
Jean-Yves Gilg

Editor, Solicitors Journal

Demystifying compliance: Tips to identify and tackle material breaches

Feature
Nick Fluck considers how law firms in the UK should define, record and report 'material' breaches to the Solicitors Regulation Authority

Compliance officers and those with compliance responsibilities in the UK often feel isolated in a regulatory landscape that is regularly shifting and changing. With the recent introduction of the ninth version of the SRA Handbook and the tenth version expected to follow shortly, it is likely that there will be further changes ahead.

Principle 8 of the Solicitors Regulation Authority’s (SRA’s) outcomes-focused regulatory regime requires firms to run their businesses “with proper governance and sound financial and risk management principles”. Integral to this is the requirement for each firm to appoint two compliance officers: a compliance officer for legal practice (COLP) and one for finance and administration (COFA).

Both the COLP and COFA are responsible for ensuring that their firm has adequate systems and controls in place to ensure compliance with regulatory requirements. A critical aspect of this is recording and reporting ‘material’ breaches of the SRA Handbook and Code of Conduct to the regulator.

The underlying philosophy of an outcomes-focused approach is that prescriptive rules are avoided if possible and practitioners exercise their judgement as to how the required outcome can best be met. Given this, the SRA has resisted providing a definition of a material breach. At Managing Partner’s COLP and COFA conference on 18 October 2012, Samantha Barrass, the then executive director of the SRA, said:

“We have resisted the pressure to produce more detailed guidance on breaches for good reasons. First, we do believe well-run firms should be able to use their own judgement on what constitutes risk and a serious breach. Second, providing detailed prescription on what is and isn’t a material breach is a fool’s errand. If you’re wondering whether or not a breach is material, then it probably means it is material.”

Defining ‘material’ breaches

The duties around material breaches arise from sections 91 and 92 of the Legal Services Act 2007 (LSA), which have been given effect through rule 8.5 (c) and (e) of the SRA Authorisation Rules 2011. But neither the authorisation rules nor the LSA offers any specific guidance as to what constitutes a material breach.

Defining what constitutes a material breach is therefore challenging, particularly given the characteristics of a system of regulation based on high-level outcomes. Guidance Note (x) to Rule 8 of the authorisation rules provides some assistance:

“In considering whether a failure is ‘material’, the COLP or COFA, as appropriate, will need to take account of various factors, such as:

(a) the detriment, or risk of detriment, to clients;

(b) the extent of any risk of loss of confidence in the firm or in the provision of legal services;

(c) the scale of the issue; and

(d) the overall impact on the firm, its clients and third parties.

“In addition, the COLP/COFA will need to keep appropriate records of failures in compliance to:

(a) monitor overall compliance with obligations;

(b) assess the effectiveness of the firm’s systems;

(c) be able to decide when the need has arisen to report breaches which are material because they form a pattern.”

Ultimately, it is therefore for compliance officers to make a judgement call as to whether a breach is material. Factors such as the detriment or risk of detriment to clients, the scale and duration of the issue and the overall impact on the firm will need to be considered in deciding whether a failure is material.

In reaching a judgement, it is sensible to access and consider internal and/or external advice, while recognising the importance of carrying out an independent assessment of breaches and resisting any internal pressure to hold back on the duty to report.

In borderline cases, it is generally safer to err on the side of caution and make a report to the SRA. When making a report, the COLP or COFA should ensure that steps are taken to:

(a) remedy the breach as far as possible; and

(b) ensure that the situation is unlikely to happen again (e.g. through systems, procedures, policies, supervision, monitoring and training).

Reporting breaches

The new compliance officer regime has resulted in an increase in the number of breaches reported to the SRA. According to figures from the regulator’s supervision department, just over 1,000 breaches were reported in 2013, compared to around 250 the previous year (when the compliance officer regime was not yet in place).

COLPs and COFAs are responsible for reporting material breaches to the SRA as soon as reasonably practicable. The SRA has indicated that timely reporting is important and that a material breach must be reported within 24 hours of it being discovered.

Looking at reporting responsibilities from a firmwide perspective, managing partners need to both support and facilitate full disclosure of breaches. To contextualise this, a partner who orders a compliance officer not to inform the SRA would risk being in breach of Outcome 10.7 (“you do not prevent anyone from providing information to the SRA”).

Additionally, and critically, the requirements on COLPs and COFAs to ensure compliance with regulatory requirements do not remove the ultimate responsibility on managers of a practice to have suitable arrangements in place to ensure that managers and employees comply with the SRA’s regulatory arrangements.

In fact, the greater responsibility for compliance lies with the firm and its managers. Rule 8.1 of the SRA’s authorisation rules specifies that firms and their managers “must ensure” compliance with regulatory and statutory requirements. Compliance officers are, by contrast, required to “take all reasonable steps” (rule 8.5 (c) and (e) of the authorisation rules).

There is a range of advice and support to judge whether a breach is material. In May 2013, the SRA issued three case studies based on reports it received, which outline the factors that COLPs and COFAs should take into consideration in reaching a decision on whether a breach is material or non-material. Another case study is provided in the compliance reference group section of the Law Society’s website.

The SRA’s ethics Q&A section for COLPs and COFAs contains some material on the reporting of breaches, while the Law Society’s compliance officer FAQs and practice note for compliance officers cover reporting responsibilities. Members of the society’s risk and compliance service can also access a ‘safe harbour’ advice service from a panel of regulatory compliance experts and practitioners.

Recording breaches

The compliance landscape is not static. As part of the SRA’s Red Tape Initiative, the version of the SRA Handbook which came into force on 8 October 2013 removed the requirement for non-alternative business structure (ABS) firms to report non-material breaches annually to the SRA as part of its annual information-gathering exercise. Records of non-material breaches still need, however, to be kept to support the identification and management of systemic risk issues and to demonstrate to the SRA on request.

It is important to note that, while a single non-material breach may be considered trivial, a series of such breaches may constitute a material breach. Compliance officers will need to establish systems to identify patterns of breaches and to be assiduous in compiling records of non-material breaches. ABSs continue to be required to report non-material breaches because of the full reporting obligations imposed on them by the LSA.

The SRA recently unveiled plans to remove the requirement for firms to have their client accounts reviewed by an independent accountant and to submit an annual accountant’s report. If implemented, this may have consequences for the COFA role, with the COFA becoming the main financial conduit between a firm and the SRA.

In this context, it is worth mentioning the concern expressed by the SRA about the lack of self-reporting by law firms that are in ‘intensive engagement’ with it because of significant financial difficulties. Firms in financial distress should bear in mind that the regulator has publicly stated that intervention is the ‘last resort’ and that it would always prefer active engagement, transparency and a willingness to take the necessary steps to address financial problems.

Top-level management of compliance risks

The role of the compliance officer is to focus on ensuring the right practices, procedures and processes are in place within the firm to manage risks and that the right information is collected, analysed and acted upon.

But this does not absolve senior managers of their own responsibilities. It is important for the managing partner to recognise the need to provide sufficient support to the firm’s compliance officers to ensure that the firm discharges both its regulatory and statutory obligations.

The SRA’s view is that “a proactive, efficient regulatory regime is one where the primary responsibility for managing compliance risk lies with the firms by creating a clear formal focus for delivery of the regulatory outcomes in each firm, increasing the chances that the vast majority of firms will identify and deal with regulatory risk”.

Becoming familiar with the regulator’s take on risk will provide context to the roles of the compliance officers in managing risks within the firm. COLPs and COFAs should also familiarise themselves with the SRA’s Regulatory Risk Framework and Regulatory Risk Index, as well as monitor its regularly-updated Risk Outlook.

Key risks that have recently been identified include:

  • financial difficulty;

  • dishonest misuse of client money;

  • failure to cooperate or comply with notification and information requirements;

  • lack of adequate succession and exit planning;

  • poor standards of service or advice;

  • lack of care over outsourcing arrangements;

  • inadequate systems and controls over the transfer of money; and 

  • cybercrime.

Nicholas Fluck is president of the Law Society of England & Wales (www.lawsociety.org.uk)