Using Online Banking to Manage a Trust Account
Opinion rules that a law firm may use online banking to manage its trust accounts provided the firm’s managing lawyers are regularly educated on the security risks and actively maintain end-user security.
Most banks and savings and loans provide “online banking,” which allows customers to access accounts and conduct financial transactions over the internet on a secure website operated by the bank or savings and loan. Transactions that may be conducted via online banking include account-to-account transfers, payments to third parties, wire transfers, and applications for loans and new accounts. Online banking permits users to view recent transactions and view and/or download cleared check images and bank statements. Additional services may include account management software.
Financial transactions conducted over the internet are subject to the risk of theft by hackers and other computer criminals. Given the duty to safeguard client property, particularly the funds that a client deposits in a lawyer’s trust account, may a law firm use online banking to manage a trust account?
Yes, provided the lawyers use reasonable care to minimize the risk of loss or theft of client property, specifically including the regular education of the firm’s managing lawyers on the ever-changing security risks of online banking and the active maintenance of end-user security.
As noted in [Proposed] 2011 FEO 6, Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property, the use of the internet to transmit and store client data (or, in this instance, data about client property) presents significant challenges. In this complex and technical environment, a lawyer must be able to fulfill the fiduciary obligations to protect confidential client information and property from risk of disclosure and loss. The lawyer must protect against security weaknesses unique to the internet, particularly “end-user” vulnerabilities found in the lawyer’s own law office. The lawyer must also engage in frequent and regular education about the security risks presented by the internet.
Rule 1.15 requires a lawyer to preserve client property, to deposit client funds entrusted to the lawyer in a separate trust account, and to manage that trust account according to strict recordkeeping and procedural requirements. See also RPC 209 (noting the “general fiduciary duty to safeguard the property of a client”) and 98 FEO 15 (requiring a lawyer to exercise “due care” when selecting a depository bank for a trust account). The rule is silent, however, about online banking.
Nevertheless, online banking may be used to manage a client trust account if the recordkeeping and fiduciary obligations in Rule 1.15 can be fulfilled. The recordkeeping requirements for trust accounts are set forth in Rule 1.15-3. Rule 1.15-3(b)(3) specifically requires a lawyer to maintain the following records relative to the transfer of funds from the trust account:
all instructions or authorizations to transfer, disburse, or withdraw funds from the trust account (including electronic transfers or debits), or a written or electronic record of any such transfer, disbursement, or withdrawal showing the amount, date, and recipient of the transfer or disbursement, and, in the case of a general trust account, also showing the name of the client or other person to whom the funds belong;
If the online banking software does not provide a method for making an official bank record of the required information when money is transferred from the trust account to another account, such transfers must be handled by a method that provides the required records.
To fulfill the fiduciary obligations in Rule 1.15, a lawyer managing a trust account must use reasonable care to minimize the risks to client funds on deposit in the trust account by remaining educated as to the dynamic risks involved in online banking and ensuring that the law firm invests in proper protection and multiple layers of security to address those risks. See [Proposed] 2011 FEO 6.
A lawyer who is managing a trust account has affirmative duties to regularly educate himself as to the security risks of online banking; to actively maintain end-user security at the law firm through safety practices such as strong password policies and procedures, the use of encryption, and security software, and the hiring of an information technology consultant to advise the lawyer or firm employees; and to ensure that all staff members who assist with the management of the trust account receive training on and abide by the security measures adopted by the firm. Understanding the contract with the depository bank and the use of the resources and expertise available from the bank are good first steps toward fulfilling the lawyer’s fiduciary obligations.
This opinion does not set forth specific security requirements because mandatory security measures would create a false sense of security in an environment where the risks are continually changing. Instead, due diligence and frequent and regular education are required. A lawyer must fulfill his fiduciary obligation to safeguard client funds by applying the same diligence and competency to manage the risks of online banking that a lawyer is required to apply when representing clients.