- Who should we appoint as our COFA (compliance officer for finance and administration)?
- Other than compliance with the Solicitors Accounts Rules, what other examples of financial non-compliance may occur in law firms?
- What are the most common breaches of the rules in law firms?
- What do fee-earners need to do about financial compliance?
- What breaches should a COFA record in their breach register?
- How should the COFA be notified of breaches?
- What format should the breach register take?
- When do we need to report a breach to the SRA?
- How do we make sure the firm’s accounting systems are robust?
- How are cyber security issues affecting accounting systems in law firms?
- What compliance checks should the COFA undertake?
- How often should the COFA undertake internal reviews for Accounts Rules compliance?
- How should the COFA select which files they should review for Accounts Rules compliance?
- If the law firm COFA is absent for any reason, what should the law firm do?
- What responsibility does the COFA have if they suspect the law firm is in financial difficulty?
- As COFA, how do I protect myself?
- Does the firm need a client account?
- Does the firm need to have an accountant’s report prepared?
- What should the firm do to prepare for the work by the reporting accountant?
- What will the reporting accountant look at in terms of the practice’s accounting systems during their annual review work?
- What steps do I need to take before paying any residual client balances to charity?
- What steps can I take to prevent further residual balances occurring in the law firm?
- What are the rules on providing banking facilities through a client account?
- When would our reporting accountant need to qualify our Accountants’ Report and submit it to the SRA?
- What should the reporting accountant provide to the law firm after each year’s review?
Huw Nicholls, audit and assurance director in the legal team of accountants Armstrong Watson, responds to questions about compliance with the Solicitors Accounts Rules and who needs to be involved. (Updated 7 March 2023)
1. Who should we appoint as our COFA (compliance officer for finance and administration)?
The COFA must be an employee, but not necessarily a manager of the practice. They need to be approved by the SRA for the role and to have consented to the role. Additionally, they must be of sufficient seniority within the practice to carry out the role. The COFA does not need to be a lawyer.
The role is largely concerned with the Solicitors Accounts Rules, so a good understanding of those is vital. In addition, the COFA should have a good understanding of finance in general and the financials of the practice.
Ultimately, who is appointed to the role will depend on the size of your practice and what suits the needs of the firm. Many sole practitioners will also be their own COFA. In large practices, the COFA will be a full-time role held by a finance partner/director or someone who leads the finance team. Whoever you choose, the COFA does require the right level of gravitas to fulfil the role.
2. Other than compliance with the Solicitors Accounts Rules, what other examples of financial non-compliance may occur in law firms?
Lawyers have an obligation to run their business and carry out their roles in accordance with proper governance and sound financial and risk management principles, so financial non-compliance should not regularly occur. However, some examples are:
- not filing statutory accounts with the relevant bodies on time;
- not filing tax returns on time;
- not paying tax liabilities on time;
- owners over-drawing where the practice cannot necessarily afford to fund those drawings.
3. What are the most common breaches of the rules in law firms?
The most common breaches under the rules are as follows:
- Residual balances (Rule 2.5). At the end of a matter, small balances are often left in client account instead of being returned to the client. The rule states that the money should either be returned or, if there is good reason to retain it, the solicitor should write to the client to explain how much is being held and why, and write to confirm that annually thereafter. This is a recurring breach for many law firms. Depending on the extent of the breach, sometimes it is reportable to the SRA, and sometimes it is not.
- Bank account titles (Rule 3.2). Many law firms have difficulty ensuring that their client bank accounts have the correct full titles (including the word 'client'). Words are often abbreviated, eg client to clt or limited to ltd, or if there is a maximum number of characters allowed within the title, the law firm name is sometimes shortened.
- Written notification of costs (Rule 4.3 and 8.4). The rules introduced in November 2019 say that clients must be given a written notification of costs prior to any transfer from client to office. Firms must also keep a readily accessible central record of bills and other written notifications of costs. How firms treat these notifications to clients prior to the transfer of monies for disbursements varies greatly. This is an area where we see breaches in most firms as it is the one area that required a change in system or process upon the introduction of the new rules.
Finally, we are still finding that not all policies and accounting manuals have been updated to refer to the rules introduced back in November 2019, or contain the required definitions of ‘promptly’.
4. What do fee-earners need to do about financial compliance?
Fee-earners have a lot to do in their everyday work, so can become over-reliant on the accounting team for compliance.
All fee-earners within the practice should have a good understanding of the rules. They should have regular training and updates on the rules to ensure ongoing compliance.
It is important to instil a firm-wide culture of financial compliance. The breach register, file reviews and health checks should be highlighted and discussed with the management of the practice to reinforce its importance to all.
5. What breaches should a COFA record in their breach register?
All breaches, no matter how minor, should be recorded in the breach register.
If a law firm has no breaches in its register during an accounting period, I’d question if the reporting processes are working effectively.
6. How should the COFA be notified of breaches?
All employees within the practice should be aware of their obligations with regard to the Solicitors Accounts Rules. They should report any breach or suspected breach to the COFA immediately.
In addition, the systems and reporting lines that you have put in place should work to identify and highlight minor/trivial breaches with ease.
7. What format should the breach register take?
There is no prescriptive guidance on the format of the breach register, but it should be capable of being interrogated easily; for example, by filtering and categorising.
The register should also contain sufficient detail for the COFA to use it as a management tool to identify trends and issues. For example, the register might include the rule number and name as well as amounts, frequency and timings of rectification.
In its most simple format, Microsoft Excel will work for most practices.
8. When do we need to report a breach to the SRA?
When a breach should be reported is very subjective and is based on materiality.
When considering the materiality of a breach, the COFA should consider:
- the amounts involved;
- whether there is any loss to a client;
- whether there is a systematic failure in controls within the practice;
- whether it forms part of a pattern of breaches;
- how quickly it was discovered and rectified.
Whatever your decision on materiality, you must be comfortable that you can justify your decision. It would be useful to document that from a reporting accountant’s perspective.
If you decide a breach is material and should be reported, it isn’t necessarily the end of the world. This can in fact be an indication of good risk management. You should ensure the report is clear and transparent.
9. How do we make sure the firm’s accounting systems are robust?
As COFA you have responsibility for having systems in place that ensure sound financial and risk management of the practice. As such you need to have access to all management information systems and business information.
10. How are cyber security issues affecting accounting systems in law firms?
As everyone is aware, law firms are at particular risk of cyber crime due to the large amounts of client monies held and financial transactions undertaken. It is not just the accounting systems that are affected, but all systems within the law firm.
Specifically with regard to the accounting function, the following areas should be considered:
- How you communicate and collect client data such as bank details. Email may not be secure. Face-to-face meetings are the safest way, but letter is another option, or fax (if still used). This has become more difficult with the switch to remote and hybrid working, so firms should ensure their risk assessments and policies are updated accordingly.
- Everyone in the firm needs to be given regular updates of the risks and ever-evolving technologies used by fraudsters, so that they can identify a potential scam and question instructions that may not feel quite right.
- Provide your bank details to clients in a secure manner at the outset of the transaction. Make it clear that this will not change during the course of the transaction.
- Check the practice’s bank statements on a regular basis. Highlight anything that seems unusual or cannot be identified with your bank immediately.
11. What compliance checks should the COFA undertake?
The role of COFA should not be treated as a one-off tick box exercise – it is a continuous, ongoing process of compliance. Every COFA should have systems in place to monitor that compliance.
Regular file reviews and health checks should be undertaken. This ensures that processes and procedures are being followed. It also encourages a culture of accountability and openness with fee-earners, which will allow effective supervision.
Compliance checks and supervision have become even more pertinent due to remote working since the pandemic.
12. How often should the COFA undertake internal reviews for Accounts Rules compliance?
Ideally, as a minimum the COFA should review at least one file from every fee-earner over the course of a year. So the frequency will depend on the size of the practice.
That is not to say that a practice with two fee-earners should only have a review twice a year. Our suggestion would be monthly or at least quarterly reviews.
13. How should the COFA select which files they should review for Accounts Rules compliance?
How the sample is selected will be driven to some extent by the size and makeup of your firm. As a minimum, a file from each department should be included in each review where possible.
When starting to implement the reviews, a good starting point for file selection would be any departments or fee-earners who regularly appear on your breach register.
14. If the law firm COFA is absent for any reason, what should the law firm do?
As with any role, there will be times when the COFA is absent for short periods, such as annual leave or short-term illness. As part of the COFA’s role, the ongoing compliance processes of the practice should be designed to be capable of continuing whilst the COFA is absent. This includes ensuring that any issues that arise are still identified and can be rectified without the COFA.
The Covid-19 pandemic highlighted the need for contingency planning, and it may be that your plans have been tested. Depending on your current contingency plan, you may want to consider an informal deputy for the role of COFA who can step in for shorter periods of absence.
There will be circumstances where the COFA is unable to fulfil the role for a longer period of time, perhaps through long-term illness, or even on a more permanent basis such as dismissal. In these cases, you should immediately – and certainly within seven days – notify the SRA of the absence, select another suitable individual to undertake the role and apply for temporary emergency approval. As part of the temporary approval process, you must include the reason why temporary approval is required. Any absence period in excess of four weeks should follow this process.
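15. What responsibility does the COFA have if they suspect the law firm is in financial difficulty?
In addition to the COFA’s role relating to the SRA’s Accounts Rules, the COFA also has responsibilities to report the practice should it be in serious financial difficulties.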
If you hold the role of COFA, you need to ensure that you have access to all information on the practice’s overall financial position in order to recognise if the practice is in difficulty.
The areas that should be focused on with regard to good financial management are the working capital and credit control procedures of the firm.
16. As COFA, how do I protect myself?
As part of accepting and consenting to the role of COFA, you must consider your own personal liability. You should consider if you are satisfied that the practice has the appropriate safeguards in place.
You should also reach an agreement with the practice as to the best way to protect yourself against any personal liability. There are a number of options as to how you could do this, including an indemnity agreement, an endorsement on the practice’s PII policy, or a specific insurance product.
Ultimately, the responsibility for compliance rests with the managers of the practice but a COFA may find regulatory action is taken against them where they fail to meet their responsibilities. The SRA has stated that COFAs will not be ‘sacrificial lambs’ if a practice has a practice-wide culture of non-compliance. If this is the case, you should question if the role is being undertaken effectively, and whether a report should be made to the SRA, even if against the wishes of the managers of the practice.
17. Does the firm need a client account?
Under the rules that have been in force since 25 November 2019, you no longer require a client account if the only client money received by you is advance payments for fees and unpaid disbursements (not including disbursements for which your client is liable, such as SDLT).
You also need to make sure that your client has been properly advised and given sufficient information about where their money will be held. If you choose not to have a client account, you should explain to the client that it will not be held on account for them and may be held and used as part of the firm’s own money in their business account. The client can, therefore, make an informed decision about whether they wish their money to be held outside a client account or to consider an alternative.
A further option under the new rules would be the use of a third-party managed account.
18. Does the firm need to have an accountant’s report prepared?
If a practice holds client money, it is usually required to obtain an accountant’s report within six months of the end of the accounting period.
There are some exceptions to the above, as follows:
- If a practice only holds money for legal aid, then a report will not be required.
- If during an accounting period the balance on the practice’s client account does not exceed £10,000 on average, and the maximum balance at any one time does not exceed £250,000, then a report will not be required.
The practice must still carry out reconciliations of the client accounts at least every five weeks. These reconciliations will be used to establish if the practice satisfies the exemption criteria above.
19. What should the firm do to prepare for the work by the reporting accountant?
Much of what the reporting accountant will require for their work should be readily available, as part of the month-end processes of the practice. The reporting accountant should make you aware of exactly what they require in advance of the work commencing. This will include a sample of files from your client matters listing which they will need to review.
The accountant will also need details of all the practice’s bank, building society etc accounts held or operated throughout the year.
You must provide all information that is requested by the accountant.
20. What will the reporting accountant look at in terms of the practice’s accounting systems during their annual review work?
The rules regarding what the reporting accountant should look at are much less prescriptive now. What they look at and the work they perform will be based on their professional judgement of what they require in order to assess the risk to client monies.
Much of the focus of the reporting accountant is looking at the systems, processes and controls of the practice. The accountant is likely to want to document what systems and controls are in place in terms of the accounting and finance function, and to test them. The COFA and members of the finance function should be available throughout the on-site visit to help.
If the systems and controls of the practice are strong and through testing are determined to be working effectively, the accountant may assess that the risk to client money is lower. If so, the testing of the detailed individual transactions may be reduced in some areas.
The accountant is expected to submit their report to the SRA if the systems and controls of the practice are judged to be weak, or are not sufficient for the size and complexity of the practice.
In addition to the above focus on systems, processes and controls, the Reporting Accountant also needs to examine the practice’s policies. Any testing undertaken needs to be tailored to the practice’s own policies in order to determine if the practice is following its own policies and procedures.
21. What steps do I need to take before paying any residual client balances to charity?
Rule 2.5 requires you to ensure that client money is returned promptly to the client as soon as there is no longer any proper reason to hold those funds.
Rule 5.1 governs withdrawals from a client account, and specifically 5.1 (c) states that you can only withdraw client money from a client account ‘on the SRA’s prior written authorisation or in prescribed circumstances’.
Prescribed circumstances are as follows:
- The balance does not exceed £500 on any one client matter.
- The balance is paid to a charity of your choice.
- You have taken reasonable steps to return the money to the rightful owner.
- The steps taken in the above have been recorded and retained for six years.
- You keep appropriate accounting records, including:
  - a central register of the rightful owner, the amount, name of charity and charity number and the date of payment;
  - all receipts from the charity and confirmation of any indemnity provided against any legitimate claim subsequently made for the sum they have received.
- You do not deduct from the residual balance any costs incurred in attempting to trace or communicate with the rightful owner.
- For amounts over £500, SRA approval is required before removing from client account.
22. What steps can I take to prevent further residual balances occurring in the law firm?
In order to prevent further residual balances occurring, the practice should have a robust file closure procedure that does not allow files and matters to be closed where client money is still held.
The practice should agree at the outset of the retainer about how surplus funds will be dealt with. This may be included in your client-care letter or terms and conditions.
Gathering additional information from clients to allow them to be traced, such as a national insurance number or their bank account details in order to make direct payments, may also be useful. Remember, being unable to trace your clients may be viewed as poor practice management.
Finally, if you are involved in a merger or acquire another law firm practice, you should not accept liability for any client money that does not have an accompanying client file and details.
23. What are the rules on providing banking facilities through a client account?
A practice must not provide banking facilities through its client account. Any client money transaction must be related to an ongoing legal transaction or to a service as part of your regulated activities.
Throughout your relationship with the client, you should question why you are receiving or holding funds and for what purpose. Your client account is not there for the client’s convenience.
The rules reduce the risk of money laundering through the client account. In addition, by providing banking facilities to a client you may inadvertently be helping them shield monies from an insolvency situation or facilitating financial, tax or benefit fraud.
24. When would our reporting accountant need to qualify our Accountants’ Report and submit it to the SRA?
Your accountant will be expected to use professional judgement when preparing the report and in deciding if it should be submitted.
The SRA’s view is that reports should only be submitted where the breach is material and client money is at risk. A material breach may be one where there is intention to breach the rules, or if there is a significant weakness in the processes and controls in the practice which has led to the breach.
Most firms will have trivial non-reportable breaches. These should still be monitored by the practice in their breach register and reviewed by the reporting accountant, as repetitive trivial breaches may indicate poor systems and controls.
25. What should the reporting accountant provide to the law firm after each year’s review?
The reporting accountant must provide the COFA of the practice with a signed copy of the report, whether qualified or unqualified. The COFA should ensure that all managers of the practice have access to and have seen the report. The report must be signed and delivered to the COFA within six months of the end of the accounting period.
There is no longer a checklist for completion by the reporting accountant.
I would expect the reporting accountant to provide the practice with a management letter that details any breaches (reportable or non-reportable) found through their work, together with pro-active suggestions for improvement. In addition, any best practice points where systems and processes could be improved would also be detailed.
Although it may be agreed with the reporting accountant that they will submit any reports that are required to be submitted to the SRA, the ultimate responsibility for delivery is with the practice itself.