Clients are increasingly seeking to validate law firms' risk management and compliance methods in their selection processes. According to Richard Daniel, chief operating officer of legal and compliance at Barclays Bank, this includes conflicts management and confidentiality. He says: "Protection of a law firm's reputation is what keeps them in business and this tends, therefore, not to be a source of competitive advantage but a core value."

Apart from higher client expectations and increased competition, tighter regulations mean that law firms must adjust to address their compliance obligations.

The Solicitors' Code of Conduct 2007 represented a significant overhaul of the regulations affecting solicitors, particularly in the areas of client relations, business management, conflicts of interest and confidentiality. Most law firms already use technology to some extent to help them identify conflicts and protect client confidentiality. Some risk managers will even state that compliance cannot be achieved without technology to complete necessary processes faster and more reliably than people.

The key is to use the right technology but also use the appropriate people where judgement is required.

Rule three of the code defines a conflict of interest as existing if "you owe, or your firm owes, separate duties to act in the best interests of two or more clients in relation to the same or related matters, and those duties conflict, or there is a significant risk that those duties may conflict". Where a conflict has been identified, a firm can only act for both clients with informed consent and if one of the exceptions applies, namely the different clients have a substantially common interest in relation to that matter, or are competing for the same asset.

Law firms that do not have the benefit of conflict-checking teams often use traditional round-robin emails to identify potential conflicts before accepting a new instruction from a client. Such emails are a good way to identify commercial as well as ethical conflicts and can be a useful way of raising internal awareness of the work the firm is undertaking. However, they have two key risks:

• they can miss their target through absence or be overlooked; and
• if they contain content material to an existing client, they can cause issues under rule four of the code which requires a lawyer to disclose to a client all information of which they are aware is material to that client's matter, regardless of the source of the information (subject to their duty of confidentiality).

Software solutions to identify actual or potential conflicts are designed to overcome these problems. To be effective, conflict-checking software must:

• interact with the firm's human resources, finance and business development systems to gather internal information on existing and potential clients;
• take into account client group structures and affiliates (particularly key for US conflicts where affiliates of clients may be classified as clients);
• interact with external databases such as World-Check to allow assessment of a new client's reputation;
• record tentative conflict checks made in anticipation of being instructed, as well as completed checks;
• have the capacity to search terms of engagement to review a firm's contractual duties towards its clients as well as its ethical obligations. For example, when permitted to act for two competing bidders for an asset, did your clients provide consent in respect of each other only, or are you open to take on additional bidders? Has the ability to represent a potential new client been carved out as adverse to a key existing client in that client's terms of engagement (particularly key in the US where the conflicts rules dictate that a firm cannot represent a client if the representation of that client will be directly adverse to another client)?; and
• provide workflows to act as a brake to prevent a lawyer from taking on an undesirable client, ensuring that crucial decisions are not made solely by the lawyer receiving the instructions, whose vested interest could result in the required protections being circumvented. Technology can prevent a file being opened before important information is obtained and routed to others in the firm, ensuring a collective client engagement decision-making process.

Rule four of the code sets out provisions for the protection of clients' confidential information and the duty of disclosure owed to those clients. It states that you should not normally act on a matter where material confidential information is held elsewhere in the firm and where the matter would be adverse to the interests of the client/former client to whom the duty of confidentiality is owed. Rule four, however, also provides two scenarios where a firm may be able to act in such circumstances; the first being where the informed consent of both clients is obtained and appropriate safeguards are put in place; the second being where a firm is already acting and consent has not been given or cannot be sought. In both scenarios, the rules recognise it can be acceptable to use information barriers in limited circumstances.

However, it is felt that rule four goes beyond the common law position set out in Prince Jefri Bolkiah v KPMG by requiring 'informed' consent as well as effective information barriers. Proposed amendments are currently being considered by the Solicitors Regulation Authority (SRA) to mirror the common law position in the Code.

Irrespective of these proposed amendments, rule four permits the use of information barriers in certain situations.

Several law firms have developed in-house technology solutions to support their information security policies and address the confidentiality of electronic information. Such solutions allow confidential information to be secured across the firm's document management, financial and knowledge management systems (if required), as well as access to such information to be audited. Firms have, however, found it difficult to:

• link matters on each side of an information barrier to automatically identify each matter involved;
• automatically exclude team members working on one matter from accessing information relating to the other matters(s) involved;
• automatically send and track acknowledgements from matter team members to ensure that they understand the terms of the information barrier and agree to comply with them – in many firms this is a cumbersome manual process administered by associates or secretaries;
• automatically override document access permissions when document access is widened by a matter team member to team members working on the other side of a barrier, and
• set up exclusionary, as well as inclusionary barriers; for instance, where a lateral recruit holds confidential information relating to former clients who are on the opposing side of matters involving clients of the firm they are joining.

Technology suppliers are starting to enter the market with tools that address these issues as well others, for example, easing the ability to monitor access to confidential information to assist with the maintenance of insider lists on price-sensitive matters. John Hall, chief executive officer of IntApp, explains: "Standards mandated by the SRA and Financial Services Authority are driving firms to adopt more stringent confidentiality and auditability practices. Firms are turning to technology as a way to ensure compliance and reduce risk. For example, electronic information barriers automatically enforce access restrictions, manage notifications, track acknowledgments and streamline reporting."

An assumed prerequisite to the ability to set up effective information barriers (as well as appropriately supervise matters in accordance with rule five of the code) is the maintenance of complete matter files with all documents and emails profiled to the matter. Email and electronic document management issues have long troubled both IT and risk management teams and technology solutions such as electronic matter centric filing have gone a significant way to address this issue.

For firms with offices in multiple jurisdictions, both the business processes and technical solutions need to be more sophisticated. Many jurisdictions in which UK firms operate do not apply the same practices as a matter of local law. The definition of a conflict of interest differs between continental Europe, the UK and the US, as do the circumstances under which firms are able to obtain a conflict waiver. The interpretation of client confidentiality also differs throughout Europe, with breach resulting in criminal sanctions in some jurisdictions.

There is very little authority on which conflicts rules a firm should apply on a multi-jurisdictional matter. General practice in the UK tends to be to apply the conflicts rules of the countries in which the work is being done and look at the rules of the jurisdiction in which the lawyers have been admitted. Business intake systems should allow for as much information as possible to be included during the matter inception process and if another jurisdiction becomes involved in the matter, post inception, the firm should review whether that jurisdiction's conflicts rules can be complied with before agreeing to act locally.

Technology can go a significant way to assisting compliance with the code's requirements on conflicts and confidentiality. However, inappropriate technology solutions can create additional problems if they overwhelm lawyers with forms that they cannot understand, misinterpret or can circumvent. Choosing a solution that is appropriate for the firm is key. Implementing IT systems is, however, not the complete answer. It is vital when implementing any technical solution that associated policies, which reflect the structure and business needs of the firm, are also put in place. Appropriate measures must also be taken to ensure that the firm's staff understand any changes to their working practices and find it easy to adopt the technical solution. n

Sam Suri is a director at It Matters Consulting.