Following a consultation process throughout the earlier part of the year, the Law Society has now unveiled the latest version of its flagship Lexcel standard.
Lexcel 6.1 is already optional at new and continuing assessments but it will be mandatory from November this year. As the title suggests, this is an interim updating version of the standard rather than the more radical overhaul of the standard which many had hoped for. In addition to the GDPR, the recent changes mostly address various areas of financial crime such as money laundering, facilitating tax evasion and sanctions controls. Other than this the requirements on accredited firms remain much the same.
The first of the major changes is to be found at section 3.1 which is a new provision dealing with the GDPR as it affects law firms. This provides that a data protection officer must be appointed if required by law, and if not (as will be the case with almost all law firms) such an appointment “should” be made. To reinforce this it is provided that any practice not appointing a DPO will be required to justify their decision and explain the “suitable alternative arrangements” that they have put into place.
Unfortunately, this new requirement seems to have been drafted with little understanding of this part of the GDPR. Anyone described as a DPO, whether they had to be appointed as such under Article 37 or have been designated as such on a voluntary basis, is then potentially liable for non-compliance with Articles 38-39, which set out the various legal obligations that then arise. Our advice on this point would therefore be to appoint someone in the firm as having responsibility for data protection compliance, but to describe them in terms other than a DPO and explain why this has been done at the next Lexcel assessment.
The other GDPR changes are more clear-cut:
- keeping appropriate records,
- dealing with breaches and data subject access requests, and
- conducting data protection impact assessments when required by law.
Training in data protection compliance remains a requirement (as was already the case) and notifying data subjects of their rights is added to the long list of issues to be confirmed to the client in the retainer process at section 6.2(m). On the other hand the section in Lexcel on outsourcing (5.2) has not been amended to take into account the important new requirements in relation to the instruction of data processors at Article 28 and the new obligations that all firms are now under, as data controllers, in relation to the use of outside agencies.
The other area of significant change is financial crime compliance in general, and the anti-money laundering regime in particular. Section 5.13 has seen various additions in relation to the “policies controls and procedures” required by rr.19 and 21 of the Money Laundering Regulations 2017, including the need for the appointment of a compliance officer as well as a reporting officer, employee screening and regular audits of the AML controls that are in place. The revised version of the standard still seems not to recognise that not all firms are subject in law to the regulations. A litigation-only practice will therefore have to comply with these obligations (unless a waiver is granted), even though the professional guidance contained in the Legal Sector Affinity Group AML Guidance recognises that the regulations do not apply to such a practice.
The new requirements in this area could be viewed as a rather clumsy “bolt-on” that has been made with little thought as to how it will actually be managed in practice. Why, for example, are the regulatory requirements for screening of employees dealt with here rather than in section 4 on People Management, and the internal audit of money laundering compliance here and not in section 5 where file reviews (5.11) and the risk assessment process (5.18) appear? As to the other new areas of financial crime, there is little more coverage than merely to require that policies to prevent the facilitation of tax evasion (5.16) and sanctions (5.17) should be adopted.
It is disappointing that other drafting problems that have been identified in recent years have not been addressed. Section 4.2, dealing with equality and diversity, includes an obligation to make reasonable adjustments but does not clarify this by limiting it to disabled people. Section 6.4.b continues to oblige firms to inform clients if they will receive a financial benefit “as a result of accepting instructions”, but this seems to confuse introducing work to others under chapter 6 of the Code of Conduct and paying for referrals from elsewhere under chapter 9. Section 5 on risk management is untidy at best by including a requirement for arrangements to be made when high risk instructions are accepted at 5.4 before the need to undertake risk assessments at all has appeared at 5.12.
All in all Lexcel does appear to have lost its way. Originally introduced as the “practice management standards” during the recession of the early 1990s, it remains quite deliberately a management standard first and foremost. Increasingly, however, it is compliance obligations that have become the more significant concern for most firms and the standard seems to have merely added new provisions in this regard as they have emerged in a rather piecemeal fashion. The most recent additions could be seen to oblige firms to comply with statutory or regulatory provisions that they are required to address by law in any event, in which case why not include the more detailed requirements of other legal responsibilities such as health and safety and not just data protection and money laundering? Why also omit altogether the main elements of the SRA Accounts Rules given their importance to practice in both regulatory and disciplinary terms?
Lexcel remains the obvious choice as a management badge for most firms and accreditation to the standard will still provide benefits – all the more disappointing, therefore, that a more thorough review of its purpose and contents has again been shelved.