Get legal help

Stay Informed With LSC

Program Letter 25-3

Compliance Advisory

TO: All Executive Directors, All Board Chairs, All Chief Financial Officers

FROM: Ronald S. Flagg, President

DATE: October 16, 2025

SUBJECT: Compliance Advisory

Download PDF

This Program Letter summarizes the most frequently observed compliance issues identified by the Legal Services Corporation’s (LSC) Office of Compliance and Enforcement (OCE) over the past 12 months during oversight visits and other monitoring activities. It highlights these issues so you and your staff can avoid or mitigate compliance risks. For more extensive guidance, including examples of effective implementation by grantees, recipients should refer to OCE Final Reports from prior visits to LSC-funded legal aid programs, which are available at Assessment Visit Reports.

I encourage you to share this guidance broadly with staff, along with similar advisories issued in prior years.

Fiscal Management and Internal Controls

45 C.F.R. Part 1630 – Cost Allocation. See also Financial Guide, § 3.7.1

OCE continues to identify deficiencies in recipients’ written cost allocation policies, particularly concerning direct and indirect costs, reconciliation processes, and proper documentation.

Pursuant to 45 C.F.R. § 1630.5(c)(3), "[r]ecipients must maintain accounting systems sufficient to demonstrate the proper allocation of costs to each of their funding sources." Further, pursuant to the LSC Financial Guide, § 3.7, a recipient “must adopt written policies and procedures to guide its staff” in cost allocation procedures. Consistent with the principles of the LSC Financial Guide, § 3.7.1, such policies “must address the following: [...] [d]irect cost methodology(ies)[,] [i]ndirect cost allocation methodology(ies), [and] [d]ocumentation requirements to support the allocation.”1

Recipients are reminded that there must be sufficient documentation for LSC and other third-party reviewers to follow the cost allocation process from start to finish. Additionally, an allocation base must be cost-driven and therefore measure benefits provided to a cost objective. Recipients must implement and document a cost allocation methodology that utilizes a cost-driven allocation base for indirect personnel costs (e.g., program, contract).

Proper cost allocation policies and documentation are essential for financial transparency and to ensure the correct utilization of multiple funding sources. LSC reminds recipients to adopt Board-approved written cost allocation policies detailing direct and indirect cost methodologies, bases for allocation, and documentation requirements.

LSC Financial Guide, § 2.3 – Record Retention

OCE found that some recipients lack updated policies on document integrity, back-up procedures, and internal controls over financial records.

Recipients are reminded that, pursuant to LSC Financial Guide, § 2.3, they are required to retain all financial records, supporting documents, statistical records, and all other records pertinent to an award for a minimum period of three years from the end of the grant term. Some records have a three-year retention period, while others have a seven-year or permanent retention period.2

Maintaining proper documentation supports audit readiness and preserves institutional knowledge.

LSC Financial Guide, § 3.2.1.c – Bank Statements and Reconciliations and LSC Financial Guide, § 2.5.3 – Electronic Data Processing and Cybersecurity

OCE found frequent issues related to missing bank reconciliations, lack of signatures/dates evidencing preparation and review, outstanding stale checks not investigated, and absence of electronic banking risk assessments.

Pursuant to the LSC Financial Guide, § 3.2.1.c, recipients are required to perform bank reconciliations for each bank account on a timely basis after the close of each month. Additionally, the individual who prepares the bank statement reconciliation must document this by including their initials or signature, and the date the task was performed.

According to the LSC Financial Guide, § 2.5.3, “[r]ecipients are required to have written security policies and procedures for physical and digital assets, including all financial data and records in any form (e.g., electronic data processing (EDP) and cybersecurity policies and procedures). These policies and practices should be part of an overall data and records security policy and an annual overall risk-assessment process.” Included in the requirements of the Financial Guide are that the related policies and procedures must require that the recipient perform (and document) an annual risk assessment and develop and periodically test an emergency disaster prevention and recovery plan.3 Recipients are reminded that they must: (1) perform and formally document the risk assessments related to EDP and cybersecurity, and (2) develop and periodically test an emergency disaster prevention and recovery plan.

Regular reconciliations and risk assessments protect against financial errors and fraud.

Regulatory Concerns 45 C.F.R. Part 1604 – Outside Practice of Law

OCE observed recipients with policies that were incomplete or not fully aligned with regulatory requirements. These policies lacked provisions such as permissible activities, restrictions, compensation, use of resources, and monitoring procedures.

Recipient organizations are required by 45 C.F.R. Part 1604 to follow their written policies that detail the organization's internal policies and procedures pertaining to any allowable outside practice of law by full-time attorneys. Recipients are reminded that their policies may permit the outside practice of law by full-time attorneys only to the extent allowed by the LSC Act and Part 1604. However, recipients may impose additional restrictions as necessary to meet the organization’s responsibilities to clients.

Additionally, recipients are reminded of the obligation discussed in LSC Advisory Opinion 2020-002 that Part 1604 policies and practices include methods for monitoring and documenting approved outside practice of law in order to demonstrate ongoing compliance with Part 1604. Such monitoring should include the use of leave time when full-time attorneys are approved for outside practice of law activities (i.e., time taken off to engage in the outside practice activity) and whether the nature of the approved outside practice has changed.

Ensuring clear, comprehensive policies that prevent conflicts and unauthorized legal work is critical for maintaining regulatory compliance and ethical standards. LSC recommends that grantees develop a detailed written policy aligned with 45 C.F.R. Part 1604 that clearly defines permissible outside legal activities, requires prior approval and periodic reporting, and prohibits more than a de minimis or limited use of recipient resources for outside work. As a best practice, the policy would also require notifying grantee management upon completion. All recipient attorneys should be trained on these policies regularly.

45 C.F.R. § 1611.3(d) – Financial Eligibility and Asset Ceilings

Several recipients failed to properly implement and adhere to the regulatory requirements concerning asset ceilings and exemptions in financial eligibility determinations. Case review and staff interviews revealed that grantees do not always adequately screen for exempt assets or fail to document such exclusions appropriately.

Pursuant to § 1611.3(d)(1), “As part of its financial eligibility policies, every LSC recipient shall establish reasonable asset ceilings for individuals and households. In establishing asset ceilings, the recipient may exclude consideration of a household’s principal residence, vehicles used for transportation, ...”

Recipients should revise their financial eligibility policies to explicitly incorporate all required asset exemptions, ensure comprehensive and consistent screening procedures, provide general and targeted staff training, and maintain detailed documentation to support eligibility decisions.

45 C.F.R. Part 1614 and CSR Handbook (2017 Ed.), § 5.6 - Legal Assistance Documentation Requirements

OCE identified deficiencies in documenting the legal assistance provided by attorneys or volunteers, including insufficient case status reporting and a lack of detailed descriptions of the services rendered.

Pursuant to CSR Handbook (2017 Ed.), § 5.6, for each case reported to LSC, the case file or the Case Management System (CMS) must contain a description of the legal assistance provided to the client. Such a description should be sufficient to document that the assistance is a case and to support the level of assistance selected by the program to close the case.

Recipients are required to have procedures in place as well as documentation contained within the case file or CMS, which ensures cases are closed with the CSR Closure Category which most accurately reflects the highest level of legal assistance provided to the client.

Accurate information about staff and Private Attorney Involvement (PAI) activities—and how that information is reported—is essential for ensuring proper allocation of LSC funding and maintaining compliance with LSC regulations.

45 C.F.R. Part 1626 – Restrictions on Legal Assistance to Aliens and CSR Handbook (2017 Ed.), § 5.5 – Citizenship and Alien Eligibility Documentation Requirements

OCE found missing or undated citizenship attestations and incomplete documentation of client eligibility.

Pursuant to 45 C.F.R. § 1626.6 and CSR Handbook, § 5.5, recipients must (1) ensure citizenship attestations are executed when required and in a timely manner (unless the emergency provision of 45 C.F.R. § 1626.8 is properly applied); and (2) implement oversight procedures to ensure that all case files that require one contain a timely and properly executed citizenship attestation.

Complete and timely documentation is necessary to comply with the restrictions on legal assistance to non-eligible persons. Recipients must ensure paper case files or electronic Case Management Systems contain signed and dated attestations verifying citizenship or documentation to support eligibility status. Recipients should train all intake and case handler staff on documentation standards and conduct periodic file reviews to confirm compliance.

45 C.F.R. Part 1631 – Real Property Accounting and Reporting

The Office of Inspector General’s final report on a performance audit of LSC’s Oversight of its Interest in Real Property identified concerns with inadequate financial tracking and reporting of LSC-funded real property.

Recipients owning LSC-funded real property are required to adhere to certain accounting and reporting provisions under 45 C.F.R. Part 1631. Recipients must maintain an accounting of LSC funds related to the purchase or maintenance of real property purchased with LSC funds. The accounting must include the amount of LSC funds used to pay for acquisition costs, financing, and capital improvements. This accounting must be provided to LSC annually, no later than April 30 of the following year or in the recipient’s annual audited financial statements submitted to LSC. 45 C.F.R. § 1631.19.

As a best practice, all recipients owning real property in which LSC has an interest should contemporaneously document property-related expenses and track the amount of LSC funds used over the life of the investment.

45 C.F.R. Part 1635 - Timekeeping Requirements and Payroll Reconciliation

OCE found common deficiencies, including inaccurate time records, a lack of periodic reconciliations between labor distribution reports and individual timesheets, and incomplete supporting documentation.

Recipients must base allocations of salaries and wages on records that accurately reflect the work performed. See 45 C.F.R. § 1635.4.

Recipients may not use LSC funds to pay employees for time not worked and not charged to an appropriate leave category.

Recipients should conduct regular reconciliations between labor distribution reports and timesheets. Any adjustments must be documented and maintained for audit trail purposes. Reliable time records and reconciliations support accurate billings and audit readiness.

OCE recommends daily time tracking. Supervisors should review and approve time records for each pay period.

Student Loan Repayment Programs

The Office of Inspector General (OIG) identified several concerns, including overpayments compared to the actual loan payments made and insufficient documentation for reimbursements.

The OIG and LSC recommend that grantees review their student loan repayment programs. The policies and procedures should: clearly define eligibility, payment limits, and documentation requirements; require employee certification of outstanding loans and repayment obligations on an annual or more frequent basis; and require periodic submission and review of supporting documentation. The policies should also prohibit payments that exceed the actual loan payment amounts. See below for additional recommendations.

New LSC Program Letter

Program Letter 25-2: Use of LSC Basic Field Funds for Disaster or Crisis Needs in OtherService Areas (issued April 9, 2025).

Program Letter 25-2 establishes a temporary, need-driven exception to the usual restriction that Basic Field Grant funds must be used only within a grantee’s own designated service area. It also discusses using Basic Field funds to assist eligible clients who are temporarily displaced between service areas due to a disaster or crisis.

In sum, grantees may, under certain circumstances, use Basic Field Grant funds to support another service area experiencing a disaster or crisis (i.e., provide “surge support”). Examples of surge support include:

  • Staffing intake functions or operating intake in the affected area
  • Deploying attorneys or staff to conduct disaster legal clinics
  • Loaning staff or resources to the impacted grantee
  • Accepting or referring clients from that other area(s)

Additionally, grantees may use Basic Field Grant funds to provide services to LSC-eligible clients who have been temporarily relocated (into or out of) a service area due to a disaster or crisis.

All costs charged must be separately tracked (analogous to how disaster grant funds are documented). Separate cost accounting is required to distinguish between regular service area spending and surge/disaster activities.

Fraud Awareness

The Office of Inspector General ("OIG") issued important fraud advisories over the past year. Highlights include:

Fraud Advisory 25-0098-A-FA: Avoiding Artificial Intelligence (“AI”) Fraud Schemes in Civil Legal Aid (issued March 6, 2025).

This advisory advises grantees of common AI cyberschemes including:

  • Deepfake schemes.
  • Chatbot Schemes.
  • Automated Phishing
  • Data Manipulation and Document Forgery.
  • Malware Attacks.
  • Synthetic Identity Fraud.

Grantees are encouraged to combat AI-driven fraud by taking various actions, including:

  • Educating and Training Staff: Implement regular training sessions on AI fraud schemes.
  • Ensuring Privacy and Confidentiality: Protect employee and client personally identifiable information (PII) and data.
  • Being Wary of Impersonation and Urgent Requests: Remain vigilant with any online interactions and communications, especially those asking you to take immediate action, and always employ two-step verification for any financial transactions or confidential information sharing.
  • Securing Devices: Scan devices for malware using virus scanners and update devices to ensure the latest security features.
  • Utilizing Two-Factor Authentication for Online Accounts: Requiring two identifying factors, such as a password entry and a text sent to a cellphone, would diminish the likelihood of becoming a victim.
  • Reporting Cyber Incidents Promptly to the OIG Hotline: LSC Grant Terms and Conditions require grantees to report cyber incidents to the Office of Inspector General Hotline. As a follow-up to the hotline report, the OIG will request that grantees also complete a form when the OIG requires additional information related to the cyber incident.

Deter Cyberattacks with 10 Essential Safeguards (issued September 3, 2025).

This advisory recommends that grantees work with their Information Technology (IT) staff and/or service providers to enact the following defensive measures:

  • Implementing strong password policies;
  • Keeping software and systems updated;
  • Using Firewalls, Antivirus, and Endpoint Protection.
  • Controlling Access to Systems and Data.
  • Backing Up Data Frequently and Securely.
  • Training Staff and Volunteers on Cybersecurity Regularly.
  • Conducting Regular Security Reviews.
  • Monitoring and Responding to Threats.
  • Developing and implementing formal IT Security Policies.
  • Ensuring Vendor and Third-Party Risk Management.

Fraud Advisory 25-0186-A-FA: Taking Action to Address Frand and Compliance Risks with Student Loan Assistance Programs (issued September 25, 2025).

This advisory informs grantees of the risks associated with student loan assistance programs and offers suggestions for implementing controls to help ensure appropriate use of LSC funds during the administration of these programs.

To proactively mitigate fraud and compliance risks, the advisory suggests that grantees consider taking the following actions:

  • Establish a policy that includes eligibility for participation, required tenure, participation requirements, and limitations on monthly/yearly assistance payment amounts.
  • Ensure that the policy includes a process for fiscal oversight, including the requirement for assistance recipients to provide supporting documentation to verify loan payments made by the employee and retain documentation for an appropriate period of time.
  • Require that employees requesting assistance acknowledge in writing that they have been informed of the grantee’s policy, have read the policy, and understand the terms.
  • Require that employees requesting loan assistance provide documentation supporting that they have existing outstanding student loan debt.
  • Require employees requesting or receiving assistance to disclose whether they are receiving student loan assistance payments from sources other than your program. This includes funds from the LSC-funded Loan Repayment Assistance Program (LRAP) program.
  • Require employees requesting assistance to certify in writing that they will make the appropriate loan payments.
  • Require employees receiving assistance to notify the grantee immediately if their student loans are forgiven so that assistance payments may be discontinued.
  • Establish a mechanism to periodically review the supporting documentation submitted by employees to verify that assistance payments have been substantiated. The supporting documentation should be retained for an appropriate amount of time to ensure the opportunity for inspection by a third-party reviewer.

Additional Information

Stay updated on the latest LSC Office of Inspector General news and receive alerts when new OIG advisories are issued by registering for email updates.

If you have any questions or concerns regarding compliance with LSC regulations, particularly those noted in this letter, please contact Lora M. Rath, Director of LSC's Office of Compliance and Enforcement, at rathl@lsc.gov or by calling (202) 295-1524. In addition, Chief Financial Officers and other financial professionals are encouraged to contact their assigned OCE Fiscal Compliance Analyst for technical guidance. Finally, OCE staff are available to provide recipients with relevant training upon request. Such requests should be submitted to Ms. Rath.