Category: Financial Management

Law Firms on the Edge

Loans to law firms used to be a “no brainer” until some spectacular failures created losses in the millions.  Now, law firms are watched and analyzed carefully by banks.  An article entitled “Consultant Has ‘Somewhat Robust’ Watch List of Law Firms in Possible Danger” which appeared in ABA Journal Law News Now, included a video of an interview of Dan DiPietro, chairman of the Law Firm Group at Citi Private Bank.  I was impressed with the interview, and the fact that Dan uses “real” indicators of whether a law firm is in trouble, rather than just focusing on the P&L.  He knows that underbidding jobs, partner defections, and excess capacity are all surer advance indicators that a law firm is heading for the fiscal cliff’s edge.  He rightly recognizes that only later are these trends reflected in the bottom line.

His view is that transactional work is strong in a few industries, but otherwise is mostly still flat, causing financial hardship at large law firms.  And that trend will continue for the foreseeable future.  Although his focus seems to be exclusively on “BigLaw,” I can confirm that this trend is affecting mid-size firms as well, especially because of increased competitive pressure from larger firms now focusing marketing attention on smaller clients than normal, in an attempt to increase utilization of professional staff.

I convey these increasing competition principles to attorneys by using a fishing analogy.  Think of the BigLaw firms as the deep sea fishermen.  They’re after the big scores.  But when their favorite locales are overfished, they look for new spots.  Next thing you know, they invade the waters formerly favored exclusively by the mid-size firms.  Smaller fish, but still reasonable size and quantity.  They make up for the size difference by fishing for greater volume.  So what do the smaller firms have to do, faced with better-equipped increased competition that outclasses their operations?  They come and fish off the local pier of the small firms.  Firms that never expected competition; firms that always felt that larger firms were not interested in their clients.  They are now facing increased and daunting competition.

When you know that you are facing or will shortly face steep competition where there was little or none before, it’s time to bring on your A-game.  Excellent service — defined from the perspective of the client, not the law firm — will be the number one determining factor of who gets or keeps the client.  Cost management and innovative pricing strategies will be another.  The days of clients rewarding inefficiencies are over.  If you haven’t taken quality-control measures to leverage your firm with knowledge management and workflow innovations, you will be unable to remain competitive.

What’s Your Fraud Vulnerability Score?

There are a lot of pervasive myths regarding fraud in law firms.  Most of them have been around so long that lawyers believe them to be fact.  The more of them you believe, the higher your vulnerability score.  Over the years I have written and spoken quite a bit about Fraud Prevention.  And having done accounting work for many years in the corporate world before joining my first law firm, I feel I have a particularly insightful perspective.  Truth be told, were I not an innately honest person, I could have stolen from most if not all of my employers.  And for the most part it’s because they don’t pay attention, and make it too easy.

You may want to read “Is Your Firm Safe From Fraud” which was originally published in 2005, but is still highly on point.  I have also blogged previously on this topic in “Fraud on Lawyers – A Small Measure of Satisfaction”; “More on Bad Check Frauds”; “SC Law Firm Loses $390k in Bogus Check Scam”; “More on Lawyers as Fraud Victims . . . With a Twist”; “Fraud Prevention and Online Banking Scams”; and “Fraud Prevention Rules No. 1 and 2”.  Let’s review just a few of the top myths which can cost you if you still believe in them.

  1. GOOD PEOPLE DON’T DO BAD THINGS.  The simple truth is that good Church-going God-fearing people do bad things under at least two circumstances.  First, when it seems that it is just too easy to get away with it, and the constant temptation becomes too strong to resist without perceived consequences.  Second, when exigent circumstances create a desperate need for money.  I witnessed first-hand how a staff employee whose son was dying of AIDS, and a partner with an alcoholic husband, each stepped over a line they would have never crossed absent the circumstances in which they found themselves.
  2. LOYAL LONG-TERM EMPLOYEES ARE NOT THOSE WHO COMMIT FRAUD.  IT’S THE NEW EMPLOYEES WHO DO.  The truth is the exact opposite.  Those long-term employees are the ones who are trusted without question.  They have proved themselves.  And in doing so, they have managed to bypass the normal scrutiny and good business oversight practices one normally employs.  A recent article in ABA Journal Law News Now entitled “Former Office Manager Gets 10 Years for Embezzling More Than $500K from Suburban Chicago Law Firm” illustrates this point perfectly.  I have dozens of articles with similar stories that I have saved over the years.  The former office manager “apologized in court on Friday to attorney [ABC] for violating his trust. She had worked for a decade as his receptionist and office manager.”  By the way, this theft occurred over a four-year period.  You might ask yourself how a small firm could lose that much money in a short period of time before it drew their attention.
  3. LARGE LAW FIRMS ARE THE MOST VULNERABLE, BECAUSE THEY ARE SUCH COMPLEX ORGANIZATIONS, AND THERE IS SO MUCH MONEY MOVING ABOUT.   Nope.  Wrong again.  Large firms are indeed complex organizations with lots of money moving about.  However, they have developed a high level of separation of duties, checks and balances, and direct oversight.  In short, it’s a lot harder to steal from such organizations without getting caught.  In small firms there is often one person who handles money both in and out, as well as handles monthly reconciliations.  This is one of the first areas a forensic accountant will advise to separate duties.  Those divided responsibilities and checks and balances are essential.  But in a small firm which is fortunate just to have someone to help carry the load when it comes to bookkeeping and billing, the thought of adding additional personnel is cost-prohibitive. 

Ok, these are just the top three myths.  What was your score?  Did you believe 3 out of 3?  If so, your vulnerability score is high.  Here’s what you have to do:

  2. You need to make sure to ask questions.  Even if  you don’t really care why your firm has paid for so much toner in the past 6 months, the fact that you will periodically be a pain in demanding to see “back-up” for who knows what.
  3. You need to keep your eyes open for things like changes in lifestyle, working hours, family or credit problems of employees. 
  4. You need to be unpredictable about what you will look at, so that there is never an expectation on an employee’s part that there is somewhere they can hide their deception without your possibly stumbling across it.
  6. Make employees take vacation.  Those who never take a day off aren’t loyal in my book, they’re scary.  Fraudsters have to stay vigilant in order to intercept the letter or phone call that could reveal their wrongdoing.
  7. Don’t use signature stamps.  Never.  It lets the bank off the hook for validating signatures.
  8. Don’t allow a non-attorney the ability to write checks on IOLTA or client Estate bank accounts.
  9. PERIODICALLY RECEIVE ALL BANK STATEMENTS FOR THE MONTH AND OPEN THEM YOURSELF.  Fraudsters cover their deeds by shuffling money from one account to another, or from one client’s credit to another.  It’s a house of cards they keep rebuilding higher and higher.  Look for checks to people that don’t make sense.  Look for endorsements on the back that don’t match the payee on the front.  Don’t check everything, just pull a random number out and look them over.  Pull one deposit and make sure that each check was credited to the proper client.  If your stuff doesn’t come in your statement but is visible online, make sure you visit periodically, and let your employee who handles the money know you are doing so. 
  10. BEWARE DISREGARDING NORMAL PROCEDURES JUST BECAUSE YOU STAND TO GAIN A WINDFALL.  Every single instance of the substantial check fraud losses suffered by attorneys around the nation and in Canada has resulted from ignoring the “it’s too good to be true” voice screaming inside your head.

For those of you in PA, you may want to consider asking your county bar association to bring me in to present my “Fraud Prevention” seminar.  Hearing the amazing real stories of actual cases of fraud in law firms, committed by people at every level, from file clerk to partner, is sheer scary entertainment.  Hearing the simple methodologies which could have prevented it is priceless, and worth an Ethics credit as well.

Checklist to Make Sure Your Firm Isn’t Dewey

Every once in a while I read a blog post or article which is so spot-on I am compelled to share it.  That’s the case with “A (Don’t Be) Dewey Dozen: Use This Checklist to Make Sure Your Firm Isn’t Dewey” which was written by Paul Lippe.  It appeared in ABA Journal Law News Now.  If you’re wondering why Lippe’s name is familiar, he’s the guy that worked hard to get Gary Hart elected President — twice.  The insightful comments at the end of his post  (over 25) add much food for thought on top of this excellent post.  No matter what the size of your firm, this should be on your must read list.  Following I highlight and comment on a couple of points I feel strongly about.

4. Do mergers and acquisitions advance the strategy? Whether it’s merging with another firm or bringing in a lateral partner, law firms are constantly engaged in some form of M&A. When I was running M&A for my old company, our one-question test was: “What do we say to our top 20 customers the morning after the deal is announced explaining how they are better off?”

If you look at some of my past posts and articles regarding mergers, you’ll see me ruminating about this same point.  [See, for example, “Post Merger Economics“.]  It’s not simply about size or economies of scale when it comes to mergers; it’s about synergy.  One plus one better equal more than two, or the merger has no external value, and probably even less internal value.  Lippe really nails it with his one-question test.  Simple and eloquent.  He really says a  lot  in few words.  I’m thinking about printing this and adding it to the very few items on the tack-it board above my monitors — reserved for especially cogent thoughts.  I consider it my business haiku bulletin board.  Earning a spot on there means a lot.  I’m sure I will be sharing this one-question test with clients in the future.

6. Does management render unto Caesar? Lawyers use logic and reason to argue indeterminate facts, and they do it well. . . .but at minimum firms need to recognize that there are some inarguable facts. As my old boss Sen. Daniel P. Moynihan said: “Everyone is entitled to his own opinion, but not his own facts.”

The old adage, “figures lie, and liars figure” came immediately to mind when I read this.  I continue to encounter attorneys who somehow manage to dismiss what I find to be self-evident facts which are as plain as, well, the nose on their face.  It’s one thing to play devil’s advocate for love of the debate.  It’s great at the dinner table with cherished guests, during a round of golf, or over drinks at one’s favorite establishment.  But it’s not so great when it’s a never-ending process at the firm.  It wears the heck out of your partners and administrative management.  It seriously impairs the firm’s ability to evolve and realign to a constantly changing marketplace.  It creates dissension and dissolves the glue between partners which many firms work so hard to develop.  In short, it’s detrimental to the health and vitality of the firm.

I’m not suggesting that you blindly accept numbers put in front of you.  Far from it.  But there has to be collaborative effort to allow and enable objective analysis, and let the chips fall where they may once that is done.  Stop arguing endlessly just because you don’t like the numbers.  Put that same energy into improving them through some innovative thinking,  difficult discussions and decisions, and an action plan to implement change.


Fraud on Lawyers – A Small Measure of Satisfaction

I’ve written numerous warning posts about the email scams which have left lawyers throughout the U.S. and Canada out millions from their trust accounts.  See, for example, “Another Attorney Trust Account Hit By Online Fraud”.

It’s so hard to believe that lawyers — smart people all — continue to fall victim to this scam.  But the glamour of fast and easy money is too much and overrides the common sense of many.

When my latest issue of my ABA electronic news arrived, I was delighted to find a headline entitled “Nigeria Extradites Man Accused of Scamming Firms Out of 31M” — yes, folks, he’s on his way to the U.S. to face many counts of fraud.  Get out the pitchforks and torches, folks, this is going to be interesting.

Unfortunately, this is just scratching the surface of rounding up the evil-doers who have recently targeted law firms — particularly smaller firms.  Remember, it’s a dangerous world out there.  If it seems too good to be true, it probably is!  Keep your guard up, and your trust account funds safe.

Process Credit Card Payments from Clients on Your Smart Phone or iPad

My colleague at the Law Society of British Columbia, David Bilinsky, has a much better title on his Thoughtful Legal Management blog post about a new phone app: “It’s Cool to Be Square“.  In it he describes a new application called Square.  He describes Square as “a revolutionary service and device that turns a smart phone or iPad into a credit card point-of-sale terminal.” (It works on Android OS in addition to the Apple iOS.)  David encourages us to imagine the possibilities of being able to take credit card payments – anywhere, anytime – such as at the courthouse, at the client’s home, or at the client’s office.   

“Launched by Twitter founder Jack Dorsey and Jim McKelvey, this little device stands to change how lawyers get paid.”  I couldn’t agree more, David.  In fact, after reading David’s post, I followed the provided link to Square’s security policy.  I was delighted to find they are fully PCI Compliant.  Some of you may recall my post this past July entitled “PCI Compliance for Firms Which Accept Credit Card Payments” which detailed the requirements created by recent federal legislation regarding credit card companies.  The new standards apply to anyone who accepts credit cards, including lawyers and law firms. 

The fees for processing payments through Square are incredibly reasonable.  The app is free.  Check it out for yourself.  Unfortunately for David and most of his subscribers, the service is not yet available in Canada, which makes me even more grateful that he shared the information on his blog.


To return to the main page of the blog, click here.  To return to the blog  Index, click here.

More on Bad Check Frauds

I read a blog post today written by one of my peers.  Sheila M. Blackford, the author, is an attorney and Practice Management Advisor for the Oregon State Bar Professional Liability Fund.  So here I come to post a link to it, and find that the last thing I wrote about on this blog was exactly the same topic.  Yes, it’s that important, or we wouldn’t keep repeating it.

I’ve been absent from the blog for a while.  A sudden need to provide care for a loved family member, on top of everything else, changed a few priorities in the interim.  Sadly, this blog had to wait for some semblance of normalcy to return; achieved by hiring 24-hour at-home caregiver service.  I make no apologies — I did what I had to do.

I will be blogging more about contingency plans, disaster prevention and recovery, and overload issues in upcoming posts.  The recent experiences have reminded me that there are certain areas which need to be talked about repeatedly, in order not to lose our vigilance and preparedness.  (And that means having “Plan B” is not optional!)

Returning to the topic of this post, I suggest you take a moment to read Sheila Scanlon’s post entitled “Bad Check Frauds: ‘Tis the Season for Lawyers to Be Wary” because it’s loaded with very practical information and suggestions on protecting your practice.



SC Law Firm Loses $390k in Bogus Check Scam

Lawyers continue to fall victim to check fraud.  Smart lawyers.  Don’t be one of them.  My peers from various U.S. state bars and Canadian provinces are reporting that their members are regularly receiving invitations to become the next victim.  Right now collaborative law attorneys are targeted.  But that can change in a heartbeat to virtually any practice area.  These are well-designed socially engineered schemes with fake bank cashier checks which are of very high quality.  Read more about it in a recent post on the “Avoid a Claim” Blog of PracticePro, the professional liability insurer for Ontario, Canada.

Remember, if the deal seems too good to be true, e.g. you’re about to earn a huge fee for virtually no work from an unknown client, step back, take a deep breath, and check very carefully before disbursing any money from your trust account. 



PCI Compliance for Firms Which Accept Credit Card Payments

Does your firm allow or require clients to pay by credit card?  If so, you want to make sure you’re meeting the requirements created by recent federal legislation regarding credit card companies.  The new standards apply to anyone who accepts credit cards, including lawyers and law firms.  Montgomery County attorney Deborah Zitomer has generously allowed me to share her explanation regarding this topic, which is as follows:

 The person who manages my credit card payments told me that the compliance is a new requirement under the recently passed federal legislation regarding credit card companies.  If you take credit cards, you need to be in compliance with the credit card company’s standards and regulations or they can refuse to process payments for you, or can fine you. The standards apply to anyone who accepts credit cards for payments, so lawyers and firms need to be compliant!

Below is an excerpt about compliance and standards for those who accept credit cards as part of their practice.  You can also take a look at the website for PCI.

The major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card.   All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they want to accept credit cards.  Failure to meet compliance standards can result in fines from credit card companies and banks, and even the loss of the ability to process credit cards.

There are six categories of PCI standards that must be met in order for a retailer to be deemed compliant.

1.  Maintain a Secure Network

This standard refers to the actual network that cardholder data resides upon. In the case of an online business, the most obvious vulnerability for this standard is the web server. Luckily, most hosting companies take responsibility for ensuring the security of their networks. However, there is more to this standard than meets the eye.  Do you keep cardholder data (even just names) on a laptop that you use on public networks?  Does your office network have a firewall installed and reasonable security measures in place?

In short, whenever any personal information about a cardholder is stored on a computer (which is also connected to a network), that computer should be behind a firewall and all reasonable measures should be taken to protect that particular network.

2.  Protect Cardholder Data

This category focuses on how cardholder data is stored and transmitted. Business owners that choose to store cardholder information have an obligation to protect that data. Protecting information means that not everyone can have access to it. Businesses that store actual credit card numbers will often store them as encrypted data, so that even if someone got access to the database they still could not decipher the information in it.

E-commerce businesses need to be especially attentive to the way that cardholder data is transmitted. When a customer makes a purchase on a website, his/her cardholder information is sent across the Internet. During that transmission, cardholder data must be encrypted with at least a 128 bit SSL certificate in order to meet this standard.

3.  Maintain a Vulnerability Management Program

This one is relatively simple, and translates to keeping up-to-date with your protection systems. Vulnerability exposure can be minimized by regularly updating computer hardware, operating systems and software. Keeping up-to-date anti-virus software, as well as running regular virus scans, is another requirement to meet this standard if your systems are susceptible to such vulnerabilities.

4.  Implement Strong Access Control Measures

The most exploited breach in security is the human element, which is harder to protect. Part of meeting PCI compliance means limiting access to cardholder data to only those persons that need to use it. In addition to restricting physical access to cardholder information, business owners are also responsible for assigning a unique identification to each person that does have access.

5.  Regularly Monitor and Test Networks

Networks that store cardholder data must be monitored and tested regularly. Regular scans of security measures and processes, and  monitoring and tracking of network access to cardholder data are required to satisfy this standard. Consider signing up for a security testing and auditing service, such as ScanAlert’s Hacker Safe program, which can help you to identify and fix potential security problems as they arise.

6.  Maintain an Information Security Policy

Considering that humans are generally the easiest part of a system to hack, and also that ignorance does not relieve liability, it’s important to draft and implement a company-wide information security policy. Make sure that your employees know and understand their responsibilities with regards to cardholder data before it becomes an issue.

The first step in PCI compliance is to meet the above standards.  Credit card companies and financial institutions validate that vendors are abiding by the regulations, giving them ratings based on their volume of transactions. The rating that a company receives determines the process that they must go through in order to be validated.

Deborah promises to take a closer look at the four validation ratings in the future, and when she does, she will hopefully allow me to share them as well.



Another Attorney Trust Account Hit By Online Fraud

Wow, I can’t believe it’s been more than two months since I’ve had a chance to post to the blog.  I want to thank those subscribers who wrote to me to inquire whether I was still alive and well, given my online absence.  Yes, I’m fine.  I’ve just been on the road a lot more than usual.

Is it coincidence that the last post concerned a fraud attempt upon an Oregon attorney, and I’m following up with another?  I don’t think so. 

The Florida attorney had her trust account hit for a significant sum.  She was willing to engage in online banking thinking that the several layers of security provided by the bank itself would be sufficient to protect her accounts.  What she did not take into consideration was the very real possibility and threat of scumware (a/k/a spyware) being installed on her computer — coming in hidden in an email — capturing her logon ID and passwords, which the criminals then used to access and make wire transfers out of her trust account.  The actual implementation of the transactions was done surreptitiously through her computer, so that the computer’s ID identification (e.g. IP address) would match that which the bank’s system recognized as legitimate.

You should read this story which appeared in the June 15, 2010 edition of The Florida Bar News.  If you’re presently doing online banking, it will certainly give you pause.  It will also give  you some food for thought about how to tighten security.  I noticed that the victimized attorney stated she had anti-virus software, but did not acknowledge having anti-spyware software.  And that’s the culprit that breached her security. 

Anti-virus software alone isn’t sufficient protection.  It’s like brushing your teeth but never using dental floss or mouth wash.  Your dentist will tell you that the combination is what provides maximum protection.  Similarly, your firm should utilize a firewall, anti-virus and anti-spyware software, and should keep all up to date.



More on Lawyers as Fraud Victims . . . With a Twist

It’s getting harder to keep track of the many frauds which are impacting lawyer practices.   You certainly have to remain vigilant.  I’ve just been informed of a new scheme.

 This fraud alert is just in from Oregon. It seems a fraudster has appropriated an attorney’s name, firm name, phone number, and address and then has debited 3 different bank accounts of individuals in different states with $10 debits purportedly from her.

 The FTC advised the attorney that the $10 charges are test charges to see if the bank account holder is alert. The fraudster then would clean out the bank account of anyone not paying attention. The attorney found out about the charges when she was called by the individuals wanting to know what her debit was for. 

 Since the attorney is not herself a victim of theft, she was told nothing can be done on an official basis to protect herself.  Likewise, the local police cannot assist because the financial victims are out of state.   Of course, the attorney is concerned about damage to her reputation, and the time and expense of dealing with all the issues which may crop up until her identity can be secured once again.

 It seems that taking all the necessary steps to further protect herself from this identity theft is about the only avenue to pursue for this lawyer.  At least thus far.  For some excellent information on how to deal with identity theft, check out the information on the web site of the FTC.


