2022 Compliance Advisory

2022 Compliance Advisory

Ronald S. Flagg, President
November 10, 2022

 

This Program Letter describes the most common compliance issues that the Legal Services Corporation's ("LSC") Office of Compliance and Enforcement (OCE) has observed during compliance oversight visits in the past 12 months, or which have otherwise come to LSC Management's attention. This Program Letter highlights these issues so that you and your staff members can avoid or mitigate compliance risks. More extensive guidance, including examples of how LSC grantees have implemented the compliance requirements listed below, can be found in OCE Final Reports from visits to LSC-funded legal aid programs. Final Reports can be found online under Assessment Visit Reports: https://www.lsc.gov/i-am-grantee/assessment-visit-reports.

I encourage you to share this guidance, along with the guidance LSC has provided in previous years, with your staff.

 

Nepotism and Conflicts of Interest

LSC recently enhanced its oversight of workplace arrangements that give rise to the appearance of nepotism, which is a type of conflict of interest that occurs when business decisions, such as hiring or purchasing, are based on family ties or close personal relationships rather than objective merit.

Common examples of nepotism include:

  • Hiring a relative for a job without publicly posting the job opportunity.
  • Hiring a family member without objective consideration of all applicants for the position, with the goal of hiring the most qualified person.
  • Supervising a family member's job performance.
  • Awarding a services contract to a close friend without exploring alternative options that may be more cost effective or better suited to the organization's needs.
  • Buying office supplies from a family member when another vendor offers a lower price for the same supplies.

Clear conflicts of interest policies help recipients prevent nepotism and make sound business decisions that promote organizational effectiveness. LSC requires grantees to have a written conflicts of interest policy that addresses nepotism and covers both staff and board members or separate conflict of interest and nepotism policies that cover the same.

 

Fiscal Management and Internal Controls

LSC Accounting Guide, § 2-3.2; 45 C.F.R. Part 1630 – Cost Allocation; and Program Letter 18-2. See also Sections 3.7.1 Cost Allocation and 2 Accounting Systems and Governance, LSC Financial Guide (effective January 1, 2023).

Pursuant to 45 C.F.R. § 1630.5(c)(3), recipients must maintain an accounting system with fund accounting capabilities sufficient to demonstrate the proper allocation of costs to each relevant funding source. The system must accurately reflect final cost allocations for the year. A lack of fund accounting in the system risks diminishing the accuracy of accounting data and the reliability of management reports the data is used to generate.

Pursuant to LSC Program Letter 18-2, a recipient must confirm non-LSC funders' refusal to expense indirect costs before such refused costs may be proportionally allocated to LSC funding sources. Recipients should ensure the written policies that govern the allocation of indirect costs among multiple funding sources comply with 45 C.F.R. § 1630.5 and Program Letter 18-2. Relevant policies and procedures must address instances where non-LSC funding sources disallow or limit the expenditure of funds on indirect expenses. The draft policy should be reviewed and adopted by the recipient's Board before it is implemented, consistent with the principles of the LSC Accounting Guide, § 1-7.

Unrestricted funds must be included as a source of funds available to pay for indirect costs. While there are several reasonable ways to calculate the proportion of excess indirect costs that could be allocated to LSC funds, the language of 45 C.F.R. § 1630.5(g) is clear: another funding source must refuse to pay some or all of its share of indirect costs before a recipient may charge any portion of those costs to its Basic Field Grant. If the recipient did not first ask whether the funder was willing to pay for indirect costs, it is not sufficient for purposes of § 1630.5(g) that the recipient failed to include a budget amount for indirect costs when initially applying for the grant.

Historically, costs determined to be unallowable by LSC have included flowers, alcohol, holiday cards, and gifts for staff, board members, and/or private attorneys such as cakes, shot glasses, or other promotional items or tokens of appreciation such as pens, t-shirts, or coffee mugs. The new Financial Guide, which goes into effect on January 1, 2023, introduces limited flexibility as to when some of these items might be allowed in some circumstances. For example, flowers, cakes, and promotional items or tokens of appreciation may be allowable in certain circumstances, such as fundraisers or recognition events for volunteer attorneys. Recipients should consult with LSC or seek an advance understanding under 45 C.F.R. § 1630.6 for situations that might justify using LSC funds for these expenses.

LSC Accounting Guide, § 3-5.4 -- Cash Disbursements. See also Section 3.2.4 Cash Disbursements, LSC Financial Guide (effective January 1, 2023).

Recipients must establish cash disbursement procedures to ensure proper documentation and recordkeeping. All invoices and all supporting documents should be marked and recorded as paid or cancelled to avoid duplicate payment. All property purchased should be recorded in a property subsidiary record, which must include all necessary documentation and must agree with the general ledger property accounts.

Approval of any proposed cash disbursement should be required at an appropriate level of management before a commitment of resources is made. Insufficient advance approval or internal verification increases the risk of unauthorized disbursements, or the disbursement of funds in the wrong amount.

LSC Accounting Guide § 3-5.16 -- Contracting. See also Section 3.5 Procurement and Contracting, LSC Financial Guide (effective January 1, 2023).

Recipients must have written procurement policies in place to ensure compliance with 45 C.F.R. § 1631.7 on purchasing and property management. Improper contracting actions increase the risk that agreements may be entered into without sufficient approval, subjecting the recipient to questioned cost proceedings and increasing the risk of fraud. Failure to enforce established policies and procedures weakens the system of internal controls.

 

Regulatory Concerns

45 C.F.R. Part 1604 -- Outside Practice of Law

A compliant "outside practice of law" policy must articulate: (1) the permissible activities listed in 45 C.F.R. § 1604.4; and (2) the restrictions listed in 45 C.F.R. §§ 1604.5, 1604.6, and 1604.7(a)(2). The LSC regulation related to the outside practice of law by employees of the recipient organization, 45 C.F.R. Part 1604, requires each recipient to adopt written policies that comply with Part 1604 and details the organization's internal policies and procedures pertaining to any allowable outside practice of law by full-time attorneys. Refer to the Fraud Awareness section below for additional guidance.

45 C.F.R. Part 1608 and C.F.R. Part 1612 -- Political Activities and Lobbying

Pursuant to 45 C.F.R. Part 1608, LSC resources may not be used to support political activities. Guidance detailed therein should be applied to further this purpose without infringing upon the constitutional rights of employees or the professional responsibilities of attorneys to their clients. 45 C.F.R. § 1608.1.

Similarly, 45 C.F.R. Part 1612, addresses restrictions on the use of LSC funds to support lobbying activities. Recipients' lobbying policies and procedures must contain the recordkeeping and accounting requirements listed in 45 C.F.R. § 1612.10. LSC has published several resources to support recipients in complying with these important regulations, all of which can be found online under Lobbying and Political Activities: https://www.lsc.gov/about-lsc/laws-regulations-and-guidance/lsc-regulations/lobbying-and-political-activities.

45 C.F.R. Part 1614 -- Private Attorney Involvement ("PAI")

If any direct or indirect time of staff attorneys or paralegals is to be allocated as a cost to PAI, such costs must be documented by time sheets accounting for the time those employees have spent on PAI activities. The timekeeping requirement does not apply to such employees as receptionists, secretaries, intake personnel or bookkeepers; however, personnel cost allocations for non-attorney or non-paralegal staff should be based on other reasonable operating data which is clearly documented. 45 C.F.R. § 1614.7(a)(1). Recipients should refer to 45 C.F.R. §§ 1630.5(d) and (e) when determining how to document direct and indirect costs associated with PAI. When calculating the time that staff members spent facilitating PAI, the applicable pay rate is not the relevant staff member's pay rate at the end of the fiscal year; rather, the calculation should be based on the individual's pay rate at the time the PAI work was performed. The PAI hourly wage rate should be calculated to exclude the effect of paid leave on a determination of the staff member's hourly wage rate. The practice of subtracting leave from the program's annual allowable work hours significantly inflates the hourly wage rates used to determine PAI costs and results in an over-reporting of personnel compensation expenses charged to PAI.

LSC's method for calculating the PAI hourly rate was previously provided in Program Letter 17-1.

45 C.F.R. Part 1626 -- Restrictions on Legal Assistance to Aliens

Pursuant to 45 C.F.R. §§ 1626.6 and 1626.7, all recipients must ensure that clients who are seen in person, as well as those receiving extended services, provide a citizenship attestation or demonstrate alien eligibility. Under CSR Handbook (2017 Ed.), § 5.5, all case files must contain the necessary citizenship documentation. Recipients should confirm that template citizenship attestation forms contain language that is consistent with the language requirements articulated in CSR Handbook (2017 Ed.), § 5.5.

Incomplete screening practices under 45 C.F.R. Part 1626 risk the erroneous denial of services to eligible individuals or non-compliance with the prohibition of 45 C.F.R. § 1626.3 that "recipients may not provide legal assistance for or on behalf of an ineligible alien."

45 C.F.R. Part 1635 -- Timekeeping

Recipients must have adequate systems and internal controls for collecting timekeeping records as required by 45 C.F.R. Part 1635 for any attorney, paralegal, or other recipient employee who performs work that is charged to one or more awards as a direct cost (as defined in 45 C.F.R. § 1630.5(d)). Under 45 C.F.R. § 1635.4(a)(2), time spent by attorneys and paralegals must be documented and incorporated into the recipient's official records by no later than the end of the employee's pay period, generally every two weeks. Because timekeeping reports are the basis for determining the allocation of costs among funding sources, inconsistent or non-compliant timekeeping practices may result in the incorrect allocation of LSC funding. 45 C.F.R. Part 1635 and LSC Accounting Guide Section 1-7. See also Section 2.2 Timekeeping and Time and Attendance, LSC Financial Guide (effective January 1, 2023).

 

Fraud Awareness

Per guidance issued on July 13, 2021 by LSC's Office of Inspector General ("OIG"). LSC reminds grantees to be aware of the growing threat posed by phishing schemes and ransomware attacks targeting employees and organizational IT systems:

  • BEC Schemes: In a Business Email Compromise (BEC) scheme, the cybercriminal creates spoofed email domains that closely resemble those of LSC (e.g., @lscgov.com vs. @lsc.gov). The criminal uses the spoofed domain to impersonate LSC and subsequently request grantee bank account details.
  • Phishing Schemes: Cybercriminals send emails to grantee employees that contain links embedded with malware. Upon clicking the link, the phished employee grants the perpetrator access to the grantee's computer system, allowing the perpetrator to encrypt the program's data and demand compensation for its restoration.
  • Gift Card Schemes: Perpetrators send emails to employees requesting the purchase of gift cards using personal credit card information. The employee is then directed to forward the gift card codes to the perpetrators' spoofed email address.

To avoid falling victim to these common cyber schemes, grantees are urged to train employees to follow these best practices:

  • Add spoofed email domains, such as @lscgovt.com, to your organization's blocked domain list.
  • Disable automatic forwarding and deleting email rules, especially those related to external addresses.
  • Prohibit international IP addresses from accessing your systems, especially email systems.
  • Ensure that staff, especially finance staff, are aware of BEC scams and other common types of cyber threats.
  • Require at least a two-part identity verification for all payments and purchase requests, as well as for all changes to existing payments or purchases.
  • Enable automated notifications for changes to bank accounts, contact name, email address, phone number, physical address, etc.
  • Employ multi-factor authentication on grantee accounts.
  • Adopt an incident response plan.
  • Consider purchasing cyber insurance.

LSC-OIG Hotline Advisory: Recent Ransomware and Phishing Attacks.

As outlined in the May 6, 2021 LSC-OIG Hotline Advisory Success Story: Grantee Mitigates Impact of a Ransomware Attack, grantees can mitigate the potential impact of phishing and ransomware attacks by taking the following steps:

  • Maintain multiple server backups by regularly backing up all organizational servers to local hard drives and a daily backup to an online cloud service.
  • Protect client data by storing such information in a case management system (CMS) on a cloud-based hosting service maintained separately from the organization's network.
  • Invest in a cyber insurance policy to cover the cost of such an attack, including restoration of the network, recovery of key data, and subsequent investigation of the attack.

In a subsequent advisory issued on February 18, 2022, LSC-OIG Hotline Advisory: BEC Schemes Targeting Grantee Financial Institutions, the OIG noted a recent increase in BEC schemes targeting the financial institutions where grantees maintain accounts. While BEC schemes against LSC grantees have long targeted grant remittances, payroll, and gift card purchases, the BEC scheme noted in this advisory was the first known attempt by a cybercriminal to identify and target an LSC grantee's financial institution in an effort to gain unauthorized access to the grantee's banking and investment accounts.

Grantees can take the following measures to prevent perpetrators from identifying and infiltrating their financial institutions:

  • Ensure staff members are aware of social engineering techniques used to deceive employees into disclosing sensitive business information
  • Ensure your program's information technology (IT) security can promptly detect network breaches, such as compromised staff email accounts.
  • Do not name the financial institution you work with in public documents, such as annual reports or online financial statements.
  • Conduct periodic checks with your financial institution to identify any recent unauthorized changes to the organization's account administrator or signatory authority.
  • Discuss with your financial institution options to require two-factor authentication in order to request changes to your accounts.
  • Schedule regular monitoring of accounts by fiscal staff to check for unauthorized fund transfers.
  • Implement procedures to ensure the secure receipt and storage of all electronic banking documents and check periodically for intrusion.

LSC reminds grantees that the suspected cyber incidents are potential fraud activities that LSC's Basic Field Grant Terms and Conditions require a grantee to notify the LSC-OIG Hotline of within two business days of learning of the event. On September 20, 2021, LSC's Inspector General issued Fraud Alert 21-0154-A-FA: Prompt Reporting of Potential Fraud Indicators to the Office of Inspector General highlighting cyber threat indicators that suggest the types of schemes that you and your staff should report to OIG if you suspect your organization has becomes a target:

  • Suspicious or unjustified requests to change payment or money transfer information.
  • Hyperlinks that contain misspellings or changes to the actual domain name.
  • URL spoofing, which occurs when a fraudulent link is masked to look like a legitimate or familiar source.
  • Urgent or unusual requests from a person of authority at the organization.
  • An email or text message requesting personal or sensitive information.
  • An email or text message asking an employee to click on a link.
  • An email or text message requesting verification of direct deposit information.
  • Evidence that international IP addresses are accessing your systems.

To guard against successful infiltration of your system through the use of these schemes, your internal controls should include multi-factor authentication to verify the legitimacy of requests like those listed above.

As a reminder, the 2022 Basic Field Grant Terms and Conditions require your staff to have cybersecurity training. Previous communications also informed you that LSC will provide access to and pay for that training.

Following the widespread shift to remote work during the Covid-19 pandemic, LSC's Inspector General investigated a case in which an attorney was found to be employed simultaneously (full-time) at two different LSC-funded programs. LSC-OIG Hotline Advisory: Outside Employment During Remote Work, published on May 11, 2022, notes the following red flags that may indicate an employee is working separate full-time jobs during the same core hours:

  • The employee may decline meeting invitations or refuse to turn on the video function for virtual meetings.
  • The employee may have a decrease in work product.
  • The employee may increase their use of paid time off to focus on projects at the other job.
  • There may be an increase in client complaints regarding the services provided by the employee.
  • The employee's contact with supervisors, staff, and clients may decrease.
  • The employee may not respond to calls or emails within a reasonable timeframe.
  • The employee may increasingly work outside of core work hours or conduct work on weekends.

Grantees are encouraged to revisit past OIG fraud alerts noted in the Hotline Advisory pertaining to outside employment by non-attorneys and the unauthorized practice of law, as well as guidance in Program Letter 18-1 addressing outside employment.

 

Additional Information

Stay updated on the latest LSC OIG news and receive alerts when new OIG advisories are issued by registering for email updates.

If you have any concerns or questions regarding compliance with LSC regulations, particularly those noted in this Letter, please contact Lora M. Rath, Director of LSC's Office of Compliance and Enforcement, at rathl@lsc.gov or by calling 202-295-1524. In addition, OCE staff are available to provide grantees with relevant training upon request. Training requests should also be submitted to Ms. Rath.