Under the SRA Accounts Rules introduced on 25 November 2019, law firms are allowed to use third-party managed accounts (TPMAs) as an alternative to using client account. According to an article published in the Law Society Gazette exactly one year later, only around 60 of the 10,000 law firms in England and Wales have started to use TPMAs.
We have all heard the headlines: an unsuspecting head of accounts authorises a large payment out of client account, only to discover that the money never arrived at its intended destination but instead ended up in the hands of fraudsters.
According to the SRA’s Risk Outlook published in July 2017, £11m was stolen from law firms’ client accounts in 2017. The Financial Times reported in March 2016 that law firms lost £85m to cybercriminals in an 18 month period. As a part of its Cyber Security Thematic Review published in September 2020, the SRA selected a sample of 40 law firms who reported that either they or their clients had been targeted by cybercriminals. 23 of the firms who were targeted lost £4m, with £400,000 paid directly by the firms and the remaining £3.6m paid by their insurers.
It is obvious then why the SRA wishes to take steps to protect the public and keep client money safe and this was the focus of the new SRA Accounts Rules. TPMAs are seen by the SRA as a tool for increasing the level of protection for clients, but are there any potential downsides for law firms and their clients?
What are the advantages of TPMAs?
The potential benefits for law firms and their clients have been suggested to include:
- reduced risk of cybercrime and money laundering – particularly where the TPMA carries out its own (possibly more stringent) identification checks and has robust processes in place for making payments;
- the law firm does not have to file an accountant’s report or pay the law firm contribution to the SRA Compensation Fund if they do not hold client money;
- money held by an FCA regulated TPMA does not fall within the definition of client money under the SRA Accounts Rules; and
- potential reductions in the firm’s professional indemnity insurance (PII) premium as a result of a reduction to its risk profile and fewer claims.
When can you use a TPMA?
According to the SRA’s November 2019 Guidance on TPMAs, law firms may enter into an arrangement with a client to use a TPMA in respect of services they deliver to the client, but only if they take “reasonable steps” to ensure that the client understands the arrangement including:
- how their money will be held and how the transaction will work;
- their right to terminate the agreement and dispute any payments made by the law firm;
- who will be responsible for the fees for using the TPMA;
- that the TPMA is FCA regulated and any complaints about the TPMA should be dealt with under the provider’s complaints procedure; and
- the regulatory protections available to those using TPMAs and how these differ from the protections for client money held in a law firm’s client account (paragraph 8.11 of the SRA Code of Conduct for Solicitors).
From a contractual perspective, the client will usually sit within a triangular relationship with separate terms governing the relationship between the client and the law firm, the client and the TPMA, and the law firm and the TPMA. This will need to be explained to the client under SRA Accounts Rule 11.1(b)(i). It is probably more easily understood by way of a diagram. This raises the question, though: is there a risk that the nuances of the contractual, regulatory and insurance nexus may be too complicated for the client (even a relatively sophisticated one) to fully appreciate when deciding whether to use a TPMA?
Who is responsible if the worst should happen?
Under the SRA minimum terms and conditions of professional indemnity insurance (MTCs) the definition of a “Claim” includes any obligation to remedy a breach of the SRA Accounts Rules. The mere fact of paying client money to the wrong account will represent a breach under the SRA Accounts Rules, irrespective of fault or the firm’s intention. It also triggers an obligation under Rule 6 of the SRA Accounts Rules to “promptly” replace the misdirected funds upon discovery of the mistake or fraud.
Let us assume a law firm is targeted by fraudsters with the result that it ends up paying its client’s money from client account into a fraudster’s account, with the money lost forever. If there is no suggestion that either the client or the law firm was complicit in the fraud, then the law firm’s PII will promptly replace (subject to any excess) the misdirected funds to ensure the law firm complies with its obligations under Rule 6 of the SRA Accounts Rules. The Law Society Guidance to solicitors suggests that insurers should confirm cover and reinstate the funds within two days.
How would the situation differ though if a TPMA had been used? TPMAs must comply with the Payment Services Regulations 2017 (PSRs), which implement the revised Payment Services Directive 2015. Within the PSRs there is a requirement for TPMAs to refund an “unauthorised payment” no later than the next business day after becoming aware of it.
What about where a payment has been made following an instruction given to the TPMA by the client (or an authorised law firm on their behalf) where those instructing the TPMA have been duped by fraudsters? Where the TPMA acts on those instructions and makes a payment out to the fraudsters, it is unclear if any liability will attach to the TPMA under the PSRs.
The PSRs state that where a client denies having authorised an executed payment it is for the TPMA to prove the payment was authenticated. TPMAs will presumably seek to demonstrate this by showing that the payment instruction was received by a user who logged on in the normal way. They can then potentially argue that no refund should be given because they were acting on instructions received in the proper way.
What if there is a rogue employee working at the law firm who provides the firm’s TPMA login details to a fraudster, who then logs in and gives what will inevitably be a fraudulent instruction? The PSRs say that where the client (and presumably the law firm) deny authorising the payment, the use of the login details is not in itself necessarily sufficient to prove the payment was authorised. This will probably give the client some reassurance in the event the login details were lost or stolen. However, the position is unclear as to whether the TPMA will be liable to the client under the PSRs, and required to hold them harmless, where the login details are given away by a rogue employee of the law firm. On one reading of the PSRs they will not be liable.
One can envisage a scenario where the TPMA, the law firm and the client end up in a dispute about who is liable for the transfer of funds to an incorrect recipient i.e. to a fraudster. The answer may also depend on the scope of the services the TPMA was being asked to provide. Was the TPMA only instructed to provide payment services and associated anti-money laundering (AML) checks, or were they also instructed to provide enhanced compliance support to be relied upon by the law firm?
In such a scenario, the client is unlikely to care who is ultimately liable and will understandably only be interested in getting their money back as soon as possible. The loss of funds, and a delay in their replacement whilst liability and apportionment issues are resolved between the law firm and the TPMA, could have catastrophic consequences for the client.
TPMAs v client account – some concluding thoughts
Law firms will need to be confident that the use of a TPMA will benefit their client. Assuming they offer the use of either a TPMA or their own client account, law firms will need to exercise caution when explaining the options to the client and the pros and cons of each. There are some obvious benefits to clients and law firms of using TPMAs. However, there are potential downsides if the contractual, regulatory and insurance protections in place where a TPMA is used do not match or better those provided by an SRA regulated law firm with MTC compliant PII in place.
As well as regulatory obligations, law firms also owe contractual, tortious and fiduciary duties to clients. Law firms should therefore consider how far they need to explain to clients that, by using the TPMA for payments (and possibly for AML and customer due diligence services too) instead of the law firm’s client account and in-house compliance function, the firm may stand to benefit from various cost savings, including a potential saving in its professional indemnity insurance premium, and why that is so.
In the absence of such an explanation, one can foresee situations where clients later complain (if their money is lost) that, had they fully understood all of the implications, they would have chosen for the funds to go through the law firm’s client account, or would have instructed a different law firm if the option of using a client account was not offered. In such circumstances, law firms (and their insurers) could still end up facing claims relating to cybercrime and misdirection of funds, as well as for losses flowing from delays in the replacement of those funds.
That said, there is a bigger picture here. If instances of fraud are reduced, that has to be a good thing for everyone concerned: clients, law firms and insurers. If TPMAs, law firms and their respective regulators and insurers can ensure that, should the worst ever happen, clients receive the same level of protection as those who instruct law firms and use client account in the traditional way, then TPMAs are more likely to be embraced by all.