Compliance Advisory 23-3
Ronald Flagg, President
October 16th, 2023
This Program Letter describes the most common compliance issues that the Legal Services Corporation's ("LSC") Office of Compliance and Enforcement ("OCE") has observed during compliance oversight visits in the past 12 months or which have otherwise come to LSC Management's attention. This Program Letter highlights these issues so you and your staff can avoid or mitigate compliance risks. More extensive guidance, including examples of how LSC grantees have implemented the compliance requirements listed below, can be found in OCE Final Reports from visits to LSC-funded legal aid programs. Final Reports can be found online under Assessment Visit Reports by visiting this link: https://www.lsc.gov/i-am-grantee/assessment-visit-reports.
I encourage you to share this guidance, along with the guidance LSC has provided in previous years, with your staff.
Fiscal Management and Internal Controls
45 C.F.R. Part 1630 – Determination of Costs. See also Program Letter 18-2.
Pursuant to 45 C.F.R. § 1630.5(c)(3) and LSC Program Letter 18-2, "[r]ecipients must maintain accounting systems sufficient to demonstrate the proper allocation of costs to each of their funding sources," including where one or more funding source refuses to pay for indirect costs. Recipient organizations receiving funds from multiple sources should ensure that all costs that support work performed under more than one grant, contract, or other funding agreement are allocated among the relevant funding sources.
LSC regulations at 45 C.F.R. § 1630.5(g) explain that "[s]ome funding sources may refuse to allow the allocation of certain indirect cost to an award. In such instances, a recipient may allocate a proportional share of another funding source's share of an indirect cost to LSC funds, provided that the activity associated with the indirect cost is permissible under the LSC Act, LSC appropriations statutes, and regulations." Indirect costs are allocable to LSC if they are incurred specifically for the grant, benefit both the grant or contract and other work, and can be distributed in reasonable proportion to the benefits received or are necessary to the recipient's overall operation. Such costs include but are not limited to, costs of operating and maintaining facilities and general administrative expenses.
Grantees are further reminded that pursuant to 45 C.F.R. § 1630.7, LSC funds cannot be used to pay membership fees or dues to any private or nonprofit organization.
LSC Financial Guide, § 2.5.3 – Electronic Data Processing and Cybersecurity
Pursuant to the LSC Financial Guide, § 2.5.3, recipients must include a requirement in their Emergency Disaster Plan to perform periodic testing and update their written policies to include an Electronic Data Processing and Cybersecurity risk assessment.
LSC Financial Guide, § 3.2.1.c – Bank Statements and Reconciliations. See also LSC Program Letter 2020-04 and Accounting Standards Update 2018-08.
Pursuant to the LSC Financial Guide, § 3.2.1.c, recipients are required to perform bank reconciliations for each bank account on a timely basis after the close of each month. Monthly reconciliations must be performed by an individual who does not initiate or transmit electronic transactions, has no access to cash, is not a check signer, and has no bookkeeping duties. Additionally, the individual who prepares the bank statement reconciliation must document this by including their initials or signature, and the date the task was performed. Bank reconciliations must contain a clear indication of effective review and approval by management, as evidenced by signature or initials and date.
Signatures or initials must be via a physical or electronic system providing a reasonable indication of authenticity.
Any checks identified as outstanding for six months or more are required to be investigated and resolved. Voided checks must be recorded, retained, and entered in the general ledger as "VOID." The reconciliation documentation must include evidence that identified adjustments were promptly made to the general ledger.
Recipients must adopt written policies and procedures to guide their staff in complying with § 3.2.1.c.
LSC Program Letter 2020-4 further explains that LSC Basic Field Grant awards are non-exchange transactions/contributions with conditions, and therefore, unexpended grant amounts should be reflected in the grantee's liability account (e.g., deferred revenue) in accordance with Accounting Standards Update ("ASU") 2018-08.
Automated Case Management System
CSR Handbook (2017 Ed.), § 3.6 – Financial Eligibility Screening. See also LSC Program Letter 02-06.
Pursuant to the requirements of CSR Handbook (2017 Ed.), § 3.6 and LSC Program Letter 02-6, grantees must remove all defaults from the financial eligibility screen of their automated case management system ("ACMS") to ensure the accuracy of all entered financial eligibility information. When paper intake forms are used for full intake screening, recipients must ensure they are sufficient for conducting a complete and compliant intake screening. These paper forms must contain all mandatory questions and record data in a manner that closely reflects the ACMS data entry.
Regulatory Concerns
45 C.F.R. Part 1604 – Outside Practice of Law
Recipient organizations are required by 45 C.F.R. Part 1604 to adopt written policies that detail the organization's internal policies and procedures pertaining to any allowable outside practice of law by full-time attorneys. According to the regulation, a compliant "outside practice of law" policy must articulate: (1) the permissible activities outlined in 45 C.F.R. § 1604.4; and (2) the restrictions listed in 45 C.F.R. §§ 1604.5, 1604.6, and 1604.5(a)(2). LSC has published several resources to support recipients in complying with this regulation and other similar regulations, all of which can be found by following this link: https://www.lsc.gov/about-lsc/laws-regulations-and-guidance/lsc-regulations/lobbying-and-political-activities.
45 C.F.R. Part 1610 – Program Integrity and Use of Non-LSC Funds. See also Program Letter 22-3.
Under 45 C.F.R. Part 1610, important restrictions and requirements exist regarding the use of non-LSC funds to ensure grantees maintain program integrity. Pursuant to Part 1610, "no recipient may accept funds from any source other than LSC unless the recipient provides the source of the funds with written notification of LSC Prohibitions and conditions that apply to the funds, except from receipt of any single contribution of less than $250."
Recipients are reminded that, under § 1610.8, their governing body must certify annually that "the recipient is in compliance with the requirements" of that section as described by Program Letter 22-3. The Certification Form and a description of recipients' required annual obligation to report compliance with Part 1610 can be found by referencing Program Letter 22-3.
45 C.F.R. § 1611.3(e) – Financial Eligibility and Victims of Domestic Violence
Pursuant to the requirements of 45 C.F.R. § 1611.3(e), recipients must specify in their financial eligibility policy that income and assets held jointly between an applicant and the alleged perpetrator of domestic violence or between a member of the applicant's household and the alleged perpetrator of domestic violence must not be included when calculating the applicant's asset or income totals.
45 C.F.R. § 1611.6 – Representation of Groups. See also LSC Advisory Opinion 2016-003.
Section 1611.6 sets forth financial standards for groups, corporations, small businesses, etc., seeking legal representation that requires the entity to demonstrate, prior to receiving legal assistance, that it "lacks, and has no practical means of obtaining, funds to retain private counsel and either: (1) the group, or for a non-membership group the organizing or operating body of the group, is primarily composed of individuals who would be financially eligible for LSC-funded legal assistance; or (2) the group has as a principal activity the delivery of services to those persons in the community who would be financially eligible for LSC-funded legal assistance and the legal assistance sought relates to such activity."
Pursuant to LSC Advisory Opinion 2016-003, groups, corporations, small businesses, etc., seeking legal representation are required to show, prior to receiving such assistance, that the group, or for a non-membership group, the organizing or operating body of the group, is "primarily composed of individuals who would be eligible for LSC-funded legal assistance" under 45 C.F.R. Part 1626; or "the group has as a principal activity the delivery of services to those persons in the community who would be eligible for LSC-funded legal assistance" under Part 1626 and the legal assistance sought relates to such activity. Grantees should revise small business intake forms to ensure sole proprietors are properly screened as individuals, not as group applicants.
45 C.F.R. § 1611.9 – Retainer Agreements. See also CSR Handbook (2017 Ed.), § 8.3.
Pursuant to 45 C.F.R. § 1611.9, written retainer agreements must identify the legal problem for which representation is sought and explain the nature of the services to be provided. Such agreements must be executed when recipients provide extended legal services to a client. Grantees are reminded that extended service case categories are defined at CSR Handbook (2017 Ed.), § 8.3.
45 C.F.R. Part 1612 – Restrictions on Lobbying and Certain Other Activities
Pursuant to 45 C.F.R. Part 1612, recipients of LSC funding and their employees cannot engage in certain prohibited activities, including, but not limited to, direct lobbying activity and grassroots lobbying. Therefore, recipients must maintain lobbying policies and procedures that sufficiently reflect the spirit of 45 C.F.R. Part 1612, including the recordkeeping and accounting requirements listed in § 1612.10.
45 C.F.R. Part 1614 – Private Attorney Involvement
To ensure compliance with 45 C.F.R. § 1614.2(a)(1), recipients must separately track LSC-eligible PAI matters activities and not use the same code for ineligible activities. For example, recipients operating pro se clinics staffed by law school students can only report cases as PAI-eligible if supervised by a private attorney as required by Part 1614.3(a).
45 C.F.R. Part 1626 – Restrictions on Legal Assistance to Aliens and CSR Handbook (2017 Ed.), §§ 5.5 and 5.6 – Legal Assistance Documentation Requirements.
Recipients must ensure that all clients, including those receiving extended services, provide a citizenship attestation or demonstrate alien eligibility. CSR Handbook (2017 Ed.), § 5.5 requires that all case files contain timely executed citizenship attestations, including the necessary citizenship documentation or proof of alien eligibility. Therefore, to avoid erroneous denial of services to eligible individuals, including aliens, recipient organizations should consult CSR Handbook (2017 Ed.), § 5.5, and ensure their citizenship attestation forms match the language requirements articulated. In addition, recipients are reminded that under 45 C.F.R. § 1626.4, victims of domestic violence do not have to be citizens of the United States or eligible non-citizens for their cases to be deemed eligible for services funded by LSC.
45 C.F.R. Part 1631 – Real Property Accounting and Reporting
Recipients owning LSC-funded real property are required to adhere to certain accounting and reporting provisions under 45 C.F.R. Part 1631. Recipients must maintain an accounting of LSC funds related to the purchase or maintenance of real property purchased with LSC funds. The accounting must include the amount of LSC funds used to pay for acquisition costs, financing, and capital improvements. This accounting must be provided to LSC annually, no later than April 30 of the following year or in a recipient's annual audited financial statements submitted to LSC. 45 C.F.R. § 1631.19. As a best practice, all recipients owning real property in which LSC has an interest should contemporaneously document property-related expenses and track the amount of LSC funds used over the life of the investment.
Fraud Awareness
On March 13, 2023, LSC's Office of the Inspector General ("OIG") issued a Hotline Advisory notifying grantees of a U.S. Government resource helpful in protecting businesses and communities from ransomware attacks. The resource, which can be found by following this link: https://www.cisa.gov/stopransomware, includes content about tackling ransomware from various federal agencies, including the Federal Bureau of Investigation and the U.S. Secret Service.
LSC grantees might also find the following content on ransomware useful:
Section 2.5.3 of the LSC Financial Guide requires grantees to establish policies specifically addressing cybersecurity and the risks associated with cyber incidents. In addition, due to the large amount of personally identifiable information ("PII") stored within grantee databases, the OIG suggests that grantees adopt policies and oversight practices that ensure the client information is secure from internal and external threats. A breach of systems, files, or unintended sharing of PII can produce damaging effects, including financial loss, identity theft, weakened client confidence, and diminished grantee reputation.
To protect client PII, LSC encourages grantees to review this fact sheet released by the Cybersecurity and Infrastructure Security Agency ("CISA"). In general, CISA recommends that organizations:
- Know what personal and sensitive information is stored in your systems and who has access to it. Limit the availability of data by only storing information needed for business operations. Finally, ensure that data is properly disposed of when it is no longer needed.
- Implement physical security best practices. CISA recommends visiting the Federal Trade Commission's ("FTC") Guide for Businesses on Protecting Personal Information and the FTC's resource on Security for Small Businesses.
- Implement cybersecurity best practices by:
  - Identifying the computers and servers where sensitive personal information is stored.
  - Note: Do not store sensitive or personal data on internet-facing systems or laptops unless it is essential for business operations. If laptops contain sensitive data, encrypt them and train employees on proper physical security on the device.
  - Encrypt sensitive information at rest and in transit.
  - Implement firewalls to protect networks and systems from malicious or unnecessary network traffic.
  - Consider applying network segmentation to further protect systems that store sensitive personal information.
- Ensure your cyber incident response and communications plans include response and notification procedures for data breach incidents. Also, ensure the notification procedures adhere to applicable state laws by referring to this guide from the National Conference of State Legislatures.
Additional guidance on protecting PII can be found by consulting this CISA-recommended guide. In addition, please refer to the OIG's cybersecurity site, found here, for additional information on cybersecurity resources.
Additional Information
Stay updated on the latest LSC Office of Inspector General news and receive alerts when new OIG advisories are issued by registering for email updates.
Recipients are reminded that, as of January 1, 2023, the LSC Financial Guide replaced the LSC Accounting Guide.
If you have any questions or concerns regarding compliance with LSC regulations, particularly those noted in this letter, please contact Lora M. Rath, Director of LSC's Office of Compliance and Enforcement, at rathl@lsc.gov or by calling (202) 295-1524. In addition, OCE staff are available to provide grantees with relevant trainings upon request. Such requests should be submitted to Ms. Rath.