Compliance in practice – the ten-year milestone
Ten years after the SRA's Handbook was published, Tracey Calvert argues that constant vigilance is needed to uphold compliance.
The Solicitors Regulation Authority’s (SRA) first rulebook – the SRA Handbook – was published in October 2011 and introduced a variety of rules, regulations and outcomes which supported the SRA’s risk-based and firm-based style of regulation. Much of the content was quietly revolutionary and I recall many new compliance conversations from a decade ago.
Back in 2011, I talked about the need to adapt to the new order in order to succeed in the modern regulatory era. There is no reason to change this message ten years on. The SRA insisted we consider their expectations in all that we do and be able to demonstrate compliance in practice. The need to adapt compliance initiatives is no less relevant in 2021 than it was in 2011.
Revolutionary changes
One of the most radical changes introduced in the SRA Handbook was the introduction of the compliance officer regime and the designation of Compliance Officers for Legal Practice (COLPs) and Finance and Administration (COFAs). Although these roles did not go live until 2013, these additions have made a long-lasting impact on law firm dynamics.
Added to this was the increased interest in effective governance in each firm. Of course, the SRA Handbook was replaced by the SRA Standards and Regulations in 2019, but the compliance officer regime and the SRA’s interest in how firms operate has not diminished.
So, what’s the position in 2021? If you are a compliance officer, you have a job description and responsibilities (now in the SRA Code of Conduct for Firms) and you can be made subject to personal disciplinary investigation in some circumstances. However, in an era of collective responsibility for compliance, it is important the owners and managers of the firm understand the same code also talks to them with directions as to their role in compliance. These individuals are told managers are responsible for compliance in their firm, and that this responsibility is joint and several where management responsibilities are shared with other managers.
Unfortunately, we have seen a number of disciplinary investigations where misunderstandings about managerial or individual responsibilities have resulted in enforcement action. For example, last year a decision relating to one of the COFA’s perennial headaches – residual balances – was made in which the COFA, his partners and the firm itself were all separately fined and ordered to pay costs after it had accumulated almost 1,000 residual balances in its client account.
The need for vigilance
None of this should be a surprise. The SRA’s enforcement strategy is veryclear. It will take action against a firm: “when the events demonstrate a failure which relates to the culture, systems, supervision arrangements or processes for which the firm, as a whole, should be held accountable.”
This supports the messages within the introduction of the Code for Firms: “this Code describes the standards and business controls that we, the SRA, and the public expect of firms (including sole practices) authorised by us to provide legal services. These aim to create and maintain the right culture and environment for the delivery of competent and ethical legal services to clients.”
We are also told that “a serious failure to meet our standards or a serious breach of our regulatory requirements may lead to our taking regulatory action against the firm itself as an entity, or its managers or compliance officers, who each have responsibilities for ensuring that the standards and requirements are met.”
So, keeping the compliance response appropriate and effective is a challenge that cannot be avoided. Ten years on, I suggest that compliance officers, firm managers and their compliance colleagues remain vigilant. They must be confident that they can all, collectively and individually, demonstrate effective risk management.
The SRA has set compliance leaders a series of challenges: risk identification and management; the need to attain competency standards in regulatory and ethical matters; effective supervision, the role of all managers in compliance and the need to ensure that everyone understands the SRA’s expectations. The role of these individuals will become easier and more predictable if robust decisions are made for regulatory and ethical up-skilling.
Where to start with this? If ethical behaviour is considered a defining characteristic of legal services providers, then I would suggest a consideration of the firm’s ethical compass as an appropriate beginning. As long as we are clear about what is legal and what isn’t, there are going to be shades of grey. Some firms might be comfortable with a riskier approach, but it is important this is discussed and lines in the sand are agreed.
Law firms are composed of a diverse group of individuals; it is too risky to assume everyone understands regulation and ethics in a way which keeps a firm – and its senior role holders – in the regulatory comfort zone. There is a strong argument for training to ensure everyone understand the firm’s expectations about behaviours.
To develop this theme further, managers and compliance officers should ensure their regulatory and compliance toolkits contain the right equipment. How effective are your compliance resources? It is risky to assume the work needed to demonstrate compliance in practice is only ever a one-off exercise. In other words, if this was considered in 2011, and perhaps never again, or only if a new compliance officer came on board, I suggest this is not often enough and maybe this is the time to undertake a regulatory and ethics audit.
Regulatory and ethical toolkit
To be clear, unlike an independent anti-money laundering audit which is a legal obligation in some cases, a regulatory or ethics audit is not mandatory. Instead, it is a best practice initiative which will enable you to consider whether your regulatory and ethical toolkit is fit for purpose. Do policies and procedures manage identified risks? Is risk identification realistic, capturing both firm-based issues and SRA risk priorities? Is your response appropriate to the way in which you now work? Do your people understand or is up-skilling required?
In terms of ensuring an appropriate response, and speaking to the COFA role, audit tests to monitor the usefulness of policies will be helpful, as will investigations designed to test knowledge of the following topics:
· Awareness of the personal responsibilities to keep client money safe
· Understanding that accounts rules compliance doesn’t rest solely with the owners of the business and the accounts staff
· Knowing when to say no to clients (in terms of banking, etc.)
· How to deal with monies at the end of a retainer.
For the COLP, priorities might be:
· Checking compliance with the SRA Transparency Rules; website accuracy, do relevant staff know why prices, etc, are published; is complaints information accurate; do staff adhere to published prices, etc.
· Standards of service – is retainer information correct and kept under review; is evidence collected to show that we are acting on properly authorised instructions; are client vulnerabilities identified and understood, etc.
· Effective supervision – is there evidence that the supervisory processes work?
· Staff screening – do we really know our staff?
In addition, new topics that should be added to the conversations in 2021 include the firm’s response to the Solicitors Qualifying Examination and compliance issues that must be incorporated into new remote-working or hybrid-working policies. With the latter, the SRA is entitled to ask firms to justify new working arrangements and demonstrate that client interests and professional behaviours are not compromised or sidelined.
The SRA expects us to contribute to the success of their style of regulation. They require the regulated community to be able to demonstrate compliance in practice. It is assumed we will be, if not equal partners on their regulatory journey, at the very least functioning participants with embedded systems, the capability to evidence what we are doing and the ability to hold conversations with the SRA about the issues that matter to them. We are now at the stage of this journey where it is expected that there is a compliance heart in all firms, and a culture and ethos which not only talks effectively to all owners and all employees but also contributes to effective risk management.
Tracey Calvert is a consultant at Oakalls Consultancy Limited oakallsconsultancy.co.uk