
Breach Management: what the SRA's compliance officer review means for your firm

In 2025, the Solicitors Regulation Authority carried out a thematic review of the Compliance Officer regime across 25 firms, interviewing 36 compliance officers and examining data from approximately 2,600 staff. The findings were, to put it plainly, damning. They revealed fundamental gaps in knowledge, reporting, record-keeping, and systems - gaps that should concern every firm in England and Wales.

This article draws on our recent Access Legal webinar on breach management to set out what the SRA found, why it matters, and what firms should be doing about it now.


by Brian Rogers

Regulatory Director

Posted 14/05/2026

Compliance officers don't know what the job requires

The headline finding from the SRA's review is stark: only one COLP out of those interviewed could describe the material requirements of their role. Not one individual was able to provide a comprehensive overview of all compliance officer requirements. When COLPs and COFAs were nominated, they and their firms gave assurances to the SRA that these were the right people, with the right support and training. The review suggests those assurances were not borne out in practice.

Beyond that, 20% of officers could not explain their record-keeping obligations, and 59% could only provide a partial explanation. Only half had read the SRA's own reporting and notification guidance - and only one officer could describe the difference between a notification and a report.

These are not marginal findings. The COLP and COFA regime is supposed to be the front line of consumer protection. If compliance officers do not know what they are supposed to be doing, the entire reporting architecture breaks down.

The reporting numbers don't add up

The review data on reporting is equally concerning. Across 25 firms over three years, 1,377 internal reports were made to 36 compliance officers - but three firms alone accounted for 82% of those reports. Only nine of those 1,377 internal reports made their way to the SRA. And 86% of compliance officers made no reports at all to the SRA over the entire three-year period.

You could argue that means everything was running smoothly. But as observed during the webinar, that interpretation does not hold up. Breaches happen. Administrative errors occur. Account rule issues arise. Residual balances build up. The idea that roughly 9,000 COLPs across the profession had nothing to report over three years simply does not reflect reality.

So what is going on? There appear to be multiple factors at play. Some compliance officers do not understand what may be reportable - particularly the concept that a series of individually minor breaches can form a trend that itself becomes reportable. Some do not know how to report or what information the SRA expects. And there is, candidly, a trust issue: firms are nervous about drawing the regulator's attention to themselves, particularly in an environment of increased fining powers and enforcement activity.

The problem is that not reporting carries far greater risk than reporting. The SRA has consistently stated that it treats non-reporting more harshly than the original breach itself.

Reporting process knowledge is poor

Only 25% of compliance officers could describe a defined reporting process within their firm. That means 75% could not. Some 44% relied solely on their own professional experience - none of whom had read any SRA reporting guidance. And 19% were unaware of their reporting duties entirely, because they had never had to make a report.

This points to a fundamental failure of internal policies, procedures, and training. As was noted during the webinar, if you have clear policies, clear procedures, and a clear reporting process that everyone in the firm understands, that in itself builds knowledge. A proactive compliance approach - where you are reading the guidance, auditing your files, and testing your systems before something goes wrong - is immeasurably better than scrambling to react after the event.

The SRA's guidance is available on its website. The reporting obligations are set out in paragraphs 7.7 and 7.8 of the SRA Code of Conduct for Solicitors and paragraphs 3.9 and 3.10 of the SRA Code of Conduct for Firms. These are not hidden requirements. They just need to be read.

Systems, records, and deputies

The review found that 31% of compliance officers could not provide a record of internal reports. Some 11% had no formal reporting system or process at all, and 17% could not provide an internal reporting policy.

If you have no policy, how does anyone in the firm know what they are supposed to report to you and how? If you have no system, how do you track trends? And if you have no records, how do you demonstrate to the SRA - or, in due course, the FCA - that you are doing your job?

There were also significant gaps in oversight. Some 11% of compliance officers had no formalised process to verify that staff were complying with instructions. Nearly half - 44% - did not have a deputy compliance officer. And 25% had not undertaken any training for their role within the previous 12 months.

The absence of deputies is a particular concern. If the sole compliance officer goes on holiday, falls ill, or is simply out of the office, the compliance function effectively ceases to exist. Best practice - and, I would argue, what should be a mandatory requirement - is to have a deputy in place at all times.

The 3.9 and 3.10 distinction

Many compliance officers struggle with the distinction between the "easy" reporting obligation and the "not so easy" one.

Paragraph 3.9 of the SRA Code of Conduct for Firms (and the equivalent solicitor provisions) requires you to report promptly to the SRA any facts or matters that you reasonably believe are capable of amounting to a serious breach of the SRA's regulatory arrangements by any regulated person. This is the relatively clear-cut obligation: you believe it is serious, you report it.

Paragraph 3.10 is broader and, in practice, less well understood. It requires you to inform the SRA promptly of any facts or matters that you reasonably believe should be brought to its attention so that it may investigate whether a serious breach has occurred - or otherwise exercise its regulatory powers. The key distinction is that 3.10 captures situations where you are not sure whether something is a serious breach, but the regulator needs to see it. It is designed to capture incomplete or ambiguous information you cannot fully assess, patterns of concern that have not yet crystallised into a clear breach, and matters relevant to the SRA's wider regulatory powers beyond just breach investigation.

This is a wider obligation than many firms appreciate. It is not just about what is happening within your own firm - it extends to conduct by other regulated persons that you become aware of. If you see another firm repeatedly engaging in concerning behaviour, you have an obligation to consider whether that should be reported.

The SRA's own enforcement strategy is clear: if in doubt, report. That is the safest course. The regulator cannot then say you failed to report, and if they consider a report unnecessary, that helps you benchmark for the future.

How to report

If you do need to report to the SRA, there are two formal routes: the online reporting form on the SRA's website, or email to [email protected]. It is important to note that a telephone call - for example, to the SRA's professional ethics helpline - is not in itself sufficient to constitute a formal report. Reports must be made formally and in writing.

A well-structured report should clearly set out who is reporting (the firm, COLP, COFA, or an individual), who is affected (clients, third parties, or internal staff), what happened (facts only, not speculation), which SRA provisions may have been breached, and why the matter is considered serious enough to report. You should also address when the issue occurred and when it was discovered - these are not always the same - any immediate risks and the mitigation you have put in place, remedial action already taken, and lessons learned or changes implemented as a result.

The SRA expects prompt reporting, but it also expects transparency and a reasoned judgement. If you are reporting promptly and have not yet gathered all the facts, it is perfectly acceptable to say so and to follow up with further information.

Confidentiality is not a barrier

A common concern is whether reporting obligations conflict with duties of confidentiality. The position is clear: you may disclose confidential or privileged information to the SRA if it is reasonably necessary to meet your regulatory obligations. This should be reflected in your terms of business, privacy policy, and data protection notices. Where legally privileged information is involved, client consent should be obtained where possible, but the SRA has mechanisms for confidential disclosures and can, if necessary, obtain information through a statutory production notice.

The consequences of not reporting

The consequences of failing to report when required are significant. The SRA may pursue separate disciplinary action for the failure to report, distinct from any action relating to the underlying breach. Sanctions may be increased, and the failure itself may be treated as evidence of a lack of integrity - which is, of course, itself a breach of SRA Principle 5.

Self-reporting, by contrast, is treated as a mitigating factor. If you discover an issue, report it promptly, and demonstrate that you have taken remedial action, the SRA will take that into account. Conversely, if an issue is discovered through other channels - another firm's report, a client complaint, or an SRA investigation - and you knew about it but failed to report, the consequences will be materially worse.

The FCA dimension

This is not just about the SRA. With the transfer of AML supervision to the FCA on the horizon - likely within 12 to 18 months - firms will face a fit and proper assessment for their compliance officers and principals. The FCA will ask searching questions about past compliance performance. Firms that have been fined for AML non-compliance, or that have a history of poor reporting, will face significant challenges in demonstrating that their officers are fit and proper for regulation under the FCA's regime.

The time to get your house in order is now. If the story has not been as good as it should have been, you need to be able to demonstrate that you have taken meaningful steps to improve. A clear record of proactive reporting, robust systems, and trained officers will go a long way. A blank sheet will not.

Key takeaways for firms

Firms should ensure their compliance officers and deputies are fully supported - with adequate time, resources, training, and a clear understanding of what the role requires. Effective reporting procedures must be embedded in the firm, not simply filed away; the SRA will test whether policies are genuinely being followed. Comprehensive reporting records must be maintained, on the principle that if it is not written down, it did not happen. And all staff - not just the COLP - should be trained to identify potential breaches and other matters that may need to be reported.

The SRA's thematic review has laid bare the scale of the problem. The question for every firm is whether it is going to act on those findings before the regulator - or the FCA - comes knocking.


Brian Rogers FCMI has been supporting regulated legal entities to meet their regulatory, compliance and accreditation obligations for over 30 years, in areas such as risk, regulation, compliance, data protection and anti-money laundering.

Brian created the Access Legal Compliance system (previously known as Riliance) after having worked in legal practice management for more than 20 years.

Brian now shares his knowledge and experience in a monthly legal risk and compliance update webinar that is attended by more than 2,000 legal professionals each month who find the updates provided invaluable in remaining compliant in the ever-changing legal regulatory landscape.