Legal Compliance Update

If there was ever a month where the regulatory landscape shifted beneath the profession's feet, this was it. From the Legal Services Board's most consequential intervention since the Legal Services Act 2007 to the quiet passage of legislation that will reshape corporate criminal liability for every law firm in England and Wales, the period covered by the update delivered a series of developments that no compliance officer, COLP, or managing partner can afford to ignore.

Here's what you need to know.

The LSB finally loses patience

On 6 May 2026, the Legal Services Board published a statement on the SRA's regulatory performance that may prove to be the most significant oversight intervention in nearly two decades. The language was measured. The implications are seismic.

The LSB is deeply concerned about the failure of PM Law Limited, where cumulative client money losses associated with Axiom Ince and PM Law now stand at approximately £100 million. The SRA has been ordered to commission an independent review into its handling of the matter, due within the coming weeks.

This isn't just about one firm. The LSB is asking fundamental questions about how the SRA supervises, how it escalates, and whether the people at the top of the regulatory structure had the right background and expertise to prevent what happened.

The LSB has also reversed its planned budget cut and approved an increase - an extra £1.79 on every authorised lawyer's practising fees - citing the PM Law collapse as a key factor. The profession is, once again, picking up the bill.

The SRA's reset - words and actions

Credit where it's due: the mood music from Sarah Rapson, the SRA's relatively new chief executive, has been positive. She has acknowledged candidly that the SRA needs to change to regain the trust of solicitors, law firms and the wider public.

The SRA has doubled its leadership team with four new director-level posts covering supervision, risk and data, external affairs, and general counsel. It's also consulting on mandatory CPD records and annual ethics discussions for all solicitors - a move that has divided opinion, with early polling suggesting around 40% think three hours of ethics discussion is about right and another 40% think it's too much.

Personally, I think three hours isn't enough. We can't keep talking about "the odd bad apple" when the evidence points to systemic issues. Ethics discussions shouldn't be a once-a-year tick-box exercise - they should be woven into one-to-ones, case reviews and everyday practice.

The SRA has also signalled its willingness to revisit the split complaints system with the Legal Ombudsman, with its chief executive telling the Justice Select Committee that the SRA "would love to have a conversation" about whether it should take on complaints handling. Whether they'd actually want that workload on top of everything else right now is another question entirely.

The "sufficiently serious" test

The Court of Appeal has ruled that a solicitor's breach of their regulatory obligations will only amount to misconduct if it is "sufficiently serious." The case is heading back to the tribunal, but it raises an important question: who decides what's sufficiently serious, and where's the benchmark?

This matters because the profession already has a reporting problem. The SRA's own thematic review found that 86% of compliance officers had not made a single report to the SRA in three years. Of nearly 1,400 internal breach reports across the firms visited, only 9 were escalated to the regulator. That's a 0.65% escalation rate.

And here's the part many people miss: it's not just serious breaches that need reporting. The rules also require you to report matters to the SRA so that it can investigate whether a serious breach has occurred. That opens up a much wider reporting obligation than most firms currently recognise - and it's something we'll be covering in detail at our Breach Management webinar on 14 May.

Mazur: the dust settles (mostly)

The Law Society has decided against appealing the Court of Appeal's ruling in Mazur - a decision I think was sensible, given the risk to its own members had things gone the wrong way.

The Law Society has published litigation guidance post-Mazur, which is helpful, but it references SRA guidance that hasn't yet been reviewed or signed off. So firms are in the odd position of following recommendations that point to regulatory standards which don't yet exist in final form.

The Court of Appeal has also amended its ruling to clarify that firms are not at risk of criminal offence through inadequate supervision of unauthorised persons. That's reassuring from a criminal law perspective, but it doesn't change the regulatory position - the SRA will still come after you if your supervision arrangements aren't up to scratch.

The FCA's fit and proper test: a looming challenge

This is potentially the biggest issue on the horizon for firms with AML obligations. When supervision transfers from the SRA to the FCA - likely around 2027-28 - firms, their owners and their managers will need to pass the FCA's fit and proper test.

Consider this: hundreds of firms have been fined for AML breaches in recent years. Many were non-compliant for an average of six years, with some stretching to fifteen. Their enforcement records will transfer to the FCA. The question is: will the FCA lower the bar to let them through, or will it hold firm?

I'd like to think the FCA will take a pragmatic view - if a firm was fined but has demonstrably fixed the problem, perhaps a period of enhanced supervision rather than outright rejection. But firms that are still non-compliant when the door opens will have a very different conversation.

The FCA has also published updated findings on customer due diligence processes and controls. If you're going to be moving to FCA supervision, start getting familiar with their expectations now. The senior managers regime carries significantly more personal liability than the current COLP/MLRO framework.

AML and sanctions: the legislative pipeline

Money Laundering Regulations: HM Treasury has laid draft amendments to the MLR 2017 before Parliament. The changes aren't expected to be massive, but they will require updates to firm-wide risk assessments, policies, controls and procedures. Watch this space.

Sanctions: New regulations under the Sanctions (EU Exit) (Miscellaneous Amendments) Regulations 2026 came into force on 12 May. A new Legal Services General Licence (INT/2026/9512597) has been issued, replacing the previous one which expired on 28 April. Make sure your sanctions risk assessments are updated accordingly.

On the question of whether you need separate firm-wide risk assessments for AML and sanctions: my view is it's up to you, as long as both are clearly addressed. However, some SRA officers have apparently been saying they expect to see them in separate documents. If you get pushback, I'd recommend going to the SRA's ethics helpline in writing for a definitive answer - and letting me know what they say.

The SRA's fixed fines contradiction

This one genuinely made me laugh. The SRA issued its first fixed fines to four firms for failing to provide AML and sanctions data - £750 each. Fair enough, you might think. Except that just days earlier, the SRA's own Chair and CEO told the Justice Select Committee that they could not demand information from firms unless a formal investigation was under way.

So which is it? Either the Chair and CEO were wrong about their own powers, or the fixed fines shouldn't have been issued. The rules clearly state that firms must cooperate with the regulator and provide information on demand. Perhaps some internal training is in order.

Corporate criminal liability: the wake-up call

The Crime and Policing Act 2025 received royal assent on 29 April 2026, with enhanced corporate criminal liability provisions taking effect from 29 June 2026. This was buried amongst provisions on shoplifting and probation, but Clause 130 is significant for every law firm.

The new rules require corporate organisations in all sectors to think carefully about situations in which individuals could commit offences in the course of their duties - and how to minimise the opportunities for offending conduct. Critically, this applies across the full spectrum of criminal offences: fraud, bribery, money laundering, health and safety, environmental breaches, data protection, computer misuse, modern slavery, and public order offences.

For law firms, this means that practice managers, IT managers, compliance officers and anyone with management influence could be caught by these provisions. If your compliance officers were "asleep at the wheel" when AML breaches occurred  and the fines suggest many were - this legislation adds a new dimension of personal risk.

Firms have until 29 June to get their houses in order. Policies, procedures and training all need updating.

Other developments worth noting

Client expectations: Research shows the vast majority of clients expect weekly updates and same-day responses from their lawyers. The question, as always, is who pays for this - particularly when there's nothing to report.

Misleading reviews: Firms posting nothing but perfect reviews on their websites risk breaching rules around misleading publicity. An analysis of 50 firms found that every single one of 486 testimonials was five stars. The Advertising Standards Authority will take an interest if complaints are made.

NDAs: The government has recommended that employees receive independent legal advice before signing non-disclosure agreements, as part of plans to stop the cover-up of harassment and discrimination.

Legal advice privilege: The High Court has widened legal advice privilege to cover all internal client documents where the dominant purpose is to seek legal advice, even if they wouldn't actually be sent to a lawyer. This will need staff training.

Digital ID verification: New government guidance aims to build trust in digital verification services. The key resource is the Digital Verification Services (DVS) register, which firms can use to check the reliability of digital ID providers. Consider how this fits into your firm-wide risk assessment.

HMRC tax adviser registration: From 18 May 2026, all individuals or entities that interact with HMRC on behalf of clients for payment must register as a tax adviser. The Law Society has published helpful guidance. You have three months, but don't leave it to the last minute.

Immigration: The Home Office has updated its guidance following the renaming of the OISC to the Immigration Advice Authority.

SRA sanctions: 2 April – 5 May 2026

Twelve sanctions were imposed during this period, totalling £245,303. The largest - £160,059 - related to client account failures spanning 2018-2025, arising from inadequate checks when acquiring firms out of administration. AML failures dominated the remainder, with fines ranging from £725 to £25,000.

Notably, 80% of the fined firms held CQS or Lexcel accreditation. Which raises the question I keep asking: where were the seven layers of compliance oversight - COLP, COFA, MLRO, MLCO, independent audit function, senior responsible officer, and the partners themselves - that should have prevented these failures?

These are exactly the questions the FCA will be asking.

What you should do now

1. Read the LSB statement on SRA regulatory performance - it sets the direction for everything that follows
2. Review your breach reporting processes - the 0.65% escalation rate suggests most firms are under-reporting
3. Update your firm-wide risk assessments for the sanctions regulation changes (in force 12 May) and the upcoming MLR amendments
4. Prepare for the Crime and Policing Act provisions on corporate criminal liability (in force 29 June)
5. Register with HMRC as a tax adviser from 18 May if you interact with HMRC on behalf of clients
6. Start familiarising yourself with FCA expectations - the fit and proper test is coming, and your enforcement history will transfer
7. Engage with the SRA's consultation on mandatory ethics discussions and CPD records
8. Train staff on the widened legal advice privilege and updated beneficial ownership guidance

The April 2026 compliance update covered significant ground — from the Court of Appeal's Mazur judgement to the ongoing failures of the CQS regime, the Legal Ombudsman's continuing struggles, and the quiet but important question of what firms must actually report to the SRA. What follows is a summary of the key developments and the regulatory questions they raise.

Mazur: business as usual, but not quite

The Court of Appeal has upheld the Mazur decision, and the headline for most firms will be straightforward: unauthorised persons can continue to carry out work that falls within the conduct of litigation, provided they do so under proper supervision.

But the judgement deserves closer reading than some commentary has given it. Lady Justice Andrews was clear that the critical question is whether the unauthorised person is in truth acting on behalf of the authorised individual. If they are, it is the authorised individual who is conducting the litigation. If the reality is otherwise — if the unauthorised person is not working for and on behalf of the authorised individual — they will be committing an offence.

This is not a blanket permission to delegate without oversight. Firms need to review their supervision arrangements now, ensuring that delegation to unauthorised staff is genuinely supervised and that the authorised individual retains meaningful conduct of the matter. The distinction between proper delegation and unsupervised handover is where regulatory risk sits.

Is the LSB fit for purpose?

The Legal Services Consumer Panel has posed a direct question: is the Legal Services Board sufficiently resourced and structured to oversee the regulatory framework?

Tom Hayhoe, the Panel's Chair, observed that the legal services market is increasingly complex, technologically dynamic, and characterised by rapid shifts in business models and risk profiles. He questioned whether an oversight regulator of fewer than 50 staff can effectively oversee such a system — not as a criticism of the LSB's staff or leadership, but as recognition that the scale and complexity of the sector may now exceed the assumptions underpinning its original design.

With the LSB itself under parliamentary scrutiny, the frontline regulators under LSB scrutiny, and the final Post Office inquiry report still to come, the structural questions about the Legal Services Act 2007 framework are only going to intensify.

The LSB, ethical standards, and the rule of law

The LSB has set out new expectations to strengthen lawyers' ethical standards and rule of law obligations — a move linked directly to the Post Office scandal and its exposure of professional failures.

The concern, however, is whether this represents anything materially new. A comparison of the LSB's proposals with the SRA's existing Standards and Regulations reveals substantial overlap. The ethical obligations are already there. The question is not whether they exist on paper, but why they are not being met in practice — and what the LSB intends to do differently to change that.

Some regulators in other sectors are moving towards mandatory annual ethical training. Legal services arguably already has this through the competency framework and schemes like CQS. But the gap between completing training and reflecting on it — between ticking a box and changing behaviour — remains wide.

Reserved legal activities under review

LSB Chief Executive Richard Orpin has signalled a growing case for reviewing the six reserved legal activities. The legal market, he noted, has changed beyond recognition since those activities were enshrined in the Legal Services Act 2007, and the uncertainties exposed by Mazur have strengthened the case for re-examination.

For firms, the practical question is: what would happen to your business model if activities such as conveyancing or probate were no longer reserved? If estate agents could handle the full transaction, or if non-authorised providers could offer the complete range of probate services, the competitive landscape would shift fundamentally. This may not happen imminently, but forward planning is prudent.

The reporting obligation nobody talks about

The SRA's December 2025 COLP thematic review revealed that only nine of the 1,377 internal breach reports made by firms over three years were referred to the SRA. Eighty-six per cent of COLPs reported nothing externally over the same period, and the vast majority of the 1,377 internal reports came from just three firms.

These figures alone warrant attention, but there is a further dimension that many firms appear to overlook. The obligation to report serious breaches is well understood — at least in principle. What is less well recognised is the separate obligation under the SRA's rules: firms must also inform the SRA of matters so that it may investigate whether a serious breach has occurred.

This is a distinct requirement. It is not limited to breaches the firm itself considers serious. It encompasses matters the firm believes the SRA may wish to assess.

When pressed for guidance on what this means in practice — what types of matters the SRA would wish to investigate — the regulator declined to provide examples, thresholds, or case studies. The reasoning is understandable: the SRA does not want to create a floor beneath which firms assume reporting is unnecessary. But the consequence is a vacuum of guidance that, post-Mazur, sits at odds with the SRA's stated commitment to providing clearer direction to the profession.

This is an area firms should watch closely. The absence of guidance does not diminish the obligation.

CQS: the 88% question

Another CQS-accredited conveyancing firm has been fined for AML non-compliance — one that was non-compliant for nine years. This brings the proportion of firms fined by the SRA this year that hold CQS accreditation to approximately 88%.

The question remains unanswered: how does a firm maintain CQS accreditation through annual renewals while being non-compliant for nearly a decade? The Law Society's response to repeated Freedom of Information requests on CQS audit frequency, methodology, and outcomes has been to decline disclosure on commercial or voluntary-scheme grounds.

What is known is that proposed desk-based and on-site audits, flagged during the 2019 CQS review, were not implemented — initially because of COVID, and subsequently because they simply have not been reintroduced. The annual renewal process reportedly includes compliance questions, but asking a firm whether it has a firm-wide risk assessment is not the same as verifying that it does.

The implication for firms doing the right thing is clear: they are being held to a standard that is not being enforced against those who are not. And when the FCA assumes AML supervisory responsibility, the question of whether past CQS-related enforcement failures will factor into fit-and-proper assessments is a live one.

Consultant solicitors: a new Mazur in waiting?

The SRA has updated its position on consultants’ service companies employing assistant solicitors, concluding that assistant solicitors fall within the ‘employee’ definition for regulatory purposes.

This guidance raises concerns. The Legal Services Act's definition of "employee" may not support the broader interpretation the SRA has adopted. If that analysis is correct, we may be looking at another situation where regulatory guidance proves unreliable when tested — a Mazur echo.

Practical risks include: insurance disclosure gaps between consultant and instructing firm; questions over whether clients are aware that work is being carried out by an assistant rather than the consultant they instructed; and the possibility that insurers may reserve their position on negligence claims arising from work done by assistant solicitors operating through consultants’ service companies.

For the estimated 2,000 solicitors now providing services through consultancy arrangements, the advice is to ensure full transparency — with instructing firms, with clients, and with insurers — and to take independent advice on the regulatory position rather than relying solely on the SRA's current guidance.

AML: OPBAS warnings and the FCA horizon

OPBAS has warned regulators over the failure to take sufficiently dissuasive action on AML breaches. With average fines running at approximately £20,000, the question of whether non-compliance has simply become a cost of doing business is legitimate.

The transition to FCA supervision, expected within 18 to 24 months, will likely change the calculus significantly. The FCA's enforcement culture is materially different, and the prospect of substantially higher fines — alongside fit-and-proper assessments — should focus minds now, not when the transition takes effect.

Firms should ensure their firm-wide risk assessments reflect the UK government's recently published strategic approach to sanctions enforcement and the updated UK sanctions guidance issued on 30 March 2026.

The Legal Ombudsman: sticking plasters

The LSB has rejected the Legal Ombudsman's request for an 11.1% budget increase, approving approximately 6% instead. The Legal Ombudsman is calling for input on a draft model complaints resolution procedure.

Meanwhile, the government's preferred candidate for Chair of the Office for Legal Complaints told the Justice Committee that the Legal Ombudsman had performed better than it had been given credit for — a characterisation that is difficult to reconcile with years of missed targets, escalating budgets, and growing backlogs.

The complaints system is, by most accounts, broken. The LSB and Legal Services Consumer Panel appear to agree. A model complaints resolution procedure may be necessary in the interim, but it does not address the structural problem. Firms should nonetheless respond to the consultation — the outcome will affect how complaints against you are handled.

Conveyancing under pressure

Residential conveyancing now accounts for 36% of complaints accepted by the Legal Ombudsman, with 647 received in Q3 2025/26. But raw complaint numbers without outcome data — how many were upheld, how many were dismissed, what the underlying causes were — tell us very little.

The broader picture is one of a practice area under unsustainable pressure. Conveyancers are being held responsible for matters outside their expertise — coastal erosion risks, landslide exposure — while operating in an environment where search providers and local authorities contribute to delays, estate agents remain unregulated, and the economics of the work are increasingly marginal.

The TA Property Information Form became compulsory for CQS firms from 30 March 2026. Firms should ensure they have implemented it.

Key takeaways

Review supervision arrangements. Mazur permits delegation to unauthorised staff, but only where the authorised individual genuinely retains conduct. Assess whether your current arrangements meet that test.

Assess your reporting obligations. The duty to inform the SRA extends beyond breaches you consider serious. There is a separate obligation to report matters the SRA may wish to investigate. The absence of SRA guidance on what this encompasses does not reduce the obligation.

Prepare for the FCA. AML supervision is transferring within 18 to 24 months. Firms with enforcement histories — particularly those holding CQS — should consider how that record may be viewed through fit-and-proper assessments.

Consider reserved activities. If conveyancing or probate were no longer reserved, what would that mean for your firm? The LSB has signalled a review. Forward planning costs nothing.

Respond to consultations. The Legal Ombudsman's draft model complaints resolution procedure and the LSB's ethical standards proposals both warrant responses from the profession.

Make ethical training mandatory. Do not wait for regulators to require it. Implement it now, with case-study-based reflection, not tick-box completion.

The pace of regulatory change in the legal sector shows no sign of slowing. If anything, February and early March 2026 have been among the most significant weeks in recent memory. From a second formal censure of the SRA to the Mazur appeal, from AI warnings to AML enforcement pressure, the issues converging on the profession right now demand attention.

Here's what you need to know - and what you need to be doing about it.

The LSB formally censures the SRA again

The Legal Services Board has now issued a formal public censure of the SRA for its failure to protect consumers affected by the collapse of the SSB Group. This follows the earlier censure over Axiom Ince, making this the second time the oversight regulator has taken such action against the SRA.

The question that keeps coming back is a simple one: how many censures does it take before something fundamentally changes? The first was described as historic. The second starts to look like a pattern.

With the Ministry of Justice also announcing a long-awaited review of the LSB - the first since 2017 - and a call for evidence asking whether the LSB is sufficiently focused on its statutory obligations, the regulatory framework itself is now under scrutiny. The call for evidence asks pointed questions about how the LSB holds frontline regulators to account and what evidence there is that its oversight has had a positive impact. These are the right questions. Whether they lead to meaningful reform remains to be seen.

A new CEO, a new direction?

Against this backdrop, the SRA's new chief executive Sarah Rapson has pledged a "back to basics" approach, with a focus on core responsibilities and keeping firms compliant without having to take enforcement action. Her stated ambition is for the SRA to be "a modern, proportionate, effective and trusted regulator."

These are welcome words. But each of those four pillars invites scrutiny. Is a regulator operating under a 20-year-old Legal Services Act truly modern? Can an organisation censured twice for failing to protect consumers credibly claim to be effective? And trust - from both the regulated community and the public - will have to be earned through consistent action, not aspiration.

The real test will be in what changes over the coming months. The profession will be watching closely.

Mazur: waiting for the verdict

The Mazur appeal was heard over three days, and having sat through the entire hearing, the strong impression was that the judges were questioning what all the fuss was about. The prevailing sense was that the court viewed the delegation of work from solicitors to non-solicitors as a matter of common sense.

That said, we are still awaiting the judgement, and impressions from the courtroom do not always translate into outcomes. If the appeal is allowed, much of the current uncertainty will dissipate. If Mazur is upheld, the profession faces significant operational disruption.

What firms should be thinking about now is the potential for a Mazur Mark 2 - the same issues arising around rights of audience, conveyancing and probate. These concerns were raised during the appeal hearing itself, and we have already seen a Circuit Judge refuse to grant a highly experienced chartered legal executive an exemption to conduct a family law case. This is not theoretical. It is happening now.

Firms dealing with rights of audience, conveyancing or probate work should be assessing their position and reviewing how work is delegated and supervised.

When the compliance officer IS the problem

A recent SDT case brought into sharp focus what happens when the regulatory safeguards themselves fail. A COLP who was also the COFA practised without authorisation for three and a half years, held £1.3 million in client money, and had not submitted accountant's reports for six years - all while ignoring direct warnings from the SRA.

This case does not exist in isolation. The SRA's own thematic review found that only one COLP in 36 could describe their material obligations. Internal breach reporting rates sit at just 0.65%. Over a three-year period, 1,377 internal reports were made within firms, but only nine reached the SRA. And more than 85% of compliance officers had not submitted a single report to the regulator in three years.

These figures raise serious questions about whether the COLP/COFA model, as currently operating, provides the consumer protection it was designed to deliver.

AI: opportunity and risk in equal measure

The Upper Tribunal has issued a stark warning after a solicitor admitted uploading client documents into ChatGPT. Judge Fiona Lindsley was unequivocal: doing so places information in the public domain, breaches client confidentiality and waives legal privilege. Any regulated lawyer or firm doing this must self-report to their regulator and consult with the ICO.

This is not a theoretical risk. Cases involving AI-generated fictitious case citations continue to emerge. The SRA's latest Lawtech update examines how AI is reshaping recruitment and training. The technology is moving fast, and firms need clear policies, staff training, and robust governance around its use.

The message is straightforward: use AI wisely, but make sure everyone in the firm understands the boundaries.

AML: the pressure is building

OPBAS has warned that some legal and accountancy regulators are not taking sufficiently dissuasive disciplinary measures over AML non-compliance, finding that some are "overly relying on assisted compliance" rather than enforcement. This directly challenges the approach of working with firms rather than holding them to account.

Meanwhile, the FATF has updated its grey list, adding Kuwait and Papua New Guinea to increased monitoring. Firms need to update their firm-wide risk assessments to reflect this change.

On the due diligence front, HM Treasury and DSIT have released new guidance on digital identity verification, aimed at building trust in digital verification services and streamlining CDD processes. Firms can check the reliability of digital ID providers through the DVS Register. However, clarity is still needed on whether this new route constitutes outsourcing or reliance under the Money Laundering Regulations - the distinction matters and the obligations are different.

And the question of accountant's reports is back on the table. The ACCA has backed the SRA's proposal to reintroduce the requirement that all reports - qualified and unqualified - be submitted to the regulator. But it has drawn a firm line against shifting the responsibility for submission from firms to accountants. This is a space to watch.

Conveyancing: multiple moving parts

Conveyancers are dealing with several concurrent developments. The government has held firm on requiring conveyancers to register as tax advisers with HMRC, despite lobbying from the Law Society and the wider profession. Registration opens from May 2026, with a minimum three-month window, and HMRC guidance is expected in the coming weeks.

UK Finance has paused the launch of its new-look lender instructions handbook, just days after dropping the controversial £50 access fee. A revised launch date is expected by the end of June 2026.

Nationwide has become the first lender to allow electronic mortgage deed signing without a witness, using qualified electronic signatures that HM Land Registry has been accepting since August 2025. When one major lender moves, others tend to follow.

And the CLC has launched a review of referral fees, while suggesting that regulating estate agents would better address the underlying concerns. This could well prompt the SRA to follow suit. If referral agreements are examined closely, many are likely to be found wanting - non-compliant clauses, compromised independence, and referral fees dressed up as upfront legal fees are not uncommon.

The SRA's legal battles continue

The Axiom Ince fallout continues, with the firm's insurer launching two sets of proceedings against the SRA, and the regulator filing its own counter-claim. Meanwhile, a solicitor whose tribunal decision over a "without prejudice" email was overturned on appeal has been granted a costs order of £400,000 against the SRA. These costs are ultimately borne by the regulated community through practising fees.

Data Protection: new obligations from June

The ICO has published final guidance on handling data protection complaints under the Data (Use and Access) Act. From 19 June 2026, organisations must have a formal complaints process in place. Complaints must be acknowledged within 30 days - failure to do so will be a statutory breach, not merely a procedural misstep. The ICO will track complaint volumes by organisation, and patterns may trigger regulatory scrutiny.

Most of the remaining DUAA data protection provisions are already in force. ICO governance provisions will follow at a later date.

Cyber security: stay alert

The National Cyber Security Centre has issued a new alert advising UK organisations to remain vigilant to the potential risk of cyber compromise linked to evolving events in the Middle East. Firms should be reviewing their cyber security posture, ensuring staff training is up to date, and checking that incident response plans are in place.

What you should be doing now

The volume of regulatory change is significant, but the key compliance actions are clear:

1. Use AI wisely - and make sure all staff understand the boundaries around confidentiality and privilege.
2. Ensure compliance with AML obligations - the pressure from OPBAS, the LSB and the incoming FCA regime means non-compliance carries increasing risk.
3. Assess your Mazur Mark 2 position - if your firm deals with rights of audience, conveyancing or probate, review how work is delegated.
4. Review property referral agreements - if the CLC is asking for copies, the SRA may not be far behind.
5. Register with HMRC for tax advice - conveyancing firms need to be monitoring the guidance and acting at the appropriate time.