Compliance officer for legal practice: the essentials
Dr Tony Harvey runs through everything you need to know about COLPs, from when and how you must appoint them, to what the role entails and their responsibilities
From May 31 2012 all firms, including sole practitioners, must begin the process for nominating a compliance officer for legal practice (COLP) and a compliance officer for finance and administration (COFA). The SRA handbook 2011 sets out a new 'outcomes-focused regulation' (OFR) regime for the regulation of legal services. The handbook brings together the new code of conduct and other compliance rules including new Accounts Rules and Authorisation Rules. The COFA is essentially concerned with maintenance of the Accounts Rules and keeping client money safe. The COLP has a far more wide-ranging responsibility to ensure compliance with the principles and outcomes of the code and other statutory obligations to ensure that clients are protected and treated fairly and has new recording and reporting responsibilities.
The SRA expects to open for nominations on 31 May 2012 with all nominations to be complete by 31 July 2012. Confirmation of appointment should be made by 31 December. Nominations will be made online, but via email not directly inputted (like MySRA). The nomination form is expected to contain a series of declarations about the firm and the individual including declarations about the suitability of the nominee and the governance and systems of the firm. Since the COLP will be a solicitor and the SRA is likely to have sufficient regulatory knowledge of the nominee it is unlikely that any further checks will be required (in the case of the COFA – who need not be a solicitor – the process will most likely be more forensic, with the SRA analysing the suitability criteria against each nominee).
Both the COLP and COFA must be individuals (not corporate bodies) who must also be a 'manager' or 'employee' of the firm (regulation 8.5). The glossary definition of 'employee' appears to be sufficiently wide to include self-employed people.
Duty calls
The COLP must ensure that the firm is compliant with the terms of the firm's authorisation and all relevant statutory obligations in relation to the authorised activities of the firm – essentially the handbook (except the Solicitors Accounts Rules which are the responsibility of the COFA), the Legal Services Act, the Administration of Justice Act and the Solicitors Act. It does not mean all conceivable statutory obligations – for example, health and safety – which remain the responsibility of the firm's management.
Indeed the appointment of a COLP does not absolve the firm's management from compliance responsibility – the SRA seeks to create a 'community of compliance' with the COLP working with management to ensure that there are demonstrable systems for compliance in a risk-based environment. The concept is to encourage best business practice and best risk management to ensure that the firm behaves in a way that is both good for the business and good for the client. Perhaps most notably, and this is new, the COLP will be required to record all relevant compliance breaches and, where such breaches are sufficiently serious, report them to the SRA.
Who should you choose?
This should be a business-led decision. The SRA does not prescribe the status of the COLP in the firm except that rule 8.2 and the guidance note to that rule require the firm to ensure that the COLP is of sufficient seniority, in a position of sufficient power and responsibility and has clear reporting lines to senior management. The COLP must also be able to devote sufficient time to this day-to-day role. Firms appear to be selecting from a range of personnel: managing and senior partners, general counsel, compliance partners, professional indemnity partners and directors of risk or compliance.
The selection of a confident, informed, pragmatic, professionally respected admitted lawyer with sufficient seniority and access to senior management and management information will be important.
What to record and report
This is perhaps the most controversial aspect of the role of the COLP. Chapter 10 of the code, 'You and Your Regulator', requires the firm to 'comply with all reporting and notification requirements in the handbook' (outcome 10.1) and 'notify the SRA promptly of any material changes to relevant information… including serious financial difficulty, action taken against you by another regulator and serious failure to comply with or achieve the principles, rules, outcomes and other requirements of the handbook' (outcome 10.3).
The Authorisation Rules in the handbook require the COLP to 'take all reasonable steps' to ensure compliance with the terms and conditions of the firm's authorisation, ensure compliance with any statutory obligations in relation to the firm's carrying on of authorised activities, and to record any failure to comply and make such records available to the SRA on request (regulation 8.5(c)(i)).
Further, 'as soon as reasonably practicable, report to the SRA any failure so to comply which is material either taken on its own or as part of a pattern of failures to comply' (regulation 8.5(c)(ii)).
It is important to apply a common sense perspective. The mischief the regulations seek to address in the legal services market relates to poor client service. The regulatory role of the SRA is to create rules in the public interest for the protection of the client. What is recorded or reported should be a contextual and risk-based judgment for the COLP. The drivers for this judgment should be the principles and outcomes of the code and the other regulatory requirements mentioned previously.
The COLP should look at the needs of the client – chapter 1 of the code is particularly important here – the outcomes-based code is very flexible. A vulnerable client might need more care and information than a sophisticated commercial client. The starting point should be the words 'serious' and 'material'. Guidance note (x) to regulation 8 of the Authorisation Rules notes that something may be judged 'material' and therefore 'reportable' based on criteria such as detriment or risk of detriment to clients; loss of confidence in the firm or the provision of legal services; the scale of the issue and the overall impact on the firm, its clients and third parties. Clearly, any serious professional misconduct will be reportable ('You and Your Regulator': outcome 10.4) but this is nothing new. Minor breaches of internal systems may not be – but should perhaps be recorded so as to establish whether a pattern of risk taking is emerging and threatening client protections. Very substantial systemic failures might sensibly be reported and should certainly be recorded.
Clearly, there will be occasions when the COLP may have to take steps that are unfavourable to the firm and the fact that the concept of 'compliance' under the new regulatory regime is untested will complicate this judgment. However, a sensible, common sense decision should be based on the needs of the business as a whole and its clients. It is certainly not for the owners and managers to make this decision and they need to take care 'not to obstruct, whether intentionally or unwittingly, a COLP in fulfilling their role' (guidance note (vi) to rule 8).
COLPability
The SRA's intention is to create a firm-wide culture of compliance. Rule 8.1 places an obligation on the firm's managers to ensure compliance with 'regulatory arrangements' – defined by section 21 of the LSA 2007 – which includes all of the rules and regulations of the SRA. It is thus the owners and managers of the firm that are primarily responsible for compliance – not the COLP. This primary responsibility is thought by most commentators to be non-delegable (see also guidance note (vii) to rule 8). Accordingly, it is for the firm's management as a whole, and all of its staff, to ensure day-to-day compliance and the appointment of a COLP will not absolve the owners and managers of this responsibility. That said, it is important that the COLP agrees with the firm's management a clear job description and the allocation of sufficient resources to undertake the role. While personal liability is unlikely to be an issue, some COLPs are insisting on an indemnity against any such liability and the insurance market is developing products to cover this risk.
What should they be doing now?
Rule 8.2 deals with the need for firms to have 'suitable arrangements' for compliance (in addition to chapter 7 of the code). The guidance note to rule 8.2 indicates that the COLP elect should, in readiness for the autumn of 2012, produce a compliance plan. The plan is designed to ensure that the firm is able to demonstrate effective compliance and firms should analyse their compliance arrangements now and monitor their effectiveness on an ongoing basis. This will involve an analysis of internal systems of governance and responsibility, accounting, risk management (including file reviews, undertakings and critical dates), HR, client care, management information and staff training and development. The internal governance structure should ensure that the reporting lines for the COLP are clearly articulated and recording and reporting procedures established and agreed with senior management.
The COLP elect should also ensure compliance with AML and data protection legislation and ensure relevant training for staff on these obligations. While the specific duties of the COLP will not come into force until 31 October (at the earliest) firms must still comply with the handbook so many relevant systems should already be in place.
The new approach should provide greater, not lesser, flexibility for the providers of legal services. OFR should not be a huge challenge to well-run firms – firms that are committed to effective risk management, fiscal responsibility and good client care. It is the role of the COLP (and COFA) to make sure that firms are able to demonstrate compliance – so that we all treat our clients fairly and don't steal their money!