Guest article by Charles Drayson *
Chatting to exhibitors and attendees at the LawTech Futures event earlier this year, it was surprising to find so few vendors familiar with the impact of the requirements mandated by the Solicitors Regulation Authority for law firms who outsource. Some of the attendees representing the IT function of law firms were also unaware of the specific requirements which their organisations should be meeting despite now being in the period when the SRA expects law firms to have assimilated the requirements. The SRA’s concept of outsourcing is wide, and the requirements are significant.
The SRA adopted ‘outcomes-focussed regulation’ in October 2011, resulting in a new Code of Conduct with ten mandatory ‘principles’, numerous required ‘outcomes’ and non-mandatory ‘indicative behaviours’. Outcome 7.10 refers specifically to outsourcing “legal activities or any operational functions which are critical to the delivery of any legal activities” and says that law firms must ensure that outsourcing:
(a) does not adversely affect your ability to comply with, or the SRA’s ability to monitor your compliance with, your obligations in the Handbook;
(b) is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions;
(c) does not alter your obligations towards your clients; and
(d) does not cause you to breach the conditions with which you must comply in order to be authorised and to remain so.
One suspects that many law firms will be quick to say that they have few, if any, arrangements which they would regard as outsourcing services critical to the delivery of any legal activities, and it would appear that many service providers do not perceive they provide such services. While there is no definition of ‘outsourcing’, the SRA has provided a non-exhaustive list of examples. Those examples include “IT functions which support the delivery of legal activities”. That would include most, if not all, of the services offered by exhibitors at LawTech Futures.
The SRA has provided guidance on the items to be considered before entering into an outsourcing arrangement:
• Is it in your client’s interests to outsource?
• Informing clients of your arrangements and the risks attached
• Obtaining clients consent and if necessary informed consent
• Billing appropriately
• Do not rubber stamp, take ownership of the outsourced work
Further guidance about undertaking risks assessments shows that this is no tick-box exercise. And, some of the requirements are specific and require proper scrutiny of the Code of Conduct if they are not to be missed. How many firms have, for example, ensured that the contract with their service provider includes provision to ensure that the arrangement allows the SRA and its agents to obtain information and inspect records (including electronic records) and enter third party premises in relation to outsourced services?
The author’s own experience (acting for IT service providers who have significant business in the legal sector) is that the application of the SRA outsourcing requirements is going to be particularly interesting in relation to cloud-based services, which for current purposes means just about anything not installed on-site at law firm premises. It remains to be seen whether service providers highlight their industry credentials by proactively anticipating law firms’ needs (terms of business, independent risk assessments etc) or whether law firms have to bludgeon service providers into compliance. When the SRA recovers from its own adventures with internet-based services, will it be sympathetic?
* Charles Drayson is a solicitor who specialises in IT law but has a particular interest in the use of IT in the practice of law. His law firm, Drayson Law, has built its Lexcel accreditation around the pervasive use of IT. He was previously General Counsel for an outsourcing services provider, when he won a legal IT award for mitigating risk through the use of IT.