The Law Society have introduced a new set of Core Practice Management Standards (CPMS) for their Conveyancing Quality Scheme – standards that go considerably further in terms of what it requires of those wishing to obtain and maintain the CQS mark than the previous CPMS.
Coming into effect on 1 May 2019 CQS Accredited solicitors will need to ensure they are compliant and can demonstrate compliance from that date onwards. The Law Society will be introducing a small number of on-site visits each year and increasing the number of desk-based assessments to ensure compliance. They are process of appointing an independent assessment body to carry out the on-site visits. Additionally, applications for initial accreditation received from 1 May 2019 onwards must also be able to address the new CPMS.
Many of the new requirements have been taken from Lexcel, so firms already accredited to that standard will not be unduly surprised by these new requirements. For others who have limited themselves to the CQS to support their conveyancing practice, however, there will be a good deal to do in the next two months and for these firms the 1st May is likely to prove to be a tight deadline to achieve all that is required.
Overview of the Changes
The changes are mostly in the form of increased responsibility upon firms to demonstrate what they do by way of written procedures and processes with many of the procedural requirements that previously existed being strengthened. Only in a very few cases have requirements been dropped.
Those who are members of Infolegal and have access to the Infolegal Solicitors Office Procedures Manual (which is available on the Infolegal Compliance Hub) will find that the manual has been updated to take account of the changes. Infolegal will also be putting together a revised checklist of where elements in the CPMS can be found in the Manual, and adding a factsheet giving an explanation of the changes. These will also be made available to all members via the Compliance Hub.
The main changes to note include:
- The addition of a requirement that firms put in place a policy in relation to SDLT which must include an audit trail, checks as to level of consideration and verification of the SDLT calculation.
- Being able to demonstrate compliance with the various requirements of the Money Laundering Regulations 2017.
- A ramping up of the requirements to be contained in the firm’s anti-property and mortgage fraud policy.
- The introduction of the need for policy in relation to the purchase of a leasehold property.
- Additional requirements in relation training to address various aspects of the CPMS.
- An expansion of the requirements in relation to risk assessment.
- The introduction of a new requirement for a documented procedure for reporting matters to lenders.
- Increased requirements in relation to the information communicated to clients.
- A requirement to have a procedure for ensuring the SREA’s price and service transparency requirements are met.
Other additional features taken from Lexcel include greater requirements for handling financial transactions and more detailed provisions dealing with risk management, client care, complaints handling and matter planning.
Additionally, the CPMS contains a whole new section dealing with information management. This essentially requires firms to have policies to manage personal data which take account of recent regulatory and legislative changes and provisions relating to cybersecurity which are taken from section 3.1 of the most recent version of Lexcel – v6.1 – in relation to compliance with data protection requirements in the light of the GDPR and the Data Protection Act 2018, along with the more detailed requirements that already formed part of the standard in relation to information security.
Again those not familiar with Lexcel v6.1 might find that the requirement for the appointment of a Data Protection Officer (DPO) whether or not they are obliged to do so a somewhat daunting one. However, the guidance notes to the CPMS do state that “If a voluntary appointment is not made, practices must document why they have not made such an appointment and the suitable alternative arrangements they have put into place.” This is a caveat virtually identical to that to be found in section 3.1 of Lexcel v6.1
Possibly even more controversial, however, is the suggestions that firms have an information management and security policy which is accredited against Cyber Essentials – a government scheme designed to help businesses deal with cyber security issues. It normally requires that a business be audited against a set of external criteria. Whilst the Law Society are not specifically requiring firms to have an external audit of their information management and cybersecurity provisions, they do require that firms undertake a “self-assessment” against the Cyber Essentials criteria to check that they are compliant.
Given the complexity of the Cyber Essentials requirements, this could mean that many firms feel obliged to pay external auditors to carry out the exercise for them. The CPMS also requires that firms employ firewalls, have secure configuration of network accounts, have procedures to detect and remove malicious software and train staff in cybersecurity issues.