Compliance is a priority for any law firm, and demonstrating your new firm’s ability to meet compliance requirements is a key element of the Solicitors Regulation Authority (SRA) authorisation process. At its heart, you need up-to-date systems and processes that help the firm act properly and manage risk, as explained here by Andy Harris, a partner in the Hazlewoods legal team, and Andy Poole, legal sector partner at Armstrong Watson. (Updated 14 March 2022)
You should take a positive approach to managing compliance rather than treating it as a box-ticking exercise. Of course, compliance does involve paperwork, time and costs; but effective compliance is about ensuring clients are treated properly, protecting the reputation of your firm and the profession – all things you should want to do anyway.
Applying for SRA authorisation is not something many new law firms look forward to, but it is manageable. There are several key forms you may need to complete:
- The 13-page FA1 Firm authorisation application form. This collects basic information about the firm, holders of key roles, how the firm is being financed, proposed practice areas, professional indemnity insurance and how client funds will be handled, plus some extra details for firms that are to be authorised as an Alternative Business Structure (ABS).
- The 14-page FA2 Individual approval application. This requires detailed information to check the suitability of key individuals (owners and post holders). It is not generally required for practising solicitors unless they are not deemed approved for certain roles such as COLP and COFA.
- The 8-page FA3 Entity manager owner application. This requires information about any corporate body or other entity that will be a manager or owner of the firm. Again, this is not required if the entity is itself authorised (eg another law firm).
- The 5-page FA8 financial services form. This is for information about any regulated financial services the firm will provide, and is used to pass information to the FCA for the Financial Services Register.
- The 9-page FA10 Anti-money laundering authorisation form. This is used to collect information on any services covered by Anti Money Laundering (AML) regulations and on key individuals in the firm.
As part of the application, you’ll need to provide background documentation covering the firm’s ownership structure, governance (including any shareholders agreement, LLP or Partnership agreement), details of the Memorandum and Articles of Association (for incorporated firms), and details of whatever arrangements you have in place – or agreements in principle – for professional indemnity insurance.
It may well help if you provide further information demonstrating that you know what you are doing and how to manage the risks. This might include your business plan and financial forecasts, along with documentation on your risk management and contingency planning. The SRA may ask for more details if they aren’t satisfied by the information provided, so it is good planning to have this additional information ready.
If you are starting up as a sole owner, the SRA will want you to have contingency plans for what will happen to your clients and your firm if you become unable to continue working. So it is vital that you have sensible conversations with potential successor firms at an early stage.
It all adds up to a significant volume of paperwork – but a great deal of it is information that you should be putting together anyway. Although you can complete the application forms yourself, it makes sense to work with the professional advisers who are helping you with your business planning.
A successful application may take a month or two, or up to three months for an ABS. The application fee is £200, or £2,000 for an ABS (plus a further £150 for each individual who needs to be approved). Once authorised, you also pay annual regulatory fees based on turnover and a further contribution is usually required for firms that hold client money.
"When you’re starting out, the amount of compliance can seem overwhelming. Break the tasks down into chunks, work out what to do first and where you can get help from others. Then it becomes manageable."
Alistair Wells, founder, Tend Legal
Responsibility, COLP and COFA
Once the application for the new firm is completed, there are other applications to think about.
The SRA needs to know about each senior role holder in the firm (usually referred to as managers) and whether they are ‘deemed suitable’ for the position.
There is also a requirement for the SRA to approve a number of key compliance officers in the firm, as follows:
- the compliance officer for legal practice (COLP), who has primary responsibility for compliance with the legal regulatory aspects of the firm other than the Accounts Rules
- the compliance officer for finance and administration (COFA), who has responsibility for compliance under the Accounts Rules
- at least one person responsible for supervision, who must be a lawyer with at least three years’ practising experience
- assuming the firm is carrying out work that is subject to money laundering regulations, a money laundering compliance officer (MLCO) and a money laundering reporting officer (MLRO) – although there are some exemptions
One individual can fill more than one role, and in smaller firms (with a turnover up to £600,000) a practising solicitor can be approved as a compliance officer without any further requirements as they will be ‘deemed approved’. For example, a lawyer with more than three years’ experience can set up as a sole practitioner and act as both COLP and COFA. A degree of financial experience / expertise will make the COFA’s life much easier.
In larger firms, the SRA will want to be satisfied that the individuals have the ability to meet their obligations. For example, you might want to show what relevant experience and qualifications they have, and that they will have the access they need to the firm’s systems and records. In larger firms, it’s essential to ensure that both COLP and COFA have the ear of the firm’s leadership.
Whoever takes the roles, it’s essential to ensure that they have the right support and training. Working with experienced external providers may be part of the solution, though ultimate responsibility for compliance will remain with the nominated individuals in the firm.
While it is possible for individual role holders to limit their personal liability through specially tailored PI insurance policies, setting up and carrying out these roles rigorously in the first place is time well spent.
You can find out more in:
- the SRA guidance on approval of role holders
- the SRA guidance on responsibilities of COLPs and COFAs
- the Law Society’s guidance on who can be a compliance officer and what is involved in the roles of COLP and COFA
Being a compliance officer can be a lonely role, and the role can only be effective with collaboration from all levels. Ensure that all your team get the training they need to follow the firm’s processes. All individuals, irrespective of grade or job title, need to feel confident that they can report concerns, observations or simple mistakes to the appropriate person without fear of reproach. A firm with such an open culture is much less likely to run into serious compliance issues.
SRA Standards and Regulations
The SRA Standards and Regulations set out the rules firms and individual lawyers must follow and the ethical standards expected. (These regulations replaced the old SRA Handbook, which was much longer and less flexible.)
When starting a new firm, you should familiarise yourself with the SRA Code of Conduct for Firms, the SRA Principles and the SRA Accounts Rules. You need to understand the principles, as these will be central to the key controls and procedures that you set up from day one, as well as those that naturally develop over time.
The key areas that you will need to get to grips with quickly include:
- risk management – and, specifically, a continually evolving risk register where you identify the key risks facing your firm and how you can mitigate them
- breach registers – where you capture, consider and, where necessary, report compliance failings
- financial management
- client onboarding and care, ensuring quality service and dealing with complaints properly
- supplier management, particularly for outsourced operations and systems
- human resources management – including CPD and training contracts
- other regulatory issues – for example, health and safety management and data protection/GDPR
You’ll need to decide the best way to manage compliance in your firm, taking into account the experience of your COLP and COFA and others. This typically relies on a continuing training and development programme for your whole team, together with systems and support from experienced suppliers and advisers.
You may find the SRA Sole practitioners and small firm regulatory starter pack helpful for thinking about the key risks you need to address.
"Compliance is a huge part of running your own firm, and the regulations are ever-changing. Make sure you and any employees have access to training, as part of a culture of compliance."
Michael Burne, chief executive, Bamboo Platform
Financial management brings significant challenges and compliance issues for law firms.
- Sound financial management, including forecasting cash requirements, is a crucial element of managing the firm. The SRA specifically requires firms to “monitor their financial stability and business viability”.
- Like any business, the firm needs to keep adequate financial records, file accounting information, comply with relevant accounting standards, file the necessary business and personal tax returns, and deal with VAT and payroll (if applicable).
- More than most other businesses, law firms are prime targets for fraudsters. Appropriate cyber security is essential.
- The SRA Accounts Rules deal with the rules for handling client money, and the need to ensure that the firm has appropriate systems and controls in place. Find out more in our FAQs on Accounts Rules compliance.
- There are additional compliance requirements if your firm is going to carry out regulated financial services activities.
Good financial management starts with making sure you have effective accounting systems and processes in place. The COFA will need to:
- have a clear strategy to ensure that systems and processes are working properly and reflect any changes to regulation and guidance
- ensure that client accounts are regularly reconciled and a year-end accountant’s report is prepared (subject to certain exemptions)
- maintain a breach register, recording and addressing any compliance failures and, if appropriate, reporting them
- monitor the firm’s overall financial stability and viability and consider what action may be required
As in other areas of compliance, the solution for your firm is likely to be a combination of in-house systems, working with external suppliers, and training. Your accountant will be a key partner in helping you get the right systems in place.
Compliance with the SRA Accounts Rules is a common problem area for law firms, not least because of the emphasis on firms using their judgement to ensure ongoing compliance.
The focus of SRA enforcement is on firms that not only breach the rules, but also put the safety of client money at risk. There has been a large amount of guidance emerging over the past couple of years, with some firms struggling to keep pace. Common breaches range from a lack of clear records to paying over residual balances too slowly to providing prohibited banking facilities to clients.
Outsourcing legal cashiering can be a good way to access appropriate expertise.
Using Third-Party Managed Accounts is something that firms have been considering as an alternative to holding client money directly in some situations. But it remains to be seen to what extent firms manage to completely avoid the need for client accounts.
Continuity and contingency planning
Risk management is at the heart of compliance. But while you can try to identify and mitigate risks, you also need to plan for the worst. Key risks you may want to think about include:
- illness (or death) of yourself or another key individual
- your premises becoming unusable (for example, because of flooding)
- IT systems failures or being ‘hacked’ – can your firm continue in the event of its systems being compromised, or data being unavailable indefinitely?
- employee fraud or misconduct
- claims from clients
- significant changes to the financial outlook – for example, the loss of a key client, lack of availability of required funding, loss of key fee earners, or a substantially increased rent review
The better your contingency planning, the easier it will be to limit the impact, get the firm back operating normally and deal with the financial and reputational impact. Read more about business continuity planning from the Law Society.
Insurance, including professional indemnity insurance, can help protect the firm against some risks – and good contingency planning can also help demonstrate to insurers that you are a good risk, helping to reduce your premiums – but insurance is not a solution in itself.
Find out more about PII for law firms and how to keep costs down.
The systems you have for dealing with clients are a key part of compliance. You need to create compliant systems and processes for every stage of the client relationship:
- client onboarding – checking for conflicts, setting out clear terms of business / engagement letters, carrying out appropriate know your customer (KYC) / anti-money laundering (AML) checks
- client service – taking instructions properly, providing clear information on fees, progressing matters effectively and in a timely manner
- client protection – ensuring client funds and information are properly protected, maintaining client confidentiality
- ongoing monitoring – understanding the source of funds throughout a matter and being alive to changes in the scope of work, so ‘scope creep’ does not compromise your risk management procedures
- complaints – setting up a complaints handling procedure and ensuring clients are aware of it, handling complaints expeditiously
In part, this means developing appropriate documents, processes and so on. For example, you should be sending out user-friendly client care letters (The Law Society offers a range of client care guidance resources). Training for all staff is also key.
More broadly, every lawyer in the firm needs to take on board their role in delivering not just legal expertise but customer service.
Reporting and monitoring
No compliance system is perfect. By identifying and addressing compliance shortcomings, the firm can continually improve performance. The COLP and the COFA must maintain a register of breaches. There isn’t a prescribed method for doing this, but most well thought out registers share common themes – the aim is to create a tool that works for your firm.
Serious breaches – for example, if a lawyer is charged with a criminal offence, instances where client money has been dealt with inappropriately, or if the firm has serious financial problems – must be notified to the SRA. You can find more details in the SRA guidance on reporting and notification obligations.
For less serious breaches, the compliance officer must use their judgement. Minor breaches do not generally need to be reported, though a pattern of repeated minor breaches (indicating a more serious underlying problem) might need to be.
Serious data breaches also need to be reported to the ICO.
Compliance officers – and individual lawyers in the firm – should make sure that any breaches that are brought to their attention are reported if necessary. The COLP and COFA should also proactively carry out reviews and audits.
"A robust system to ensure all breaches are captured so that they can be properly analysed and considered is vital. A compliance officer is only as effective as the information that they have access to."
Brian Rogers, regulatory director, Access Legal
Many firms choose to work towards one or more accreditations. This can have several advantages:
- helping ensure best practice
- providing a marketing edge, particularly where clients are aware of or require relevant accreditations
- helping to control risks
- reducing PII costs
Well-known accreditations include the practice management standard Lexcel, the Conveyancing Quality Scheme, the Wills and Inheritance Quality Scheme and the Specialist Quality Mark. If your firm plans to have a legal aid contract, you will need to have either Lexcel or SQM.
The accreditation process can demand a significant investment of time, along with the payment of initial registration and continuing annual fees. But the schemes provide a useful framework for helping you run your firm with high standards of compliance.
Compliance top ten
- Work with advisers who have experience of getting other firms authorised.
- Use the authorisation process as an opportunity to develop your plans for running the firm.
- Provide extra background information where necessary to make it easy for the SRA to assess and authorise you.
- Identify which individuals should take the lead compliance roles as COLP and COFA.
- Treat compliance as a priority for the firm, not a box-ticking exercise; make sure your compliance officers have the ear of top management.
- Consider outsourcing key support activities to providers who already have compliance expertise and compliant systems.
- Create a culture where everyone in the firm is free to raise concerns.
- Use a continually updated risk register to identify and manage key risks.
- Actively monitor, record and where necessary report any compliance breaches.
- Consider working towards one or more quality standards.