Skip to Content

2023 Risk Outlook

On this Page

Commissioner's foreword

Welcome to the VLSB+C’s Risk Outlook 2023, which highlights five risks for the Victorian profession that will be areas of regulatory focus for us in the coming year. It describes issues and conduct associated with each risk – all of which have the potential to cause consumer harm – and explains our planned response to them. It also contains some useful tips about how to avoid these risks.

One of our organisational goals is to improve our communication with lawyers. I hope that you take the time to read this publication, consider its relevance to your workplace and, if necessary, follow our tips.

We plan to publish a Risk Outlook annually, so we're interested in whether you find it useful and any improvement suggestions you may have. Please send any feedback to: policy&

Key risks for the legal profession in 2023

1. Cybercrime

Globally and domestically, cybercrime is surging.

Hackers and cybercriminals are constantly alert to vulnerabilities that allow them to steal money or sensitive and/or confidential data. Recent events at Optus and Medibank show the scale of reputational and personal damage that successful cyberattacks can cause businesses and their customers.

Law practices are holders of often-significant client funds and sensitive information. They are an obvious and rich target for cybercrime. This is borne out by both the number and quantum of cybersecurity claims processed by the Legal Practitioners’ Liability Committee, which continues to increase year on year.

For this reason, preventing cybercrime in law practices is one of our five key regulatory focus areas for 2023.

When considering the possibility of a cybercrime incident affecting their operations, law practice principals need to be aware that cybercriminals do not just target large or medium-sized law firms, or specialist conveyancing practices. Irrespective of size or area of practice, all law practices are likely to store sensitive client information that, if released, could compromise a client’s business activities or personal privacy. Smaller law practices and sole practitioners often handle large money transactions in high-value property transfers, deceased estates, and family law settlements, making them lucrative targets for cybercriminals to infiltrate. 

Specific issue/conduct of concern and our regulatory response

In terms of cybersecurity breaches, we have recently seen phishing (including voice impersonation fraud and phone hacking), email modification/redirection frauds (involving compromised email accounts and fraudulently altered bank account payment directions on emails) and ransomware attacks on law practices. Attacks on third party service providers, for example on IT platforms used by law practices, have also occurred.

Our observation is that cybersecurity breaches are typically the result of insufficient systems and/or behavioural controls in law practices.

Systems controls include having strong passwords, multi-factor authentication, prompt security updates, appropriately secure technology platforms and experienced IT support.

Behavioural controls are controls on the actions of individuals. They include protocols or procedures requiring staff to, for example, confirm bank details in person before authorising payment, never rely on email authorisation for electronic funds transfers and add a “call before you pay” notice to email footers. Other behavioural controls involve educating clients and staff about security risks, building a culture in which people can quickly raise security breaches, and clearly explaining to employees why certain security protocols are required.

We expect principals in law practices of all sizes and in all practice areas to implement appropriate systems and behavioural controls, scaled to reflect their entity’s size and level of risk. We will support the profession in this endeavour by working with the Legal Practitioners’ Liability Committee and Law Institute of Victoria to:

  • help the profession deal with known cyber risks
  • share intelligence about emerging risks and potential cyberattacks, and
  • develop minimum cyber risk management standards.

Our regulatory response to this issue will also involve:

  • undertaking compliance audits of at-risk law practices – using our powers under section 256 of the Legal Profession Uniform Law (LPUL) – where there are reasonable grounds to do so based on the conduct of, or a complaint against, the practice or one of its associates
  • where relevant, issuing management system directions under section 257 of the LPUL to ensure that a law practice implements the necessary cybersecurity procedures to competently provide legal services
  • inspecting trust accounts, and issuing management system directions, where we have reason to believe – based on information received from banks, external examiners, clients or mandatory reports – that there is a security threat to a law practice’s trust account, and
  • where necessary, taking disciplinary action against individuals regarding failures to implement appropriate cybersecurity measures, leading to actual or potential consumer harm.

Tip: Our guidance to the profession on the minimum cybersecurity expectations for law practices can be found on our website, as well as information for lawyers on the common warning signs of a cyberattack and good cybersecurity practices for lawyers to adopt in their day-to-day work.

2. Costs disclosure non-compliance

In Australia, as in many other countries, there has been a tightening of monetary policy in response to inflationary pressures, with successive rapid interest rate rises affecting both retail and commercial borrowers’ ability to service debt. In addition, labour shortages are making it harder for businesses to hire and retain personnel with the required experience to undertake profitable work.

Financial and staffing pressures that affect law practices’ operations and viability may exacerbate the risk of non-compliance with important legislative obligations. One such obligation is costs disclosure that complies with the LPUL.

Unfortunately, we continue to receive a high volume of complaints from consumers about their lawyers’ bills, many of which could have been avoided had the appropriate disclosure been provided. The resulting harm caused to consumers is the reason non-compliance with costs disclosure obligations is our second key area of regulatory focus in 2023.

Costs disclosure is a critical consumer protection. Not having transparent information about their estimated legal costs causes clients distress, diminishes their ability to make informed decisions about whether and how to proceed with their matter, and fractures their trust in their lawyer. Conversely, full and effective costs disclosure is a valuable tool in establishing and maintaining good working relationships with clients – relationships that are likely to enhance a law practice’s sustainability by leading to repeat business and word-of-mouth referrals.

Specific issue/conduct of concern and our regulatory response

The types of non-compliance, or inadequate compliance, with costs disclosure obligations that we see most often relate to LPUL requirements to:

  • provide an estimate of a client’s total legal costs
  • update costs disclosure as soon as practicable
  • take reasonable steps to ensure a client understands and consents to proposed costs, and
  • notify clients of their rights in a costs dispute.

We have also observed concerning failures by lawyers to comply with disclosure requirements regarding conditional costs agreements, including the requirement for a client to sign these agreements.

Our own and others' research suggests that disclosure can be challenging, particularly in matters that are complex or which involve multiple stages. Therefore, we will work to educate the profession about our expectations, and assist lawyers to provide disclosure that is both compliant and effective. We will also participate in the Legal Services Council’s review of costs disclosure obligations and advocate to make aspects of disclosure more straightforward for lawyers.

We will also respond to non-compliance using regulatory powers where appropriate. In certain circumstances, a warning may be sufficient, but if non-compliance is recurring, substantial or egregious, we may:

  • determine that a lawyer has engaged in unsatisfactory professional conduct, or
  • prosecute the lawyer for professional misconduct.

Tip: Understanding the work likely to be involved in a matter – and any contingencies – will assist you to provide full, frank and compliant costs disclosure. It is crucial that you detail the assumptions on which your costs estimate is based, the normal scope of work that would be expected in a client’s matter, and the variables that might cause your costs estimate to change. Having this information front and centre will also help you to update your disclosure in a timely and informative way.

Tip 2: Law practices can reinforce costs disclosure discipline by putting in place processes that require employees to undertake detailed scoping work and regular reviews. Costs disclosure precedents, such as those published by the Law Institute of Victoria, may be useful.

Tip 3: If you’re not particularly experienced in a particular area of law, there’s a risk you won’t fully understand the complexity of a matter or anticipate the work involved, which in turn makes it harder to provide proper costs disclosure (as well quality advice). This risk is significantly lower if you do work you know and understand.

3. Non-compliance with trust money obligations

The same kind of business pressures that may lead to, or exacerbate, law practice non-compliance with costs disclosure requirements may also result in increased non-compliance with trust money obligations.

The importance of complying with trust money requirements – and the risk to consumers when this does not happen – is hard to overstate. It is reflected in the legislative protections that apply to money held on trust. Only principals or legal directors authorised to receive trust money may do so, and they must comply with the extensive provisions designed to guard against misuse of trust money set out in Part 4.2 of the LPUL. All lawyers have obligations to understand key trust money obligations, not to cause deficiencies in trust accounts, and to report any irregularity or suspected irregularity in a trust account to us.

Many client harms can occur when lawyers:

  • do not have trust authorisation but nonetheless accept and deal with trust money
  • have trust authorisation but do not understand their trust account obligations
  • fail to keep proper records of the money that they deal with
  • fail to notify us when they cause a deficiency in a trust account, or
  • fail to notify us of irregularities or suspected irregularities.

Client harms range from stress caused by delays and difficulties in locating or understanding where their money has gone, to the loss of significant amounts of money due to negligence or fraud perpetuated or aggravated by the law practice. A lawyer’s non-compliance with trust money obligations also makes it harder for us to assist clients to access the protections that may be available to them under the Fidelity Fund.

Despite the critical importance of ensuring that trust money is treated in a way that protects the interests of the persons for whom it is held, we continue to see lawyers who do not comply with their regulatory obligations. Accordingly, and given what we see as an increased risk of non-compliance, trust money non-compliance is our third key area of regulatory focus for 2023.

Specific issue/conduct of concern and our regulatory response

The types of non-compliance with trust money obligations that we have identified range from lower-end (but still concerning) breaches of accounting requirements to significant contraventions of what should be well-understood obligations. Matters of particular concern to us involve:

  • not sending trust statements as soon as practicable after 30 June
  • not having up-to-date trust account reconciliations
  • withdrawing a client’s money from a trust account before they have had time to review (and object to) their bill for legal costs
  • failing to identify and notify us of trust account irregularities or suspected irregularities, as required under section 154 of the LPUL
  • not properly supervising trust accounts, and
  • failing to implement basic measures to prevent cybercrime.

We are also particularly concerned about lawyers seeking payment in advance of providing legal services and claiming – erroneously – that the money is not trust money, because of the terms on which the legal services are to be provided.

Our approach to dealing with these issues is multi-faceted.

Because we want practitioners to be well-placed to understand their legislative obligations, we plan to work with legal education providers to improve education outcomes regarding trust obligations. We will also develop an information pack on trust obligations to be sent to lawyers after they obtain a principal practising certificate, and create clearer pathways for lawyers to report trust irregularities or suspected irregularities.

We will respond to every reported breach and, if necessary:

  • investigate or conduct an audit of law practices’ record keeping, in circumstances where their external examiner report identifies significant or systemic breaches in their management of trust money
  • use our powers under section 257 of the LPUL to issue binding management system directions directed at ensuring better trust account management, and
  • take disciplinary action against holders of trust account authorisation.

Tip: If you’re unsure of your trust money obligations or concerned about your trust account management practices, seek help from the Law Institute of Victoria’s confidential trust consultancy service, TrustConsult, which supports lawyers to implement sound trust money and trust record management practices, or validate existing practices. Our website has a good overview of your obligations in managing a trust account.

4. Unethical conduct

Two of a lawyer’s fundamental ethical duties are to act with honesty and integrity, and to act in their clients’ best interests. Lawyers are also ethically obliged not to place their own interests above those of their clients.

These basic ethical obligations are a cornerstone of the profession. Unfortunately, there is a concerning trend of a small number of lawyers acting unethically and/or improperly to protect either their own or a client’s interests, and in doing so causing significant consumer harm.

Unethical and improper conduct is our fourth area of regulatory focus for 2023.

Specific issue/conduct of concern and our regulatory response

It is well-understood among the profession that lodging caveats without having proper grounds to do so is unethical. Unfortunately, we have identified several instances in which lawyers have improperly lodged caveats. We have encountered lawyers who have lodged caveats over their client’s property to secure their own costs, despite not having a charging clause in their retainer. We have also observed lawyers lodging caveats on behalf of their clients, without having sufficient instructions and/or a proper basis to do so. As well as being unethical, conduct of this kind forces applications to the Supreme Court of Victoria for the caveat’s removal – a process that involves time and expense, and may require legal advice.

Similarly, we have observed increasing numbers of lawyers claiming liens over client files to secure outstanding legal costs without ensuring they have a proper basis to do so. In some cases, liens have been claimed without a lawyer having given their client a bill. Although technically permissible, this is usually unfair. We are also aware of lawyers claiming liens over wills for unpaid legal fees when there is no right to do so.

Dishonest attempts to conceal mistakes is an increasing problem. This conduct may often be the product of extreme pressure and stress, which reduce a lawyer’s wellbeing and professional judgement. Nonetheless, it is an unjustifiable ethical breach.

Incidents involving gross overcharging of clients are also of critical concern to us, as they cause serious consumer harm and bring the profession into disrepute.

We will respond to these issues using several regulatory tools at our disposal. We will:

  • undertake targeted communications campaigns for the profession
  • attempt to informally resolve complaints – noting that these issues raise the prospect of a finding of professional misconduct, and are more likely to be escalated for formal investigation
  • where appropriate, formally investigate complaints and take disciplinary action.

We may also pursue disciplinary charges against law practice principals if the relevant conduct reflects poor practice management.

Tip: Before lodging a caveat over property, familiarise yourself with the relevant case law. Ensure you have evidence of a proper basis to lodge the caveat. Obtain proper instructions from your client.

Tip 2: Rules 14 and 15 of the Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015 set out your obligations when claiming a lien. If, after reviewing these rules, you remain unsure whether you have the proper grounds to do so, you should review relevant commentary (see Handy Hints on Legal Practice and Law of Costs), guidance and case law or seek assistance from the Law Institute of Victoria’s Ethics line by phoning 03 9607 9336.

Tip 3: If you make a mistake in your practice, resist the urge to conceal it. Mistakes happen to everyone. They can usually be rectified and are unlikely to lead to the cancellation of your practising certificate. Once dishonesty occurs, the situation becomes much more serious, and you risk losing your right to practise. If you need help sorting out a mistake, the Law Institute of Victoria’s Ethics Line is a good place to start.

5. Inadequate supervision and oversight

The meaningful supervision of lawyers in the early stages of their careers, and the diligent oversight of law practices, are necessary pre-conditions for good client outcomes. This is recognised by the LPUL, which restricts new lawyers from engaging in unsupervised practice for a set period and makes principals responsible for taking reasonable steps to ensure that the legal services provided by – and the conduct of employees at – their law practice comply with regulatory requirements.

Unfortunately, we have encountered matters in which early career lawyers have not been adequately supervised in their delivery of legal services. We have also identified law practices in which the required legal directors have been unable answer questions about the practice’s operation, due to a lack of insight into the responsibilities of a principal. Accordingly, inadequate supervision and oversight is our fifth area of regulatory focus for 2023.

Specific issue/conduct of concern and our regulatory response

We urge lawyers to understand the risks of failing to appropriately supervise early career lawyers. Supervising lawyers should ensure that they provide the degree of feedback and overall oversight necessary to ensure that supervisees provide quality legal services, and progressively develop the type of skills they need to operate independently in the future. Specific arrangements should be put in place to ensure that early career lawyers who are not physically co-located with their supervisor are supervised effectively.

We also remind lawyers of the significant risks to clients, and their own associated disciplinary risks, of acting as a principal or legal director for law practices over which they do not have the required oversight. The risk to clients of being exposed to incompetent legal advice, or the risk of the law practice being used to achieve fraudulent ends, is clear.

Our regulatory response to these issues in 2023 will involve:  

  • talking to principals and/or supervising lawyers to determine whether there has been any failure to properly supervise new or inexperienced lawyers, in circumstances where we have concerns about the quality of legal services provided or the conduct of the lawyers in question
  • undertaking targeted discussions with principal lawyers/legal directors of multiple law practices, to confirm that appropriate oversight is being provided
  • if required, using our compliance audit powers under section 256 of the LPUL to examine the practice management of law practices whose principal lawyers/legal directors act in that capacity for multiple practices
  • if necessary, issuing management system directions to law practices under section 257 of the LPUL, and
  • taking any other disciplinary action we consider appropriate.
Last updated on
* Indicates required field
Back to top