In a special episode of The Lawyers Weekly Show, a roundtable was assembled to discuss some of the findings, revealing why the concept of RegTech shows no signs of slowing down in the legal profession.
Here we share some of the discussion that took place in the roundtable, as well as some of the key findings uncovered in the report.
Pictured above: LEAP CEO Brendan Smart and InfoTrack CEO John Ahern.
AV: Aleks Vickovich, managing editor, Lawyers Weekly
JA: John Ahern, CEO, InfoTrack
BS: Brendan Smart, CEO, LEAP
JR: James Ryan, partner, Speirs Ryan
RM: Richard Mitry, co-founder and partner, Mitry Lawyers
AV: Welcome to this special episode of The Lawyers Weekly Show. This episode is brought to you by our friends at LEAP and InfoTrack.
Today we're going to be talking about regulation technology. We're going to be boiling down into exactly what that means and how it's being used in practices or, perhaps more pertinently, how it's not being used.
John, if I could start with you. We hear the term RegTech thrown around, particularly in start-up circles. This is a buzz term that's emerging. What does regulatory technology mean to you? Do you like the term?
JA: I like the term. I don't think it's an especially new term, but it's certainly a topical term at the moment. There's a lot of new regulation hitting the industry, especially with Tranche 2 [of anti-money laundering and counter-terrorism financing (AML/CTF) regulations] coming in, hopefully, at the end of this year to early next year.
RegTech is about using technology to satisfy regulatory requirements, specifically to know your clients, understand the risk and understand their source of funding.
AV: Brendan, what are some of the top compliance hurdles that you're hearing from your audience and from your market that they're using technology for?
BS: It's not so much hurdles. I personally think that the legal industry is behind the rest of [the market] when it comes to technology adoption, and RegTech for me is a good thing because it's actually going to force the adoption of more basic technology that should have been adopted a long time ago — things like VOI.
Obviously with Tranche 2 coming out that's really going to drive technology adoption across the board, I think.
AV: Richard and James, what are some of the ways that you're using this regulation technology? Is it something that you think is on the radar of your peers?
JR: We only do property, and for property lawyers, it's been forced upon us. They've put in the VOI, but also PEXA's the obvious elephant in the room when it comes to the requirement that you need to be an adopter of this technology, and it's changing everything. There's a lot of regulation that is still behind the curve and really that's all the old school statutory declaration forms from NSW — they're really creating quite a dichotomy in how you actually tackle it, even just with vanilla campaigns.
AV: What are you guys doing in your firm when it comes to this?
JR: We're embracing it wholeheartedly. After this, I've got a half-day PEXA training course, and we've got every staff member in our office doing that course over the next three weeks.
This is something that we have to get a grip on and we've actually been getting ahead of the curve for months already, but it is very obvious from dealing with other practitioners that there are a lot of practices that are still struggling with this.
AV: Richard, how is it playing out in your firm?
RM: We could separate it into the internal management and the administration of our firm, and the external face of our firm and knowing our client.
In relation to the internal management, we are completely reliant, and I can safely say that about technology, on regulation technology, looking at our trust accounts, and even cost agreements.
For lawyers, not only is there a business incentive to have cost agreements but it's a requirement with all clients to do so, and obviously it can be professional misconduct if you don't.
We now, thanks to our good friends at LEAP, are unable to work on a matter, thanks to something we've set up through the software there, unless it is shown that we have an executed cost agreement.
Now that helps us, as a firm that's growing quite quickly in terms of staff and managing that growth. Having that sort of technology internally to manage that sort of thing is incredibly helpful for us, and we're thriving on it. And as I said, rely on it.
Externally, it's slightly different. We do a lot of work for internationally-based clients who are investing in Australia. Tracing sources of funds and the rest of it is very difficult. I worked on a case some years ago where we had the opposite, where Australian individuals were sending a lot of money through remittance businesses overseas and Westpac Bank decided they would close down five and a half thousand of these accounts in one hit because of AML and CTR.
So, we're very mindful of using sources like InfoTrack and others to try and determine the source of funds and really [know] who our clients are overseas. Within Australia it's hard enough, but when you look abroad, when you're dealing with companies that aren't necessarily large institutions, you really do have to be careful, so RegTech is helpful for us.
AV: John, we've seen both of these principals really engage with the subject — they’re allocating business resources towards it. But do you think that's translating outside of this room to widespread usage? Do you think there's still a lot greater scope?
JA: I think there’s certainly greater scope. Richard is quite advanced in what he is doing. The regulatory requirements extend far beyond firms using electronic conveyancing. In every aspect of your business you need to understand your clients and you need to understand their source of funding. You also need to know who you’re dealing with and then you need to assess the risk of that client and the types of matters they’re engaged in, and then you need to reassess based on the risk level.
What I’m hearing from firms is that a lot of them have a process, but they don’t know if it’s fit for purpose. That process is very lightweight today. They might be scanning driver’s licences, throwing it in the filing cabinet and calling that a KYC process. What they’re really looking for is something that is written down precisely that answers: “What do I need to do to satisfy these regulatory requirements?”
Other firms are quite mature. They’re saying, “we’ve got a great practice management system that enables us to put processes, like Richard mentioned, in place.
"We've got online information sources where we can do AML and CTF checks on our clients where we're electronically recording information, VOI information, and we're using document verification services to ensure that the documentation that we're getting is actually correct."
So, there is a spectrum out there. What I would say though is that what we’re seeing is that most firms are in the early stages of knowing that they need to do something. They’ve got a process in place, it’s fairly lightweight, and they’re wondering what to do next.
AV: James mentioned his firm is a property specialist and they've got specific regulatory issues that they need to consider in parts of the law. Is that something that you're seeing as well? As various firms specialise in different practice areas they've got very different RegTech needs?
JA: Yeah, we get a lot of clients saying to us, “I just do property work that's fairly low-risk so I'm okay with my standard VOI process, it satisfies PEXA. That should be enough.”
I've spoken to other firms that say, “well actually, the property market is a very good target for money laundering”. You know, “I'll use legitimate money to buy a house, I'll use illegitimate money to renovate it, and then I will get legitimate money back into my bank account when I sell it”.
What we're seeing is, in the property space, people are grappling with exactly what it is they need to do. What I advise clients is that “it's not just about ticking a box to get over the line”. It's more than that — and using technology is a really smart approach because in the conveyancing world it’s competitive, clients aren't going to suddenly start paying you more money when they see requirements come in as part of Tranche 2. You have to use technology. You can't say “look, my conveyance is $700 or $1000, plus an extra $500 so that I can KYC you”. It just wouldn't fly.
AV: Does that resonate for you, James?
JR: Absolutely. It's been a really interesting process for us. We had a leadership meeting tackling just how we go about VOI, and this is one of many elements that are operating out there. We tried to actually knuckle down a firm policy that we could apply to all matters, but the conclusion we came to is that you really need to have a mix of options. Sometimes a client is not physically available. Other times, because they'll be part of a larger institution, the directors or signatories are a lot more resistant to actually lining up for a face-to-face meeting.
So, we've had to work through that and come up with a number of options. But technology plays a big role in that, and there are obviously a number of third-party providers and other functions out there.
AV: James, having been through that process it sounds like in some ways that's the whole point of experimentation, right? You go through, you try different things, and then you come to an assessment on what works for you, for your client base, and for your firm. Has that been quite a positive experience?
JR: Yeah. We worked through it quite practically. A key message that we really drive is that “this is an important consideration that has to be achieved. How you want to go about that? There are a few options open to you”. So, having regard to the client and the relationship and all those factors, we've sort of left a degree of discretion so that you can contact legal in-house counsel and effectively use in-house counsel as your agent. In other situations, we insist upon a face-to-face. It really depends.
AV: Brendan, when it comes to these verification issues, there’s so much tech out there. How would you advise practices around the country to make sense of it and work out what's right for them? What's some of the thinking they should go through when they want to embrace some of the technology but they're not quite sure how to go about it?
BS: I think the first step is getting on board, and we shouldn't undersell that fact. With a lot of our clients, until they've adopted technologies they'll sit back and watch, and it seems to be quite a common thing.
I often hear our clients go, “I don't need to [VOI], I've known Margaret for 30 years and she's not going to change”. Clients that I speak to then say, “well Margaret refers us people and Margaret's family, and they don't bother to VOI them either”. I think that's a real challenge.
AV: Is regulation a challenge as well?
BS: Well, the [current] regulations leave VOI basically down to common sense. At the end of the day you don't have to use technology at the moment. If you sight the person and say this person is who they say they are, that's on you, and if it ever comes into question you've got to say that you've taken reasonable steps to verify the identity, but I do think that's going to change.
Do you VOI everyone using technology?
JR: It's a mix. It certainly is a large part of it, and in fact, one of the benefits that has become very obvious to us is actually the record-keeping element. If you do it electronically it's easily filed - it's attached to your file. And we've already had a PEXA audit. We were fine, but there'll be a lot of firms out there that wouldn't have had the records properly kept, and it certainly is a helpful tool for audit purposes.
JA: Yeah, that's right. What is clear is the storage. It's no longer good enough to just scan driver's licences and passports and leave them in filing cabinets. Now, we've heard from clients that have had filing cabinet contents stolen. Historically, that's one of the reasons behind the idea of building a VOI application.
If identity theft happened today you would need to let all of your clients know that their information has been stolen, and that's not a conversation you want to have.
AV: Richard, how are you approaching VOI?
RM: Very much in the same way, I think, as James. Sometimes it's very hard for us to do so, especially with foreign clients. The ability to, in certain parts of the world, do a proper VOI, at least at the level we do in Australia, is very restricted. We’ve had to go to the extent, in one instance, of engaging an investigator, to not bring up dirt on the client, but to bring up as much information so we could in fact verify where this money was coming from.
We're starting to more and more engage electronic VOI, and we simply have no choice [not to]. We're not as conveyancing heavy or property heavy, but it's still in relation to all of our clients: litigation, transactional or otherwise. We have to. We would have no choice.
AV: In terms of that technology, and your international client base, is it getting easier to do this in a cross-border way, or is it still very much sort of nation-by-nation approach?
RM: Not really. Certainly in places like the United States, yes, I think it's a lot easier because of the state of regulation over there, but there are some parts of the Middle East or south Asia, for example, that are in the dark ages. If I can say that respectfully, it's like what Australia might have been in the early 1900s. Hence the need to engage feet on the ground, physically.
AV: We've just done some bespoke research in partnership with both LEAP and InfoTrack on this topic of regulatory compliance technology and how it's been used in practices.
In terms of the numbers on verification and whether that is a really important part of the onboarding process for clients, it's around 60/40 — about 60 per cent are on board the onboarding process and around 40 per cent still need to see the benefits that both of our principals are clearly outlining here.
A topic that we're not seeing as much good news on is actually risk assessment. Our survey asked respondents how frequently they conduct a risk assessment of their practice and just over 10 to 15 per cent said weekly.
JA: I'm sure that would be global. Larger accounts would conduct weekly assessments. I can't see a firm with under 25 employees conducting weekly risk assessments.
AV: Absolutely. That's why it's a small number there.
BS: It depends how you define risk assessment because I'm sure a number of those boutique firms go right to their partners once a week and go, “Any problems coming up?” Risk assessment done. And the [others] would go “well I'm responsible for the business and I don't see any risks in the next week. Therefore, I have done a risk assessment”.
AV: So, it really depends on your definition.
BS: That's right.
AV: But, of course, the regulators don't think that way, do they? They don't believe in subjective definitions, as we know.
Perhaps most shockingly ... to me anyway, maybe not to you that work in the field every day, but that we had respondents say that they've never conducted a risk assessment, which I think is a good piece of research in that it shows that they answered honestly and probably that they're looking for solutions. But did that surprise you, John?
JA: No, it didn't, and Brendan made a good point there. I think a lot of the firms I speak to are conducting a very lightweight risk assessment, if at all. You know, let's exclude the larger more mature firms, but a lot of the firms I speak to just don't. They ask us, “What do we need to do? Do we just appoint a risk officer and have a meeting every three months saying ‘Are there any risks in the business’. Do we need a policy? Or do we need to engage an accounting firm and pay them $50,000 and get an ISO 31000 compliant risk assessment done?”
So, there are a lot of clients out there saying “Well we don't know what to do. Right now we just do this, is that good enough?”
It is concerning that there are people who were saying they never do it, because Australia is fortunate. Looking at what's going on in the US, the UK and even New Zealand, with regulatory compliance coming in and around Tranche 2, we should be able to sit back and say, “I'm looking forward now, and I know what's coming. There's this problem coming, this train-smash is going to happen if I don't do something about it right now. I'd better get ahead of this” ... and yet, one-third of the clients out there are saying “well, we'll wait”.
AV: To be frank, they could be exposing their business and potentially their clients to harm if they're not doing it. It's really coming through this issue of subjective approaches to all these sorts of policies. Brendan, what does a good risk assessment look like to you? Does it really depend on the firm?
BS: It certainly depends on the firm and the resources, as John mentioned, available to that firm. I think we'll start to see more and more frameworks eventuated within the industry. But I guess you've got to adopt what is more useful to your firm at the time, and I always hear lawyers say to me, “I'm in the business of law. I'm not in the business of technology, and I'm not in the business of risk assessment. I practise law, and I don't have time for this”.
But that is starting to change, and I think the business of law is starting to change to incorporate all of this.
RM: Lawyers are, I think, quite susceptible to working in their business, not on their business. All lawyers have been through a stage where they've worked 16-plus hour days and have been so consumed in the day-to-day work that they're not really thinking about anything beyond the risks of a matter they might be working on at the time.
So, I think this statistic saying that a proportion of practitioners have not performed any risk assessments, whatsoever, doesn't surprise me at all. And I think it will require a real paradigm shift in the industry. Lawyers aren't necessarily technologically savvy. They don't really want anything to do with technology, especially lawyers that have been practising for quite some time, and I think coming into this will really require potentially some regulation forcing people to do things.
AV: James, one thing that we've spoken about in the past is the importance of retaining and recruiting good quality staff, particularly for boutique firms. Are you adopting some of these kinds of processes, in terms of risk assessment and VOI, for your staff onboarding?
JR: Yeah, absolutely. In our workplace, we've intentionally tried to keep it rather unstructured. We've got a really amazing team and we've really tried to encourage everyone to find a voice. There's a constant conversation going on in our office, and our approach to risk assessment is very much the same as innovation and all the firm-building ideals. We really encourage everyone to constantly think about the way they can do things better and also in the same way, if there is a risk to identify it.
We constantly have discussions about potential pitfalls, more efficient ways of doing things, different technologies that people have heard of ... And that's across the firm, it's not just the principals.
JA: Did you have to train them on that?
JR: Not via formal structured training, but we are constantly having group meetings, and when Robert or myself, or any other lawyer for that matter, identify an area of concern, we'll often have a group meeting all together to talk about how we can overcome it, how we can improve things, and it really has become a cultural characteristic.
We also, obviously, have weekly management meetings, and when people identify an issue we definitely jump on the front foot.
AV: I want to flip now to a topic that we’ve touched on several times and that’s around the client specifically. I spent some time in Silicon Valley last year and data is all anybody is talking about.
So, we asked about data in the research that we conducted and really interestingly this is where we saw the biggest split among our respondents. Just over 50 per cent of respondents say that they back up client data daily, but then the second highest result, making up almost a third of respondents, was, “I don’t know how often my client data is backed up”.
What are your thoughts on that Brendan?
BS: Well the component that said, “I don't know”, I interpret that slightly differently. I think that's a good thing. When I first started selling technology in this industry people were very mistrusting of the cloud, and it just became a thing: “where's my data kept? Who's going to hack my data?” etc. The fact that a lot of people don't know where their data is stored is a good thing because in my eyes it means people are starting to trust the cloud.
Technologies in the cloud and practice management systems in the cloud, they're dealing with it, they're encrypting it, they're backing it up, and that's how I interpret that question. So, I think that's actually a good sign. I could be wrong, but —
AV: Can you explain data storage a little bit?
BS: We get clients asking us the same question: “Where's my data held?” They're usually not asking you to point at the disc drive there. They're trying to say, “is it held in a public cloud, or is it held encrypted?” But really what they care about is: “is it held in Australia?” “What's your data privacy breach policy?” is very topical at the moment too.
So, what I would say is if you walked into a firm that was using on-premise software, their emails are probably stored on an email server or they are using the cloud, it won't be encrypted. There'll be no encryption, the network’s not encrypted. They're moving files around freely across their network, unencrypted.
AV: One of the other touch points that we found was that if we look more broadly at the culture of investing in technology and the culture of embracing innovation when it comes to this risk and regulatory compliance discussion, we found in the research that it was really practitioners that have been practising for more than a decade — 10 to 20 years — who were found to be by far the most risk-aware. It actually wasn't the ones who have grown up with Google and cryptocurrency.
What are your thoughts on that? Does that surprise you?
JR: It does actually, because lawyers are all over technology and different solutions. We've definitely taken a big interest in different software options and are always trying to find efficiencies. In terms of the practitioners that I've been dealing with, I'm not sure I have found a particular age bracket that is more or less interested, but it does surprise me that younger people wouldn't be more interested.
BS: Yeah, that'll change. Lawyers of 10 years plus have got used to their workload, they've got their work/life balance going, and they understand how to operate. They, I think, have got more time to adopt and obviously experience goes a long way.
They've seen colleagues fall foul of regulatory compliance issues, etc. But given our regulatory compliance climate at the moment, those younger solicitors coming out of university are predisposed to using technology. They’re what I call digital natives, but they're not going to start to learn all of this RegTech. It’s going to be injected into the syllabus, so they're going to come out not only being predisposed to technology but also it's going to be a prerequisite. It's going to be an absolute requirement of practising law.
So, I think you will see the more experienced continue in that same brand, but the younger lawyers will actually rise to meet them very soon, in three or four years.
AV: Also, I suppose, it's often the more experienced lawyers who hold the greater liability when it comes to the practice and the compliance element. Richard, you've been described throughout this discussion as holding a firm that has really embraced this stuff and is perhaps a bit more advanced with these issues. Any thoughts on how you would advise other principals out there to go about the process that you have?
RM: Looking in hindsight, my views have changed somewhat [since starting the firm] and I would have allocated more resources to this earlier on. Our firm's 10 years old this year.
A big firm’s confidential information is no more confidential than a small firm’s. And right now with data risk and what we've seen with major firms, in Australia and outside of Australia, having their data hacked — there's no reason why small firms’ data might not be hacked too.
If they're not investing in the cloud with much bigger providers who provide better security for them, they might not be investing at all. It's a real risk.
So, I think my advice would be get onto it. Embrace it as early and as quickly as you can, because it will get ahead of you if you're not careful, and you may be exposed.
JR: I think an important characteristic of a true boutique is that they perform on every measure to a large national firm but are more nimble and flexible. And we've certainly taken data security very seriously. We're entrusted as custodians of client data.
We've actually undertaken multiple upgrades the last 12 months. It's cost us a fortune, but we just deemed it so important that we needed to have full security and obviously compliance with the regulation.
JA: Say I was looking to hack a law firm to obtain information, be it identity information or financial information; you wouldn't target a tier 1 firm. You know that they've got dedicated information security professionals there; you would definitely target a smaller boutique firm.
And the smaller boutique firms, you are more nimble, so you know that you've got to realise that in the world we live in, it’s the smaller firms that will be targeted. But you can do something about it and that is just don’t store information insecurely.
Keep your IT up-to-date and frequently assess the risk and include those risk assessments to ask, “where do I store this data?”
AV: We've seen both of our principals here not only embrace this but actually identify that boutiques do potentially face higher risks. Both of our principals have also really identified that it's become a competitive advantage for them to invest in this and to have a meaningful process in place.
Brendan, is that something that encourages you?
BS: Absolutely. But as we sit here having this discussion, I can't help but think we've got two shining examples. Richard's a very good client of ours; he's been very quick to adopt technology. Obviously, James is the same.
I can't help but think we should have found someone to add to this who is absolutely anti-technology, because there are people out there right now going, “Whatever. I practised law for this long. I don't need to do anything”. And I still think there's a big segment there.
AV: Well our research indicates the same, and of course that's why we're having this discussion and we'll continue to have this discussion with principals around the country, but also with our partners at InfoTrack and LEAP.
This is a conversation that is going to only get more and more important as the regulation increases and also as the technology emerges as well.
Thank you all for joining us today.
The above is a condensed excerpt taken from an episode of The Lawyers Weekly Show.