1. Cybersecurity breaches
2. Artificial intelligence – improper use
3. Uniform Law obligations – non-compliance
4. Failure to comply with fundamental ethical duties
5. Money laundering
6. Inadequate supervision
Commissioner's introduction
Welcome to the VLSB+C’s Risk Outlook 2024, our second annual overview of the risks facing the legal sector in Victoria.
All businesses and service providers are exposed to risks that need to be identified and controlled, and legal practices are no exception.
In a previous life, I was CEO of Justice Connect and before that, General Counsel at World Vision Australia, and Special Counsel at Clayton Utz. So I appreciate the range of risks that lawyers confront and successfully deal with on a daily basis – risks to their organisation’s security, financial viability and reputation, their personnel, their clients and even themselves.
Our objective in publishing this risk outlook is not to exhaustively catalogue all the risks facing the profession, but rather to spotlight certain risks that we, as Victoria’s legal regulator, are most concerned about. These are the risks that are causing consumer harm – or have the potential to cause harm – and therefore have serious regulatory implications.
Some of the risks we explore this year have carried over from last year’s risk outlook. That’s because cybersecurity breaches, non-compliance with core legislative obligations, unethical practice and inadequate supervision in law practices continue to happen, to clients’ detriment. This year we’re also flagging, for the first time, risks associated with the use of artificial intelligence, involvement in certain referral schemes and inadvertent facilitation of money laundering.
Poor or deficient practice in any of these areas is a breach of your professional duties and obligations that may attract regulatory attention. At the practice level, this might mean we undertake compliance audits of firms, inspect trust accounts, and/or issue management system directions. If warranted, we may also investigate individual lawyers’ conduct and act to vary, suspend or cancel practising certificates, or prosecute breaches of the Legal Profession Uniform Law (Uniform Law) or rules made under the Uniform Law.
Fortunately, almost every risk is either preventable, or can be substantially minimised. Taking the time to understand each of these risks and implement measures to avoid or prevent them will help you meet your professional and ethical duties. Keeping up to date with meaningful continuing professional development is also important, as is ensuring you have the professional and personal support you need – our experience is that when lawyers deal proactively with emerging challenges, and seek help early, outcomes are significantly better for all involved. We also have many helpful tips and resources for you.
I welcome your comments on the utility of this risk outlook, including any improvements you may suggest. Please direct feedback to: policy&consultations@lsbc.vic.gov.au.
1. Cybersecurity breaches
The scale and severity of cybercrime continues to increase, adversely affecting individuals, businesses and governments globally. The magnitude of this risk warrants urgent attention, which is why cybersecurity is this year’s priority risk, as it was last year.
In the Australian Signals Directorate’s (ASD’s) most recent Annual cyber threat report, it was noted that a cybercrime is reported roughly every six minutes in Australia – up from one report every seven minutes. In 2022–23, there were nearly 94,000 cybercrimes, 23% more than the previous year. The average self-reported cost of cybercrime was up by 14% to $46,000 for small businesses, $97,200 for medium businesses and $71,600 for large businesses. The professional, scientific and technical services sector reported the highest number of ransomware-related cybersecurity incidents. The top three cybercrimes reported by businesses were email compromise, business email compromise fraud, and online banking fraud.
The prevalence of cybersecurity incidents in the professional sector, and the increase in monetary loss, is consistent with the experience of the Legal Practitioners’ Liability Committee (LPLC). In December 2023, LPLC reported a surge in cyber fraud incidents affecting law practices, including many small firms and sole practitioners. They noted that claim costs for the first five months of the 2023–2024 financial year had already exceeded the entire 2022–2023 financial year, due to larger sums being stolen, and recovery of funds often not being possible.
In last year’s risk outlook, we clearly outlined our expectations for law practices of all sizes and in all practice areas to implement appropriate cybersecurity measures, scaled to reflect their entity’s size and level of risk. We know that law practices are lucrative targets for cybercriminals wanting to steal money or information, and their methods for doing so are sophisticated and continually evolving. The need to take preventative action is vital.
Our Minimum cybersecurity expectations resource, published earlier this year, details the system and behavioural controls that we expect all law practices to implement to help minimise the risk of cyber-attacks. It also highlights three ‘critical controls’ that offer significant protection from cyber-attacks. These critical controls are straightforward to implement, and if you’re a principal of a practice and have yet to put them in place, they should be your highest priority. They are:
- turning on multi-factor authentication (MFA) on all online accounts and services where it’s available
- having strong and unique passwords or passphrases for all devices or accounts used to handle work data, and
- turning on automatic software updates where available, or manually checking for new, improved, or fixed versions at least once a fortnight.
Each of these critical controls is also recommended in the ASD’s 2022–2023 Cyber threat trends for Australian businesses and organisations fact sheet.
While law practice principals are responsible for implementing the system and behavioural controls outlined in our Minimum cybersecurity expectations resource, cyber-safe practice is a crucial professional competency for all lawyers. Our Red flags and good practices resource helps law practice employees and volunteers understand the warning signs of a cyberattack or breach and respond swiftly to mitigate its impact. This resource also includes information about good cybersecurity habits to develop and details our expectation that lawyers verify client identities before acting on email instructions.
Even when appropriate cyber controls are implemented, we appreciate that breaches may occur. We’ve prepared a brief checklist about how to respond to a breach, and we recommend that you prepare yourself for this eventuality by developing an incident response plan. The LPLC’s Cyber security guide for lawyers and the Law Council of Australia’s Cyber precedent are useful starting points.
In the event of a breach, we expect you to take immediate and proactive steps to stop the threat, secure systems and make relevant notifications. You should report all incidents to our office via our lawyer enquiry form, including near misses. We don’t want to know about obvious spam that you delete, but we do need to know about external attempts to breach your systems (which you avert) or successful breaches that you quickly identify and rectify.
For those law practices using the latest version of Microsoft Outlook, there is now a phishing notification icon allowing direct reporting of phishing emails to your network administrator.
2. Artificial intelligence – improper use
A key risk this year concerns lawyers’ use of artificial intelligence (AI) platforms.
AI’s potentially transformative effect on the profession has been the subject of much media and professional commentary during the past year. This technology clearly offers law practices significant benefits, and consumers increased ways to access help with legal problems. Using AI, law practices can automate labour-intensive and repetitive tasks, triage clients, identify legal issues, and improve the clarity and comprehensibility of legal information and advice. We know the profession is already experimenting with large language models (LLMs) – a form of AI that can process and generate text – and is even developing in-house LLMs using its own data.
Understanding how AI works is an important technical competency that all lawyers should develop. However, while enjoying the benefits of AI, it’s important to remember that you’re obliged to provide competent, ethical and confidential services, irrespective of the tools you use to deliver them. We offer a brief overview of some of the features, risks and limitations of AI in our Generative AI and lawyers resource. The LPLC and the Supreme Court of Victoria have produced useful commentary for practitioners on this topic. The Victorian Bar has also produced four seminars on AI and the legal profession, which are available to be viewed by its members.
If you use AI in your work, we expect you to:
- understand that it is your duty to provide accurate legal information, not the duty of the AI program you use, and therefore you will be held responsible for your output
- never use AI to create outputs you’re not personally capable of validating (e.g. translating legal information into a language you don’t speak)
- properly supervise early career lawyers and legal support staff using AI in the course of their work, and verify their output
- never enter confidential, sensitive or privileged client data into generic LLMs or other AI products
- thoroughly assess whether it’s appropriate to use client data to train in-house LLMs or AI products, noting that regulatory implications will flow if confidential or privileged information is incorporated in a way that breaches client confidentiality, or results in information from a client matter being used to benefit other clients
- understand how your clients may be adversely and unfairly affected by AI (e.g. because of bias or discrimination within automated decision-making platforms)
- be transparent with your clients about your use of AI, and pay regard to any concerns raised by clients, and
- comply with any regulatory guidance that VLSB+C may issue on the use of AI.
Despite the current limitations of AI – and the need to be careful about when and how AI products are used to deliver legal services – we appreciate the benefits this technology will deliver for lawyers and their clients. However, notwithstanding the benefits of AI, it pays to remember that unlike a great lawyer, AI cannot exercise superior judgement. It remains your responsibility to understand a matter in the context of legal principles, the human psychology of its parties, external complicating factors and future possibilities. It’s ultimately your expertise that clients rely upon when they engage your services.
3. Uniform Law obligations – non-compliance
This year, failures to comply with key legislative obligations continue to be a regulatory concern. Of particular concern, and of significant harm to consumers, are breaches of trust accounting requirements and costs disclosure requirements.
Costs disclosure
About one third of all complaints we receive concern legal costs. This is an ongoing trend, and while not all costs complaints we receive involve poor or inadequate disclosure, our analysis shows that many do. As an obvious risk factor for client dissatisfaction and potential disciplinary action, this is something that all lawyers should take steps to avoid.
In 2022, the Victoria Law Foundation (VLF) undertook a Public Understanding of Law Survey (PULS), which explored how people understand, experience and navigate law, and everyday life problems with a legal dimension. This large-scale survey was made up of a predominantly face-to-face sample of 6,008 respondents across Victoria. The PULS found that although an overwhelming majority of survey respondents agreed or agreed strongly that they trusted lawyers to be knowledgeable and skilled in their work (96%), and to act in their best interests (92%), they were far less likely to trust lawyers not to overcharge them (63% agreed or strongly agreed). These results corroborate what we see as the regulator, that a lack of public confidence in the profession is far more likely to centre around costs and charging than the quality or benefit of lawyers’ work.
This finding confirms the importance and value of good costs disclosure – by which we mean compliant disclosure, explained fully and transparently. Good costs disclosure is a valuable tool in establishing and maintaining good working relationships with clients, and gives your practice a significant reputational advantage by encouraging repeat business and word-of-mouth referrals.
We appreciate that good costs disclosure is not always straightforward and in the year ahead we’ll work with the Legal Services Council and regulators in other Uniform Law jurisdictions to identify opportunities to improve the operation of these requirements. We’ll also continue our in-house Costs Support Program, where we provide support to lawyers who generate a high or disproportionate number of costs complaints and who need help complying with their costs disclosure obligations. This is a voluntary program that helps lawyers understand our expectations, provide compliant and effective disclosure, and implement better business practices.
Our website has useful general information about your costs disclosure obligations under the Uniform Law and last year’s risk outlook also has useful tips on providing full, frank and compliant costs disclosure. We also encourage you to consider the examples of good costing practices identified by the VLF and Monash University in recent VLSB+C-commissioned research on pricing practices in Victorian legal services, including:
- using regular billing cycles to prevent bill shock and keep clients informed
- raising the issue of costs directly and up-front with a client at the initial interview, clarifying exclusions and inclusions, and providing price breakdowns in respect of complex or multi-stage work
- setting clear boundaries to help clients understand the service being provided, and
- adopting digital tools to track billing against the estimate provided.
Trust money
In last year’s risk outlook we described the significant harm to consumers when trust money is improperly handled, accurate trust records are not maintained, or lawyers fail to comply with compulsory notification requirements. Despite this, we continue to see lawyers who do not comply with their legal obligations, even though this is on its face unsatisfactory professional conduct – and a relevant consideration for us when determining whether to renew a practising certificate.
The trust money obligations set out in Part 4.2 of the Uniform Law and associated rules are foundational consumer protection provisions that are designed to protect law practice clients from the theft or misapplication of their funds. We expect strict and complete compliance with these obligations if you’re authorised to receive trust money. In particular, we remind you that you must:
- provide trust statements as soon as practicable after 30 June
- meet all end of year trust reporting requirements
- have up-to-date trust account reconciliations
- not withdraw client money from a trust account before clients have had time to review (and object to) their bills
- identify and notify us of trust account deficiencies or irregularities (or suspected irregularities) as required under section 154 of the Uniform Law, using our online trust account irregularity reporting form
- properly supervise trust accounts, and
- implement appropriate cybersecurity to prevent breaches (see our minimum cybersecurity expectations for guidance).
Even if you are not authorised to receive trust money (which is always the case, unless you have a practising certificate that specifically authorises you to receive it), we nonetheless expect you to:
- understand what trust money is and how it should be treated, and
- report any irregularities or suspected irregularities in a trust account to us as soon as is practicable, using our online trust account irregularity reporting form.
If you have recently been granted trust authorisation, or need a refresher about your obligations, you should closely read our information on Managing trust accounts. If you’re concerned about your trust money and trust account management practices, please seek help from the Law Institute of Victoria’s confidential complimentary trust consultancy service, TrustConsult. Email them at trustconsult@liv.asn.au or call 03 9607 9447.
4. Failure to comply with fundamental ethical duties
It’s a fundamental ethical duty of all lawyers to be honest, avoid compromise to their integrity and professional independence, and act in a client’s best interests. These duties are at the heart of what it means to be a member of the legal profession. If breached, they generally attract disciplinary sanctions.
Although most Victorian lawyers acquit their duties admirably, unethical and unprofessional conduct can occur. Sometimes, this can follow a lawyer’s failure to put in place and maintain proper professional boundaries with clients and other parties. More often, it’s linked to poor judgement exacerbated by stress, an inadequate understanding of substantive legal requirements, or simply failing to act fairly, honestly or reasonably in all circumstances.
In this section of the risk outlook, we’ll cover the forms of unethical behaviour that will be a regulatory priority for us in 2024–25.
If you require confidential ethical support, the LIV Ethics helpline is available to all lawyers by emailing ethics@liv.asn.au or calling 03 9607 9336. The Victorian Bar has a Health & Wellbeing Portal for barristers and a dedicated Ethics Committee that provides ethics resolutions and confidential guidance to barristers. More generally, you might like to undertake a guided reflection on your ethical understanding (and identify any skills or knowledge gaps) by using the reflective self-assessment tools we’ve developed for early-career, mid-career, and senior lawyers.
Dishonestly concealing mistakes
We’ve observed an unfortunate trend of lawyers ‘covering up’, disguising or concealing an embarrassing mistake or negligence, instead of being transparent with clients or employers about what’s happened. This includes instances of lawyers falsely witnessing affidavits, forging signatures and creating false documents before filing them at court.
In most cases we’ve investigated, a lawyer’s ethical and professional judgement has been impaired due to extreme pressure or stress caused by a poor working environment. Although we appreciate this context, it’s never an excuse: as officers of the court, dishonesty in lawyers is always unjustifiable. Disciplinary consequences can include being formally reprimanded and penalised, suspended for lengthy periods and even struck off the Supreme Court roll of lawyers.
All lawyers make mistakes. What matters most is how they deal with them. If you make a mistake, we expect you to remedy it properly and honestly. This involves admitting to the mistake (to both your employer and client), taking appropriate corrective or mitigating action and, if necessary, advising your client to seek independent legal advice. As we made clear in a recent Commissioner update, if a mistake is remedied properly and honestly, there may be no need for us to get involved.
Lodging caveats improperly
We continue to observe lawyers lodging caveats without having the proper grounds to do so. This is well-established unethical conduct and causes consumer harm by forcing the owner of an improperly caveated property to apply to the Supreme Court for the caveat’s removal – a process that involves time and expense, and may require legal advice.
Before lodging a caveat, you must ensure you’re up to date on the relevant case law. You should also make sure you have evidence of a proper basis on which to lodge the caveat, and obtain proper instructions from your client.
Gross overcharging
Incidents involving gross overcharging of clients continue to occur, causing significant consumer harm and bringing the profession into disrepute. All lawyers are reminded of their obligation, under section 172 of the Uniform Law, to charge costs that are no more than fair and reasonable in all the circumstances, that are proportionately and reasonably incurred, and proportionate and reasonable in amount.
Motor vehicle claims
We regularly receive a significant number of complaints about lawyers who act in motor vehicle claims. By ‘motor vehicle claims’, we mean matters in which a person is involved in a motor vehicle collision and seeks to recover compensation from the other driver (or their insurer) for expenses such as repair and/or hire car costs.
We have observed that lawyers often become involved in these matters following a referral from another business in the motor vehicle industry (e.g. a repairer or hire car provider). Sometimes, the person involved in the collision may have signed an authority form provided to them by one of these other businesses, without realising that the form purports to authorise a lawyer to act on their behalf in relation to the claim, and/or purports to appoint a third party to provide instructions to the lawyer on the person’s behalf.
Complainants often allege that lawyers have unexpectedly undertaken legal work on their behalf, even to the extent of issuing proceedings without their knowledge or instructions. Other common issues in these complaints include lawyers:
- failing to advise on the risks of litigation, such as the possibility of an adverse costs order
- failing to obtain client instructions before settling the matter, and
- failing to comply with ethical obligations in relation to conflicts of interest, including lawyers putting their own interests ahead of those of their clients.
For many years, we have provided guidance to lawyers and law practices acting in motor vehicle claims, and undertaken outreach activities. If you act in these matters, we expect you to follow this guidance, and be honest in your dealings with your clients, courts and insurers. Failure to do so will attract regulatory attention. VCAT has repeatedly found conduct of this nature to be unsatisfactory professional conduct or professional misconduct.
Claims farming
Serious concerns have been raised with us recently about lawyers’ conduct in relation to government redress schemes designed to compensate individuals who were seriously harmed by government policy or within institutions. There are allegations that lawyers are intentionally targeting vulnerable people to acquire as clients, providing misleading or incorrect information to abuse survivors about access to the redress schemes and grossly overcharging clients for legal advice in relation to redress claims. If proven, this conduct, as with gross overcharging in any context, is capable of amounting to either unsatisfactory professional conduct or the more serious charge of professional misconduct.
We expect any lawyer who is involved in these matters to reflect seriously on their professional obligations and make sure any legal costs are fair and reasonable. Attempted exploitation of vulnerable individuals who seek redress for abuse or harm is anathema to the legal profession’s ethos and obligations and is subject to disciplinary action. Our news update on marketing tactics by law practices describes specific professional conduct rules relevant to so-called claims farming, direct marketing and cold-calling.
Failure to exercise professional independence
Recent royal commissions have exposed the complexities inherent in the role of a legal practitioner, and consequences of a failure to exercise appropriate professional independence in the delivery of legal services.
In our recent guidance on professional boundaries, we note that it’s not uncommon for lawyers to represent powerful clients with strong interests in a particular outcome. Nonetheless, it’s a key professional obligation to exercise independent forensic judgement in this situation. A clear sign that you’re not sufficiently independent of your client, and not able to exercise independent judgement, is if you don’t feel like you can advise them on their legal obligations or advise them against breaking the law.
Our expectation is that all lawyers, whether working in the private or government sector, will operate in an environment with appropriate structures and processes to support their professional objectivity and independence. If such structures and processes do not exist and cannot be created, it’s your responsibility to seek an alternative position, where you can properly exercise independent judgement without undue external influence.
5. Money laundering
Money laundering is the process by which money or property is moved through the economy in a way that hides its illegal origins or intended criminal purpose. The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) establishes a regime for combatting money laundering, terrorism financing and other serious financial crimes.
Currently, Australian lawyers are only subject to AML/CTF obligations if they provide a ‘designated service’ as currently defined under the AML/CTF Act – which is not the case for most lawyers. They do, however, have obligations under the Financial Transactions Reports Act 1988 (Cth) (FTR Act) to report all significant cash transactions of A$10,000 or more (or the foreign currency equivalent) to AUSTRAC, in the format of ‘solicitor significant cash transaction reports’. Structuring transactions to avoid reporting requirements is an offence under the FTR Act.
Lawyers must also comply with obligations in the Legal Profession Uniform General Rules 2015 to properly receipt trust money, including by recording the name of the person making the payment, the client and matter for which the payment is made, and particulars sufficient to identify the reason for the payment.
Relatedly, it is an offence to deal with money or property when it is reasonable to suspect the money or property is proceeds of indictable crime. Pursuant to section 400.9(2)(a) of the Commonwealth Criminal Code, it is taken to be reasonable to suspect that funds are proceeds of crime if the conduct constituting the offence (which would include receiving payments of money) involves transactions that are structured or arranged to avoid the reporting requirements of the FTR Act.
The Attorney-General’s Department (AGD) is currently consulting on proposals to expand the AML/CTF regime to capture certain additional ‘designated services’ performed by lawyers and other entities. In anticipation of these likely reforms, we strongly encourage you to develop an awareness of the risks of inadvertently facilitating money laundering on behalf of clients. Case studies of lawyers who have become unwittingly involved in money laundering are set out in the AGD’s most recent consultation paper, published in May 2024.
As well as expecting that lawyers with trust authorisation will strictly comply with the legal requirements relating to the handling of trust money in the Uniform Law and the General Rules, we also expect any lawyer who receives cash from clients to:
- verify the client’s identity
- make appropriate enquiries about the origin of cash payments, and
- strictly comply with AUSTRAC’s reporting requirement.
The Law Institute of Victoria has created an AML/CTF Hub designed to provide a one-stop shop for practitioners to access AML/CTF knowledge and learning resources, and updates on the progress of legislative reforms.
6. Inadequate supervision
Another key concern of ours is supervision. We are particularly concerned about principals who fail to effectively supervise their law practices, as well as the inadequate and inappropriate supervision of law practice employees.
Supervision of law practices
Section 34 of the Uniform Law imposes important supervisory obligations on law practice principals, in recognition that lawyers who want to run their own legal businesses are responsible for ensuring their staff deliver legal services competently and ethically. It requires each principal of a practice to take reasonable steps to ensure that associates of the practice comply with their professional and ethical obligations, and that the legal services provided by the practice comply with regulatory requirements and professional obligations.
It’s a privilege to be granted a practising certificate, particularly one that authorises you to run your own law practice. Unfortunately, we continue to encounter principals who don’t assume proper responsibility for the conduct of matters in their practice or exercise the degree of oversight required of them.
We are observing an increasing trend involving principals of law practices:
- failing to exercise proper oversight over the activities of employee lawyers, such that the principal is unable to answer basic questions about the conduct of client matters, trust account activity or even identify and access relevant files – sometimes necessitating an external intervention
- allowing themselves to be named as the ‘legal director’ principals in ILP legal service providers, but relinquishing effective control and responsibility over the practice to non-legal directors – in direct contravention of the Uniform Law, and
- failing to have proper oversight of the activities of other principals in the law practice.
Supervisory failures of this kind give rise to two key risks: the risk of clients being exposed to incompetent or unethical legal advice and the risk of the law practice being used to achieve fraudulent ends.
We remind any lawyer who has been granted a principal practising certificate of their unambiguous supervisory obligations. Our expectation is that each principal takes all necessary steps to ensure that the associates in their law practice comply with, and all legal services provided by the practice are provided in accordance with, the requirements of the Uniform Law and rules, and other professional obligations. A failure to uphold this responsibility can constitute unsatisfactory professional conduct or professional misconduct.
If you’re looking for support, LIV provides a practice management consultancy service (PMConsult) designed to help lawyers develop their practice and risk management skills and comply with regulatory requirements. The service complements the LIV’s existing Practice support line, providing an additional layer of support via a confidential and complimentary one-on-one consultancy service designed to work with practitioners to strengthen areas of practice management and develop remedial action plans. You can contact PMConsult by email at pmconsult@liv.asn.au, or by calling 03 9607 9329.
Supervision of law practice employees
The Uniform Law restricts new lawyers from engaging in unsupervised practice for a set period, in recognition that lawyers in the early stages of their careers need to be supervised by more senior, knowledgeable and skillful colleagues who can assist them to develop the foundational skills and attributes required for independent practice.
Good supervision has a powerful effect: it lays the foundation for good legal practice, and a sustainable and fulfilling career. Unfortunately, we continue to encounter inadequate – and in some cases, impermissible – supervision arrangements. We’ve encountered supervisees who have been given files well beyond their capability, or who have received too little in the way of instruction, guidance and oversight. We’ve also become aware of lawyers who are themselves subject to a condition requiring supervision purporting to supervise other lawyers, in direct contravention of the Uniform Law.
If you have responsibility for supervising another lawyer, our expectation is that you will be qualified to do so, i.e., you cannot be restricted from engaging in unsupervised practice, or otherwise restricted from supervising other lawyers. We also expect that you’ll provide the degree of feedback and overall oversight necessary to ensure that your supervisee provides quality legal services to clients and develops the skills they require to operate independently in the future.
Appropriate supervision is also relevant in a broader context: rule 37 of the professional conduct rules makes it clear that a solicitor with designated responsibility for a matter must exercise reasonable supervision over solicitors and all other employees engaged in the provision of legal services for that matter.
There are many resources exploring the topic of supervision. Our Guidelines for supervisors offer practical advice about how to supervise newly admitted lawyers. The LPLC has also produced many useful resources, including a podcast on supervision, and articles that explore what effective supervision involves and explain that even experienced staff require supervision.
Published 6 June 2024