Conveyancing Quality Scheme – the New Provisions
No doubt hoping to address Advertising Standards Authority (ASA) criticisms in the past that it “exaggerated the level of knowledge, skills and experience possessed by a CQS-accredited firm and its staff, and the extent of the checks that a firm had to undergo to receive its accreditation” the Law Society has revealed this month the details of their new Conveyancing Quality Scheme (CQS) Core Practice Management Standards (CPMS).
Clearly compiled in a hurry and with perhaps less quality checking than should have been done before it went live, the new CQS is a mish-mash of elements carried over from the previous version of CQS combined with sections taken from Lexcel v6.1. The result, unfortunately, is a somewhat confusing set of policy, procedure and guidance which results in provisions that are repeated and restated and a numbering system which breaks down when it gets to 5.6.
The new CPMS, combined with the Law Society’s expressed intention to introduce “desk-based assessments and on-site visits”, will no doubt be intended to bolster up the CQS’s flagging reputation. The Society will be hoping that it will garner support from lenders and the public alike and lose the reputation of being a quality standard that is awarded to whoever asks for it. At the time of the ASA finding, they stated that all but two of the 293 firms who applied for the scheme were accepted – in some cases, before relevant staff had been properly trained.
Responding to the changes
Hopefully, the new standard will, when it officially comes into effect on the 1 May, raise the bar in terms of compliance and introduce not only more rigorous standards but also, more rigorous checking of those standards. The Society is in the process of appointing an independent assessment body to carry out the on-site visits and new applications for initial accreditation received from 1 May 2019 onwards must also be able to address the new CPMS.
As already mentioned, most (although not all) of the new requirements have been taken from Lexcel v 6.1, so those firms who have already been accredited to that standard may find compliance with the new CPMS more straight forward. Other firms, who have used only the CQS to support their conveyancing practice – and who may have done little to actually address the requirements of the previous standard – may find themselves with a steep hill to climb before the somewhat tight deadline of 1st May.
Overview of the Changes
The majority of the changes that have been made come in the form of increased responsibility to demonstrate what firms do. This needs to be evidenced by means of written procedures and processes, many of which are more onerous than the previous requirements. Only in a very few cases have requirements been dropped.
The main changes include (references in brackets are to the new CPMS):
- a requirement for firms to have a SDLT policy which includes an audit trail, checks as to level of consideration and verification of the SDLT calculation (1.2);
- the ability to be able to demonstrate compliance with the various requirements of the Money Laundering Regulations 2017 (1.3);
- strengthening the requirements to be included in the firm’s anti-property and mortgage fraud policy (1.4);
- a new requirement for the firm to have a policy in relation to the purchase of a leasehold property (1.5);
- a requirement for a procedure for handling financial transactions (2.2);
- a need for documented management structures (3.1);
- additional requirements in relation to training to address various aspects of the CPMS, National Conveyancing Protocol and conveyancing generally (3.4 and 3.7 (f));
- enhanced requirements in relation to risk assessment and handling (3.8);
- more detailed requirements in relation to the handing of conflicts (3.9)
- increased detail in terms of what firms must do in relation to client care and what their policy must contain (4.1);
- enhanced requirements in relation to complaints procedures (4.3);
- a requirement for a documented procedure for reporting matters to lenders (4.5);
- a more detailed requirement for the firm’s policy on the acceptance and refusal of instructions (5.2);
- increased requirements in relation to the information communicated to clients (5.3).
- a requirement to have a procedure for ensuring the SRA’s price and service transparency requirements are met (5.4);
- enhanced provisions as to how the firm deals with the end of matters (5.8 – although the Law Society refer to this as 5.6 which is also the number on the undertakings provision)
In addition to these general changes and enhancement, the new CPMS also makes provision for a whole new set of information management standards.
The previous version of the CPMS required that firms had an email policy (3.8) and a policy dealing with internet use, website management and social media (3.9). These have been replaced with a new section dealing with information management.
This requires firms to have a policy for the management of personal data that is compliant with data protection legislation (taken from section 3.1 of Lexcel v6.1). This focuses on issues such as keeping data processing records, having a procedure for dealing with subject access requests and for managing and reporting data breaches and so forth.
Somewhat more controversially, although possibly not for those who are familiar with Lexcel v6.1, is the requirement for the firm to appoint a Data Protection Officer (DPO) whether or not they are obliged to do so. However, the guidance notes to the CPMS do state that “If a voluntary appointment is not made, practices must document why they have not made such an appointment and the suitable alternative arrangements they have put into place.” This is a caveat virtually identical to that to be found in section 3.1 of Lexcel v6.1.
This could prove to be a difficult provision for many firms who will need to find a way to opt-out of the requirement.
The problem here is that If an organisation appoints a DPO voluntarily then they must comply with the same requirements as if it were a mandatory appointment. That means that not only will the DPO need to be registered with the ICO but they will also need to comply with the other requirements that apply. One of those requirements is that further tasks and duties can only be assigned to a DPO provided they do not result in a conflict of interests with the DPO’s primary tasks. Because of the nature of the tasks that most of the likely candidates for the role of DPO would undertake, no existing person could be appointed as a DPO as there would be a potential for conflict. Inevitably, if someone of sufficient seniority within the firm were to be appointed a DPO then that role would conflict since that person’s other responsibilities would involve putting the interests of the business before the protection of personal data – for example a partner, senior manager, office manager or even someone involved in marketing or IT.
Possibly just as controversial is the requirement that firms have an information management and security policy which is accredited against Cyber Essentials – a government scheme designed to help businesses deal with cyber security issues. It normally requires that a business be audited against a set of external criteria. Whilst the Law Society are not specifically requiring firms to have an external audit of their information management and cybersecurity provisions, they do require that firms undertake a “self-assessment” against the Cyber Essentials criteria to check that they are compliant.
Given the complexity of the Cyber Essentials requirements, this could mean that many firms feel obliged to pay external auditors to carry out the exercise for them. The CPMS also requires that firms employ firewalls, have secure configuration of network accounts, have procedures to detect and remove malicious software and train staff in cybersecurity issues.
How are firms to respond?
So, what do firms need to do in the light of the new requirements?
The short answer is respond, or risk losing their CQS accreditation and therefore risk losing potential work and possibly their place on lender panels.
Firms who have Lexcel v6.1 will probably be able to address most of the requirements without too much of a problem. They just need to make sure that the conveyancing specific elements such as training, SDLT procedure and leasehold procedures are in place and that staff both know what is required of them and how to achieve it.
For those who do not have Lexcel but who have put in place provisions to deal with earlier versions of CQS, then there may be more of a challenge ahead of them. They need to look at the new CPMS and work out where the requirements that it contains exceed those of the previous version of the CPMS. They then need to put in place provisions to deal with the compliance gap.
For those firms who have certified that they comply but who in reality do not comply at all, then they need to be aware that they could, at some point after 1 May, be subject to a check by the Law Society and could, as a consequence, lose their CQS status. For them, they have no option but to start at 1.1 and work through the new CPMS putting in place appropriate policies and procedures as they go.