risks are serious or not justified by the circumstances of the case.

Reimbursements for money spent on behalf of the client

Some firms have asked us whether they need to deliver a bill or written notification of costs incurred if they are looking to move money from the client account to reimburse themselves for disbursements which have already been paid on behalf of the client, for example where the firm has paid for a Land Registry search or court fee using their own money (often by a direct debit from the firm’s business account).

Rule 5.1(a) of the Accounts Rules allows money for paid disbursements to be transferred from the firm’s client account to the business account as the money is being used for the purpose for which it is being held.

We would expect you to explain to your client how and when payments might be made on their behalf from your business account and that you will then be seeking a reimbursement from the client account in accordance with Rule 5. You could do this in your client care letter, terms of engagement or in other communication with your client.

Providing your client understands how their money will be used and has confirmed their instructions, we see no risks to the client in your reimbursing your firm for payments you have already made.

This is different to the scenario where disbursements have not yet been incurred or have not been paid by your firm.

Related documents

See our guidance on Planning for and completing an accountant's report.

Further help

If you require any further assistance, please contact the Professional Ethics helpline: https://www.sra.org.uk/home/contact-us

This arises out of a discussion with the ILFM.

Unfortunately, it’s not straightforward to draw up a list of what is and what isn’t a material breach. Our view is that materiality can be very subjective and often left to interpretation.

To assist practices, they suggest you ask yourself the following questions in order to quantify whether a breach is material or not:

  • Was the breach an isolated incident?
  • How severe is the problem?
  • Was the breach an innocent mistake?
  • Was it discovered promptly and without delay?
  • Was there any loss to the client?
  • Can you still say that you are being open with your regulator if you keep this information to yourself?

If you are satisfied with your answers to all of the above questions, then it is likely to be viewed as a minor breach.

Some examples of what might lead to a qualified report:

  • A significant and/or unreplaced shortfall (including client debit balances or business credit balances) on client account, including client money held elsewhere, for example a client's own account, unless caused by bank error and rectified promptly.
  • Evidence of any disregard for the safety of client money and assets.
  • Actual or suspected fraud or dishonesty by the managers or employees of the firm (that may impact upon the safety of money belonging to clients or third parties).
  • Accounting records not available or significantly deficient or bank accounts/ledgers failing to include reference to a client (rule 8.1, 8.2 and 8.3).
  • A failure to provide documentation requested by the reporting accountant (rule 12.8).
  • Client account bank reconciliations not carried out.
  • The client account is improperly used as a banking facility (rule 3.3).
  • Any other significant breaches not already reported to the SRA in accordance with the obligations placed on firms and their compliance officers under the SRA Code of Conduct for Firms.

We provide a remote monthly COFA & COLP Review service to several firms. Whilst we cannot be the Compliance Officers, we can help by doing some of the spadework for them, providing a report for the COFA & COLP and highlighting issues that they should address. https://hunningsconsultancy.co.uk/colfa-colp-assistance/
