Compliance officers

Last updated: 25 November 2019
This practice note explains who can be a compliance officer for legal practice (COLP) or a compliance officer for finance and administration (COFA). It also covers what these roles entail, and recording and reporting requirements.

Legal status

This practice note is our view of good practice in this area. 

We issue practice notes for the use and benefit of our members. They represent our view of good practice in a particular area. They’re not intended to be the only standard of good practice that solicitors can follow. You’re not required to follow them but doing so will make it easier to account to oversight bodies for your actions.

Practice notes are not legal advice, nor do they necessarily provide a defence to complaints of misconduct or of inadequate professional service. While care has been taken to ensure that they’re accurate, up to date and useful, the Law Society will not accept any legal liability in relation to them.

The Solicitors Regulation Authority (SRA) Standards and Regulations 2019 replaced the SRA Handbook (2011) from 25 November 2019. Accordingly, this practice note is relevant to all law firms and sole practitioners authorised by the SRA. It is also relevant to individual solicitors, registered European lawyers (RELs) and registered foreign lawyers (RFLs), wherever they practise.

For queries or comments on this practice note, contact the Law Society's Practice Advice Service.

SRA Principles

There are seven mandatory principles which apply to all those the SRA regulates and to all aspects of practice. The principles can be found in the SRA Standards and Regulations 2019.

The principles apply to all authorised individuals (solicitors, RELs and RFLs), authorised firms and their managers and employees. They also apply to individuals and the parts of a licensed body involved in delivering the regulated services.

Terminology

 

Must - A specific requirement in legislation or of a principle, rule, regulation or other mandatory provision in the SRA Standards and Regulations. You must comply, unless there are specific exemptions or defences provided for in relevant legislation or the SRA's Regulatory Arrangements.

Should - Outside of a regulatory context, good practice for most situations in the Law Society's view. In the case of the SRA Standards and Regulations, a non-mandatory provision (such as may be set out in notes or guidance).

These may not be the only means of complying with legislative or regulatory requirements and there may be situations where the suggested route is not the best possible route to meet the needs of your client. However, if you do not follow the suggested route, you should be able to justify to oversight bodies why the alternative approach you have taken is appropriate, either for your practice, or in the particular retainer.

May - A non-exhaustive list of options for meeting your obligations or running your practice. Which option you choose is determined by the profile of the individual practice, client or retainer. You may be required to justify why this was an appropriate option to oversight bodies. 

1 Introduction

1.1 Who should read this practice note?

Compliance officers for legal practice (COLPs) and compliance officers for finance and administration (COFAs).

Solicitors involved in the appointment of COLPs or COFAs and anyone considering taking on a compliance role may also find it useful.

1.2 What's the issue?

All practices authorised by the Solicitors Regulation Authority (SRA) must appoint a COLP and a COFA. Practices authorised by the SRA include recognised bodies (partnerships, LLPs, companies), recognised sole practitioners, and licensed alternative business structures (ABSs). 

The SRA Authorisation Rules for Legal Services Bodies and Licensable Bodies outline the requirements for the roles of COLP and COFA. The responsibilities of compliance officers are set out in Paragraph 9 of the SRA Code of Conduct for Firms.

2 Who can be a COLP or COFA?

The role of COLP and COFA can be carried out by the same individual. In practice, this is only likely to be workable in smaller firms.

2.1 Who can be a COLP?

A COLP must be an individual who:

  • is a lawyer of England or Wales; a registered European lawyer (REL) or European lawyer regulated by the Bar Standards Board
  • is an employee or manager of the practice
  • is approved by the SRA for that role (either expressly or by deemed approval – see 2.3 below)
  • has consented to undertake the role
  • is authorised to do one or more of the reserved activities specified in the practice's certificate of authorisation 
  • has not been disqualified from acting as a head of legal practice (HOLP) - as defined in the Legal Services Act 2007
  • is of sufficient seniority and in a position of sufficient responsibility to fulfil the role

There is no definition as to what sufficiently senior or responsible might mean. However, guidance indicates that COLPs should have:

  • clear reporting lines between themselves and the governing body of the practice, that is, the partners, members or directors
  • access to all management systems and arrangements and all other relevant information

If there’s no individual of sufficient seniority with detailed knowledge of compliance systems, the COLP may delegate some of the day-to-day functions (but not responsibility) to other members of staff. However, the COLP should monitor any work they delegate and maintain clear reporting lines with those carrying out day-to-day functions on their behalf.

2.2 Who can be a COFA?

A COFA must be an individual who:

  • is an employee or manager of the practice
  • is approved by the SRA for that role
  • has consented to undertake the role
  • has not been disqualified from acting as a head of finance and administration (HOFA) - as defined in the Legal Services Act 2007
  • is of sufficient seniority and in a position of sufficient responsibility to fulfil the role

As noted in section 2.1, there is no definition as to what sufficiently senior or responsible might mean.

Unlike a COLP, the COFA does not need to be a lawyer. This allows practices greater flexibility about who they can appoint. 

The role relates to the SRA's Accounts Rules. Therefore the COFA will need a good understanding of the rules applying to solicitors, rather than just a general financial understanding.

2.3 Nomination of COLPs and COFAs

All practices authorised by the SRA must appoint a COLP and COFA. The same individual may be appointed to carry out both roles.

ABSs need to have individuals appointed to the roles of COLP and COFA when they are licensed by the SRA.

Authorised bodies must apply to the SRA for COLPs and COFAs to be approved (Rule 14 SRA Authorisation Rules 2011), except in the case of sole practitioners and firms with an annual turnover of no more than £600,000, where deemed approval applies (Rule 13.3).

Deemed approval means that the SRA must be informed of the nomination before the person takes up their post, but the SRA does not undertake an approval process in relation to these individuals.

If an individual who requires approval is not approved by the SRA, the firm has a right of appeal against that decision. 

3 The role of compliance officers

Compliance officers are a fundamental part of a practice's compliance and governance arrangements. They are instrumental in creating a culture of compliance throughout the firm.

The responsibilities placed on compliance officers are broad. While the responsibility for compliance ultimately rests with the managers of a practice, compliance officers may be liable for regulatory action if they fail to meet their responsibilities. However, the SRA will not use COLPs and COFAs as 'sacrificial lambs' for lack of a practice-wide compliance culture (see section 6 on personal liability).

Even though compliance ultimately rests with the managers of a practice, there may be situations when a compliance officer reports issues to the SRA which may be against the wishes of the managers of the practice. 

3.1 The role of the COLP

In essence, the role of the COLP is to:

  • take all reasonable steps to ensure compliance with the terms and conditions of their practice's authorisation
  • take all reasonable steps to ensure compliance with any statutory obligations, for example the duties imposed by the Legal Services Act 2007, the Solicitors Act 1974 and the Administration of Justice Act 1985
  • take all reasonable steps to record failures to comply, in order to be able to recognise material failures that must be reported to the SRA
  • report material failures to comply to the SRA as soon as reasonably practicable. Only ABSs are required to report non-material breaches as part of the Information Report required under Rule 8 of the Authorisation Rules

3.1.1 SRA regulatory arrangements

COLPs should note that compliance with the conditions of the practice's licence includes compliance with all the SRA's regulatory arrangements including those within the SRA Standards and Regulations 2019. The SRA regulatory arrangements include all rules and regulations set by the SRA in relation to:

  • authorisation
  • practice
  • conduct
  • discipline
  • qualification of persons carrying on legal activities
  • accounts
  • indemnification and compensation arrangements.

With the exception of the Accounts Rules, COLPs must be in a position to be able to discharge these responsibilities.

3.1.2 General conditions of authorisation

General conditions are applied to all practices' authorisation (set out in Rule 8 of the Authorisation Rules). These include conditions in relation to:

  • compliance with regulatory arrangements
  • suitable arrangements for compliance
  • management and control of a practice including approval of managers and owners
  • provision of information to the SRA

The range of general conditions placed on a practice's authorisation means that a COLP's responsibilities relate to a broad range of requirements. COLPs should become familiar with the general conditions as well as any additional conditions placed on their practice's licence.

3.1.3 Compliance systems

COLPs are responsible for ensuring systems are in place for compliance. COLPs may wish to consider systems that ensure: 

  • undertakings are given appropriately, monitored and complied with
  • appropriate checks are conducted on new staff or contractors
  • regulatory deadlines are not missed, for example arranging indemnity cover, renewal of practising certificates and registrations, renewal of all lawyers' licences to practise and provision of regulatory information
  • risks are appropriately monitored, reviewed and managed
  • issues of conduct are given appropriate weight in decisions the practice takes, whether on client matters or practice-based issues such as funding
  • file reviews are conducted as required
  • staff are developed and trained as necessary to carry out their role
  • necessary approvals of managers, owners and COLP/COFA are obtained
  • arrangements are in place to deal with planned or unplanned staff absences
  • there is compliance with the General Data Protection Regulation

The existence of the COLP does not detract from the practice's and managers' responsibilities and their obligations to comply with the SRA's regulatory arrangements.

3.2 The role of the COFA

  • Take all reasonable steps to ensure compliance with the SRA Accounts Rules
  • Take all reasonable steps to record failures to comply, in order to be able to recognise serious breaches of the SRA Accounts Rules that must be reported to the SRA
  • Report serious breaches to the SRA promptly. Only ABSs are required to report non-material breaches as part of the Information Report required under Rule 8.7 of the Authorisation Rules (Rule 8 guidance note vii)

To be in a position to discharge their role fully, COFAs must consider whether they:

  • have access to all accounting records
  • carry out regular checks on the accounting systems
  • carry out file and ledger reviews
  • ensure that the reporting accountant has prompt access to all the information needed to complete the accountant's report
  • take steps to ensure that breaches of the SRA Accounts Rules are remedied promptly
  • can report all breaches which are serious, either on their own or as part of a pattern, to the SRA
  • can monitor, review and manage risks to compliance with the SRA Accounts Rules
  • monitor constantly the financial stability and viability of the practice

To implement and oversee systems for compliance in relation to the SRA Accounts Rules, the COFA should consider:

  • having a system for ensuring that only the appropriate people authorise payments from the client account
  • having a system for monitoring, reviewing and managing risks
  • ensuring that issues of conduct are given appropriate weight in decisions the practice takes, whether on client matters or practice-based issues such as funding
  • obtaining the necessary approvals of managers, owners and COLP/COFA and
  • making arrangements to ensure that any duties to clients and others are fully met even when staff are absent

In addition to the COFA's role in relation to the SRA Accounts Rules, Outcome 10.3 of the SRA Code of Conduct implies that there is a role for COFAs to report to the SRA when the practice is in serious financial difficulties. COFAs therefore also need to consider whether they are able to access information on the practice's overall financial status and be in a position to make an assessment of that status.

3.3 The role of the COLP and COFA in smaller practices

The roles of COLP and COFA can be fulfilled by one person and this may be appropriate in smaller practices. 

However, as non-lawyers can take on the role of COFA, smaller practices have greater flexibility over who they appoint, as long as those appointed have the relevant experience and knowledge.

What needs to be covered by a practice's compliance plan will depend on factors such as the size and nature of the practice, its work and its areas of risk.

Smaller practices should consider carefully where there are risks to compliance and how these can be mitigated. Systems and processes should be proportionate. Overly complex systems are often by-passed and can become ineffective.

4 The reporting requirements

COLPs and COFAs are required to report serious breaches in compliance to the SRA promptly. The SRA has indicated that 'as soon as reasonably practicable' in most cases means immediately.

However, as is noted in 3.1 and 3.2 above, ABSs are required to report all breaches as part of the Information Report required under Rule 8.7 of the Authorisation Rules.

4.1 What is 'serious'?

When deciding if a breach or series of breaches is serious, the COLP or COFA should consider:

  • the detriment, or risk of detriment, to clients
  • the extent of any risk of loss of confidence in the practice or in the provision of legal services
  • the scale of the issue
  • the overall impact on the practice, its clients and third parties.

It is important to note that while a single breach may be trivial, if it is part of a series then it may be serious. For this reason, a compliance officer will need systems to identify patterns of breaches.

The SRA Code covers a wide range of issues including business management and financial stability. Compliance officers should notify the SRA if they believe the practice is in serious financial difficulty.

4.2 Other reporting requirements

There is a series of other reporting requirements, such as informing the SRA about changes to the practice. While these requirements are placed on the practice, it is likely that in many cases the COLP will take on the role of reporting these issues to the SRA.

4.3 Keeping records

COLPs and COFAs should keep a record of breaches in compliance, in order to be able to recognise a serious breach which must be reported to the SRA.

It’s for the firm to decide how breaches are recorded and monitored. Practices may consider having a centralised reporting system to capture and record breaches in compliance.

While data on all breaches may be difficult to collect, particularly in larger organisations, it can be valuable. The data may highlight areas where the risk of non-compliance is higher and allow the practice to put in place measures to mitigate against the risk of further non-compliance. The data can also be used to measure the effectiveness of interventions to improve compliance.

It’s important that the data captured identifies any patterns of breaches which may be serious and must be reported to the SRA. This will be easier in smaller practices, where there are likely to be fewer breaches reported.

5 Contingency planning

The SRA guidance highlights the need to have in place arrangements to ensure that any duties to clients and others are fully met even when staff are absent. As with all areas of the business, practices should give consideration to how they will manage the absence of a compliance officer (for example, due to holiday, illness or retirement). There’s no requirement for firms to appoint deputy compliance officers but this may be appropriate, depending on the size of the firm.

If the practice ceases to have a compliance officer, it will need to:

  • inform the SRA
  • designate another manager or employee to replace its previous compliance officer
  • make an application to the SRA for temporary approval of the new COLP or COFA, as appropriate.

This should be done immediately or in any event within seven days. Where a compliance officer is likely to be absent for a significant length of time they may need to be replaced. The practice should discuss whether replacement is appropriate action with their supervision team at the SRA.

6 Your personal liability

As noted in section 3 above, the SRA has made statements to the effect that COLPs and COFAs will not be used as 'sacrificial lambs' where there is a lack of firm-wide compliance.

Rather, the SRA sees compliance officers as the formal points of contact for compliance in a practice. While the managers of a practice continue to bear the ultimate responsibility for a practice's compliance, compliance officers may also face regulatory action personally where they fail to meet their responsibilities.

For this reason, it’s important that compliance officers consider their personal liability and are satisfied that appropriate safeguards are in place. Individual compliance officers should reach an agreement with their practice as to the best way to protect against any potential liability.

There are a number of potential options to consider, including:

  • an indemnity agreement
  • an amendment to your employment contract
  • an endorsement on the practice's professional indemnity insurance (PII) policy or
  • an insurance product (for example, Directors' and Officers' (D&O) cover or a specific COLP/COFA product)

6.1 Indemnity agreements

Many compliance officers enter into indemnity agreements with their practice to document their role and clarify how it will operate. This agreement can include a list of the compliance officer's duties and confirmation from partners that the officer can access relevant business information. These clauses could also be added to your employment contract.

You may also want to consider obtaining an indemnity agreement from your practice stating that you have a right to seek independent external legal advice, for your personal use, at the expense of the practice.

Another provision that could be included is an indemnity from the practice for liabilities arising from the role to the extent permissible by law, including payment of the compliance officer's and third party's legal costs.

6.2 Professional indemnity insurance

It’s also important to consider your potential exposure and check coverage already offered by your practice's insurance. Every practice must have professional indemnity insurance (PII), in accordance with the SRA's minimum terms and conditions (MTCs).

Firms are required to assess and purchase the level of PII that is appropriate for the firm (SRA Code, outcome 7.13). The total amount of PII you need will depend on your firm's size and exposure to risks. You should seek advice from your broker and/or insurer to ensure that you have a sufficient level of cover for your firm. 

For further information, see our PII overview.

As a compliance officer for the practice, you will be 'insured' under the MTC policy and therefore will be covered for any civil liability (for example, professional negligence) arising from your work in private legal practice to the extent that any such liability is covered by the MTCs.

The MTC provides a broad range of cover. However, there are a number of significant exclusions that may expose compliance officers to liability. For example, defence costs for disciplinary proceedings by the SRA or Solicitors Disciplinary Tribunal (SDT) are not covered by the MTCs.

Some insurers are prepared to include cover for these defence costs in addition to the MTCs policy. Therefore, compliance officers should check, first, whether their practice has this additional cover either as an endorsement on its PII policy or as part of its D&O insurance policy; and secondly, whether their role as compliance officer is covered under that policy.

For further information about the scope of the MTC, see the Law Society's PII practice note.

6.3 Other insurance products

There are a number of specific insurance products that target compliance officers. You should read carefully the terms of any insurance policy and satisfy yourself that the policy will cover a potential risk to which you are exposed that is not covered by any indemnity agreement or other insurance policy provided by your practice.

There is an open question as to the extent to which any of the above options will be able to protect a compliance officer against fines and penalties to which they may be exposed. There is a general legal principle that no person should recover an indemnity against liability resulting from their own unlawful conduct.

There is no simple way to determine whether a particular fine or penalty will be covered by an insurance policy or indemnity agreement as each case will turn on its own facts. You may want to bear this principle in mind when considering whether a fine or penalty is insurable under law.

For further information about professional indemnity insurance, see our PII overview.

7 More information

7.1 Law Society services 

Practice Advice Service   
Law Society Risk and Compliance Service 
Reliance

7.2 Law Society products 

COLPs Toolkit 
COFAs Toolkit

7.3 Solicitors Regulation Authority  

Professional Ethics Helpline for advice on conduct issues.
Information about COLPs and COFAs
