Arguably, the model by which we manage legal risk in Financial Institutions is no longer fit for purpose.

The current model assumes that regulatory change can be accommodated “off the side of the desk” of the legal department using outsourced project teams to do the bulk of the work.  This model may not only be inappropriate in the current deluge of regulation and business generated data, it may actually introduce further risk.

As firms grow and change, they amass an enormous quantity and variety of contracts.  These contracts, coupled with regulations, form an array of legal obligations, which the firm attempts to track. The numbers surrounding regulation and legal data are astronomic:

  • Spending on regulatory compliance is now around 200 to 300 billion US dollars[i]
  • Hundreds of acts are promulgated in the EU alone every year[ii]
  • There are an estimated 50 million words in the UK statute book, with 100,000 words added or changed every month[iii]
  • 250  number of regulatory alerts issued daily  by over 900 regulators globally

And, when firms get into litigation, the figures boggle the mind:

“We’re now working on a case more than twice that size, with 65m [documents], and there’s one on the way with over 100m. It’s impossible to investigate cases like ours without technology.”[iv]

It is not all about the numbers either.  Each piece of new legislation, i.e. new law, is linked somehow with a number of existing laws so it is not just a matter of treating each one in isolation.[v]

In addition, there are self-made “laws” in the shape of legal agreements (contracts) which set out the respective obligations agreed between the parties entering into the agreement.  Both types of law need to be mapped and tracked throughout the contract lifecycle.  Data on this flow management is difficult to come by as many firms do not (or are not able to) collect management information about legal activity.

 

MANAGING LEGAL RISK IS A HUGE UNDERTAKING

Lawyers are working ever harder both in-house and in law firms than ever before.[vi]

It is difficult to generalise about the way in-house legal departments[vii] within financial services firms are run but two general themes are discernible.  General Counsel (GCs) are expected to run their departments aligned to business strategies with budgets provided by the Business[viii]; and, they are expected to manage regulatory and legal risk.

Managing Legal Risk for a large Financial Institution is huge undertaking. Ensuring that a firm tracks emerging regulation, operationalises compliance with new law, educates the workforce (and its clients) on compliance, agrees with its clients in writing how their relationship needs to change in response to new law, ensures that daily business activities are structured to be compliant and are recorded accurately in writing – all this is the management of regulatory and legal risk[ix].

There is no standard definition of legal risk, but can be defined as ‘the risk of loss to an institution that is primarily caused by’:[x]

  1. a defective transaction;
  2. a claim (including a defence to a claim or counterclaim) being made or some other event occurring that results in a liability for the institution or other loss (for example as a result of the termination of the contract);
  3. failing to take appropriate measures to protect assets (for example intellectual property) owned by the institution;
  4. a change in law.

The repercussions for failure to manage legal risk are many and varied.  One of the tools used by the regulators is to “name and shame” non-compliant firms.  Not only does a firm receive a fine but it is also publicly named in the Final Report[xi] and in the press as having failed to comply with the relevant regulation.

This has a direct impact on a firm’s reputation (hence the term “reputational risk”) – current and prospective clients will ask awkward questions or even leave the firm; the firm may lose credibility in the marketplace; the balance sheet and profitability will be impacted.  It also has an adverse impact on a firm’s ability to attract and retain staff.  Employees may ask awkward questions (in some cases whistle blow), leave the firm, or occasionally be able to claim compensation.

All this is in addition to whatever fine is levied which will have balance sheet and prudential management implications.  The firm may need to hold additional capital against the risk of future failure.  And the regulators, globally, will now be acutely aware of a firm’s failings and will be more watchful.

All four of these pillars of legal risk could potentially be in play in each regulatory change project, i.e. when a new law is introduced or an existing law has changed, because with every regulatory change there is always a document change. This means that as regulation evolves, and contracts continue to be developed, there are a myriad of obligations to manage and analyse.

Each regulatory change project, which is conducted in addition to a lawyer’s usual (BAU) duties, produces a plethora of new documents. Lawyers need to analyse each one to figure out how the introduction of new obligations impacts the old ones.  In addition, every new piece of legislation means more reading, more rethinking of business strategy, resulting in more paperwork.

 

IN-HOUSE LEGAL IS UNDER PRESSURE

Despite the scale and complexity of this task, as well as the negative consequences of getting it wrong, the legal department is generally regarded as a cost centre and may be underfunded.

The current model has the legal department in a more or less successful partnership with the Business providing advice on existing and new activities and projects, advising on existing law and new regulations, documenting the intent between the business and their counterparties, i.e. creating/updating legal agreements, negotiating those contracts, advising on strategy and execution when things go wrong.

The legal department is “paid” for its time by way of a budget provided by the business which covers the salaries of lawyers and support staff.  For more difficult matters, the advice of external counsel is sought – again paid for by the Business.

With budget constraints and cost cutting in firms, legal departments don’t have the staff numbers they used to. Like all other functions in-house legal departments are under pressure to cut costs and improve efficiency, transparency, user experience and access to data. Sometimes, more junior lawyers have been retained while seniors have been let go on the basis that external counsel can fill the gap.

If the Business increases its activity level or if there are a number of non-BAU projects then, clearly, these fewer resources are less likely to cope.  This results in slower service to the Business and, sometimes, increased costs as work needs to be outsourced.

The decrease in budget and lawyer numbers are likely to result in increased legal risk because:

  • Delays impact new business as Business may go ahead without legal documentation because they cannot afford to wait. When the deal is finally documented, the documentation may not accurately reflect what was agreed between the parties
  • Tired lawyers make poorer decisions
  • Institutional memory loss as staff leave and legal knowledge pertaining to the Business is lost
  • Increased opportunity costs as prioritisation means that urgent issues may be addressed while the important are left unaddressed[xii]
  • Legal tools which might alleviate some of the above are unavailable or poorly understood or unable to be used.

The result is an environment where legal functions spend the highest proportion of time (and budget) reacting to compliance breaches, misconduct, litigation and arbitration, rather than anticipating risk and prevention – leaving the legal department is unable to adequately support the business’ needs.

So, either the legal department needs more lawyers to keep up with demand or it needs to figure out how to use the lawyers it has more effectively so that they are not spending their time on low level, repetitive tasks which might more efficiently be done by a legal tool.

The model needs to change.

 

[i] KPMG RegTech – There’s a revolution coming puts the figure at $270bn – https://home.kpmg/content/dam/kpmg/uk/pdf/2018/09/regtech-revolution-coming.pdf

[ii] https://eur-lex.europa.eu/statistics/legislative-acts-statistics.html

[iii] https://gtr.ukri.org/projects?ref=AH%2FL010232%2F1

[iv] Ben Denison, Serious Fraud Office chief technology officer, https://www.ft.com/content/7a990f1a-d067-11e8-9a3c-5d5eac8f1ab4

[v] See, for example, John Sheridan’s visualisation of the interconnectedness of one piece of UK legislation (the Companies, Audit, Investigations and Community Enterprise Act 2004)

[vi] https://www.legalcheek.com/2018/11/revealed-law-firms-average-arrive-and-leave-the-office-times-2018-19/

[viii] Legal is perceived as a cost centre not a revenue generator.  The Business is a catch all term which refers to the revenue generating portions of a financial institution

[ix] Legal risk is a subset of operational risk under Basel II

[x] Cited in Legal risks and risks for lawyers, Herbert Smith Freehills and London School of Economics Regulatory Reform Forum, June 2013

[xi] The paper produced by the FCA setting out the details of the firm’s failings and the fine

[xii] President Eisenhower quoting a college president to the Second Assembly of the World Council of Churches: “This President said, “I have two kinds of problems, the urgent and the important. The urgent are not important, and the important are never urgent.””  https://www.presidency.ucsb.edu/documents/address-the-second-assembly-the-world-council-churches-evanston-illinois

 

legal functions spend the highest proportion of time (and budget) reacting… rather than anticipating risk and prevention

 

“We’re now working on a case … with 65m [documents], and there’s one on the way with over 100m. It’s impossible to investigate cases like ours without technology.”

 

Despite the scale and complexity of this task, as well as the negative consequences of getting it wrong, the legal department is generally regarded as a cost centre and may be underfunded.

 

either the legal department needs more lawyers to keep up with demand or it needs to figure out how to use the lawyers it has more effectively  

 

in-house legal departments are under pressure to cut costs and improve efficiency, transparency, user experience and access to data.