Only One COLP Understood All Their Obligations
The SRA asked COLPs and COFAs to explain their regulatory duties. Out of 36 people:
- Only one could list all five requirements of the COLP and COFA roles
- 78% of COFAs could explain their three obligations (a smaller set)
- 22% couldn’t explain them at all
- One firm had completely forgotten to appoint a COFA after their previous one retired
When 35 out of 36 compliance officers cannot describe the fundamentals of the role they legally hold, it shows this is not an individual problem - it's a structural failure.
The Impact: Risk to Client Protection
The COLP and COFA are supposed to be the front line of client protection in law firms. They safeguard client money, ensure compliance with SRA rules, and oversee serious breach reporting.
But if they don’t understand the rules?
Clients aren’t protected.
Firms are exposed.
And the regulator sees red flags.
It’s no surprise the SRA is increasingly questioning whether some firms should manage client accounts at all.
Record‑Keeping Ignorance: “If It Isn’t Written Down, It Didn’t Happen”
The SRA’s approach is clear:
If it isn’t documented, the regulator assumes it didn’t happen.
Yet the review found:
- 20% of compliance officers couldn’t explain their record‑keeping duties
- Only 59% could give a partial explanation
- Only 50% had read reporting and notification guidance
- Over 80% had not read the SRA’s enforcement strategy
- Only one person understood the difference between notification and reporting
This is critical, because misunderstanding reporting duties is one of the fastest routes to regulatory trouble.
If COLPs don’t know what must be documented, or what must be reported, they simply can’t protect clients or the firm.
Reporting in the Dark: A System Nobody Understands
Perhaps the most worrying part of the SRA’s findings is the lack of understanding around reporting processes:
- Only 25% could describe a defined reporting process
- 44% rely on “professional experience” instead of reading guidance
- Of those relying on experience, none had read the reporting guidance
- Over a 3‑year period, 1,377 internal issues were flagged… but only 9 were reported to the SRA
- 86% of COLPs had not reported anything to the SRA in three years
Does that mean no breaches occurred?
Highly unlikely.
So what’s really happening?
Two possibilities:
- Firms are keeping their heads down - worried about triggering investigations or sanctions.
- Compliance officers don’t know what should be reported - because they haven’t read the rules or guidance.
In reality, it’s probably a combination of both.
The Dangerous Consequences of Under‑Reporting
Under‑reporting breaches has serious implications:
- Vulnerable clients could be harmed without the regulator knowing
- Patterns of misconduct go unnoticed
- Client money risks are hidden
- Firms lose the chance to fix systemic issues early
- The SRA’s trust in the profession erodes
For example, something as simple as residual balances can be a reportable trend.
£20 left on a file may mean nothing to one client, but it could be life‑changing for someone struggling to pay their next energy bill.
When compliance officers don’t recognise these nuances, risk escalates.
When Compliance Is Based on “Hope”, Not Knowledge
Brian closes the episode with a stark summary:
When your frontline compliance officers don’t know what they’re meant to do, you don’t have compliance.
You have hope, dressed up as policy.
Policies mean nothing unless they are understood, actioned, and evidenced.
The knowledge crisis exposes a fundamental truth:
many firms are running on assumptions, not compliance.
What’s Next? Episode 3: The 26% Problem
In the next episode, we explore another major risk factor:
The 26% Problem - Time Poverty in Compliance
Most COLPs spend only 26% of their time on compliance.
The rest disappears into client work, firefighting, and administration.
What does this mean for oversight and regulatory risk?
We’ll break it down in Episode 3.