Jack of all trades: The ever-expanding role of compliance officers under OFR

The UK compliance agenda is starting to get very crowded. After endless rounds of training on outcomes-focused regulation (OFR), compliance officers could be forgiven if they had looked forward to putting their feet up. It looks as though they will be sorely disappointed. Far from a pause in the proceedings, it appears that the compliance agenda is starting to develop a steep trajectory all of its own. 2014 and 2015 look to be the years in which OFR starts to bite, not only in terms of the organisational aspects of law firms but also, increasingly, on their strategic aims.

Compliance is not glamorous. It is often see to be passive; the sole raison d’être is merely to check on the work being done by hard-pressed fee earners within the firm. Indeed, to some, this preoccupation with compliance can seem to be a hurdle which must be traversed so that the ‘real work’ can be done. Compliance can seem to be a distress purchase, something which is a necessary evil, but does not bring with it any discernible benefit to the firm – it is
simply a way of staying out of trouble. Times have changed.

The compliance agenda

The saturation training of the profession in OFR in recent times could result in a perception of stasis in law firm compliance. This could become a problem for compliance officers, especially when they seek additional resources and assistance for their departments.

The job of the compliance officer is set to leech into virtually all aspects of management decision-making over the coming years. It would be wrong to pigeonhole this work into a compliance silo, concerned only with the checking of material and non-material breaches. From now on, compliance officers will find themselves ‘treading on the toes’ of their colleagues in relation to information technology, education and training, human resources and anti-money-laundering compliance, to name just a few. The reasoning is set out below.

The ‘risk role’

Firstly, there is a growing body of
research which illustrates that the compliance role has an impact
beyond just claims avoidance.

In February 2013, the Solicitors Regulation Authority (SRA) published the paper Measuring the Impact of OFR on Firms. The research, which went relatively unnoticed, was based on a telephone survey of 1,000 solicitors from a variety of firms, selected at random.

More than half (58 per cent) of those interviewed stated that they had made additional changes to their practice arrangements, over and above the nomination of their compliance officer for legal practice (COLP) and compliance officer for finance and administration (COFA). However, 40 per cent confessed that the nomination of compliance officers represented their only involvement in OFR.

The research found that a number of firms had taken the opportunity to review their existing policies and procedures
(27 per cent), to create new policies
from scratch (26 per cent) and to undertake additional training across the firm (24 per cent). The implication was
that OFR had provided an impetus to make improvements to the governance of their firms above and beyond compliance.

Why is this research important?
A clue to the future of OFR can be
found in the responses. Those that stated that their firms’ procedures were well established and adequate (the ‘nothing to see here’ culture) were considered unduly complacent. Indeed, they would seem to be outside the ‘identify/monitor/review’ design of the SRA’s Risk Framework.
The idea of a suspiciously ‘clean sheet’
is not one that sits comfortably with OFR. The implication for compliance officers is that they will need to become comfortable with the idea that their work will never really be finished.

Firmwide integration

Secondly, compliance has started to integrate itself within the central management agenda. Over the past few months, the SRA has published a number of reports in relation to matters as diverse as cybercrime, the benefits of cloud computing, problems with the consolidation of the legal services marketplace, and research on the characteristics and risks associated
with firms in financial difficulty.

Compliance officers are starting
to become risk specialists in the fullest sense of the word. Data collection by the regulator and the need to engage with current research means that compliance officers should be involved in most areas of large procurement within their firms.

For instance, in February 2014 the SRA highlighted the problems associated with cybercrime and the technological
and human factors at work in Spiders in the Web: The Risks of Online Crime to Legal Business. This may seem to be a job for the head of IT, but in fact for the compliance officer it is of vital importance to ensure that data is protected and that all staff are aware of the relevant mobile working policies and only use secure
Wi-Fi networks.

A changing agenda

Thirdly, the management agenda itself is changing. For instance, diversity and inclusion has become a critical issue. It is fair to say that it is one of the main planks of the Legal Services Act 2007 and is also part of the SRA’s strategic plan for 2013 to 2015. While this may be seen as an issue of recruitment and retention (as well as an issue on beauty parades for some corporate clients) its ramifications now impact on the compliance agenda.

In the past, it was sufficient to avoid censure from the regulator. Now, the emphasis has shifted to ‘internal compliance’, which has the effect of throwing most of the regulatory load
onto the firm. It is not enough to simply forward diversity data to the regulator, for example. The firm has to be in a position of ongoing monitoring, as well as making plans for improvement and checking on progress to track improvements.

This is a much more dynamic approach than was the case in the past. To do it properly, compliance officers need the support and resources to scrutinise results. In addition to their new roles as risk specialists, they will find themselves adding research and data collection to their skill sets, as well as a newfound interest in HR data.

Developing learning

Finally, education and training is about to fly up the compliance agenda. ILEX Professional Standards, the independent regulator of members of the Chartered Institute of Legal Executives, instituted new continuing professional development (CPD) arrangements from September 2013. The new approach moves away from an “hours-based (inputs) system
to one based on professionals identifying their own development needs and
meeting them year by year,” according
to chair Alan Kershaw.

However, even before that announcement, the relevant SRA
outcome had already shifted the educational focus. On first reading, Outcome 7.6 seems to be nothing more than an exhortation to complete CPD hours: “you train individuals working in the firm to maintain a level of competence appropriate to their work and level of responsibility.” However, the outcome is wider than simple ‘hourage’ compliance.

Education and training should be provided at the right level and for a wide variety of personnel. It is also important to ensure that there is an ‘educational audit trail’ recording not just the fact of the training but its impact. Rule 8.2 of the
SRA Authorisation Rules requires that firms have suitable arrangements for training and compliance. The simple recording of hours is not enough in
this context; some form of assessment
of attainment and understanding is required to comply with this aspect.

The SRA’s Training for Tomorrow consultation (which closes 2 April 2014) sets another task for law firms and, in particular, compliance officers. Although apprenticeships and undergraduate and professional education grabbed the headlines, the issue of what is now to be termed ‘continuing competence’ has been relatively muted.

Is this CPD with bite? CPD looks to move from passive hourage adherence to a more active approach in which there is a need to ‘demonstrate’ that something has been achieved. The consultation document makes clear that the SRA’s review of CPD will be “wider in scope than a simple reform” and there will be
“a broader look at how CPD can be used more widely in our regulatory framework”.

It appears that CPD could be used to enhance specific training in risk management, perhaps as set out in the SRA’s risk outlook publications as well as remedial training identified as being particularly vulnerable and subject to regulatory action. Interestingly, the SRA also appears to be considering the use of education and training to prescribe specific competence requirements of the people holding certain regulatory roles as a way of demonstrating competence in those roles. This could, perhaps, lead to the development of methods of assessment in relation to anti-money-laundering compliance as well as specific training for compliance officers. Compliance officers have now gained
an education portfolio.

Tomorrow’s lawyers

The compliance agenda for law firms has changed. Twenty years ago, the focus was on claims avoidance. Now, firms have consolidated, clients are more demanding and the financial and regulatory aspects of practice are more complex. These range from anti-money-laundering compliance to diversity and equality data collection to the problems and opportunities of information technology. We have moved from simple ‘claims avoidance’ to ‘firm stability’ in the need for efficiency and financial hygiene.

Jane Jarman is a solicitor and reader
at Nottingham Law School
(www.ntu.ac.uk/nls)