When a law firm is facing an SRA inspection, the first thing to establish is what the SRA wants to inspect, which is likely to relate to what caused the inspection. This will be the area on which the SRA will focus. Then the firm needs to consider the context, such as its practice areas, whether it operates a client account or just business accounts, anything unusual that it does, any relevant or potentially relevant past history of the firm or any of its employees. If the SRA comes across something else, outside of the reason for the inspection, while doing their work, this may also fall within the inspection. So, it is worth looking out for other potential problems (see box "Case study"). However, the cause of the inspection will be the SRA's main area of interest. Examples of why the SRA might inspect include to investigate a reported breach of the SRA's Accounts Rules, a client complaint or to check the firm’s anti-money laundering (AML) policy and practice (www.sra.org.uk/solicitors/guidance/investigations-on-site/).
Law firms may also be interested in preparing in case they face an SRA inspection at some point in the future. In some respects, this is more difficult to do, as the preparation will be unfocused as it involves checking everything. For this reason, Hunnings Consultancy has developed a compliance stress test that endeavours to cover every possible area of inspection, including the SRA Code of Conduct (the Code), SRA Accounts Rules, SRA Transparency Rules, AML policy and practice, General Data Protection Regulation (2016/679/EU) (GDPR) and information security. The next step is a gap analysis, which involves comparing the firm's actual performance with its desired performance, followed by a report on what needs to be done, with prioritisation.
Responsibility for compliance
The principal responsibility for regulatory requirements in a law firm falls on the shoulders of its compliance officers: the compliance officer for legal practice (COLP), compliance officer for finance and administration (COFA), money laundering compliance officer (MLCO), money laundering reporting officer (MLRO) and the data protection officer (DPO). This responsibility is personal to them. Compliance officers have specific responsibility for ensuring that the firm, its partners and employees comply with the SRA's regulatory requirements. They are also responsible for recording any breaches and reporting these to the SRA, where necessary (paragraphs 9.1 and 9.2, the Code).
However, the owners have ultimate responsibility for how the firm is run and its legal services are delivered. In particular, they must make sure that it complies with all legislative and regulatory requirements (paragraph 8.1, the Code). This means making sure that the firm has all the necessary systems in place in order to achieve that objective.
The owners of a law firm can also exert significant influence over the business of the firm. However, they should not do anything which causes the firm, or anyone in it, to breach their own regulatory obligations (paragraph 2.1(c), the Code).
The SRA holds responsibility for ensuring that law firms comply with AML. The SRA has recently indicated that it expects firms to conduct independent AML reviews in order to independently assess this. Indeed, checking on a firm's AML policy, controls and procedures is one of the main reasons for an SRA inspection. Breach of the AML regulations could be especially onerous for the MLRO and MLCO, as breach of the AML regulations could ultimately lead to imprisonment.
Therefore, the MLRO and MLCO should carry out regular reviews of the firm's AML policies and procedures to ensure that they are up to date. Regular file reviews should also be done to ensure that risk assessments are being implemented.
In addition, firms should not overlook the need for staff training. The MLRO and MLCO need to keep up to date with training so they can carry out their responsibilities. Then they need to train staff on what they expect them to do. This can seem like a huge inconvenience when trying to service client needs and meet targets. However, the firm cannot avoid it and the other partners of the firm need to allow the MLCO the ability and resource to be able to do this properly. They are doing this on behalf of the business and the consequences if not done properly can be serious. Training will, of course, count towards continuing professional development (CPD) (see Know how "The CPD hour is dead: what next?", www.practicallaw.com/1-634-8536). It is best if the MLCO trains the staff, as this will embed their own learning and also deliver the message that management regards this as serious. They will also understand the nuances of the business and the policies, controls and procedures that they have written better than an external trainer.
Other compliance roles
The COFA has principal responsibility for the firm’s compliance with the SRA Accounts Rules. The COLP must be a manager, owner or employee of the firm, and they supervise the COFA and are responsible for the rest of the firm’s compliance with the Code.
Firms may also have a DPO who is responsible for ensuring compliance with the GDPR and Data Protection Act 1998 and is the principal point of contact with the Information Commissioner's Office. It is strange that so many law firms do not currently have a DPO, considering that solicitors handle and process substantial amounts of sensitive client data. There are news articles about data breaches or cyber attacks every week; it is clear why the SRA is looking to ensure that protection against the effects of cyber attack and data breach becomes a mandatory part of the professional indemnity insurance cover. It is possible to outsource the DPO role, so that a law firm can buy in just the hours that it needs. Indeed, there is an argument to say that an external DPO is better, as they can be more impartial and perhaps, therefore, more rigorous.
The COLP, COFA and DPO must keep up to date with their training, which qualifies as CPD. Training of staff and checking implementation through file reviews is important. Law firms should keep records and ensure that they have systems that easily allow staff to record their compliance. There may be things that the firm can do to make it easier for staff to perform and record their compliance, such as establishing clear policies and procedures on conflict checking, AML, identity checks and risk assessments. If compliance is hard to do, then it is less likely that it will be done.
Policies and procedures
The office procedure manual (OPM) is normally where the firm will have all of its policies and procedures, as required by the Code and SRA Accounts Rules. It is usually huge and there is a tendency for it to be a dead document, gathering dust on the shelf. However, it is there for a reason. It needs to reflect what goes on in the business. It needs to be kept up to date and should be a really helpful resource for all staff for when they want to know how the firm does something. It will be helpful for firms to provide a staff manual or handbook that is more focused at the staff level. Obviously, it is based on the OPM, but the OPM has the firm-wide policies, whereas a staff handbook can make this more relevant to the employee and therefore more likely to be followed. The OPM is likely to be one of the first things that the SRA will want to inspect.
The SRA is much more concerned about how a law firm manages its client account than its office or business account. It is problems relating to protecting client money that lead to most SRA interventions. If a firm keeps on top of this, it is likely to avoid the SRA’s most punitive measures. Firms need to carry out regular monthly reconciliations of both client and office accounts, and run reports on residual client account balances, aged WIP, aged debt, inactivity, cashflow and reserves. If the firm does not have the resource internally to oversee this adequately then this can be outsourced to a specialist, who can be the additional eyes and ears for the compliance officers.
Case study
Recently, a law firm contacted Hunnings Consultancy, just a week before it was due to undergo an inspection by the Solicitors Regulation Authority (SRA). Obviously, there was great urgency. The firm was unprepared and indeed, as it turned out, it was quite appropriate for the SRA to want to take a closer look at it. Within the week, Hunnings Consultancy:
* Carried out a compliance review.
* Sorted out any breaches of the SRA Transparency Rules on the firm's website.
* Completed a risk assessment across the entire firm.
* Produced breaches registers, and completed these.
* Delivered a customised, up-to-date office procedures manual.
* Organised anti-money laundering training.
* Checked the firm's accounts and brought the client accounts up to date.
* Briefed the firm's partners and employees ahead of the meeting with the SRA.
“This article first appeared in the December 2021 issue of PLC Magazine”
Here is a link: http://uk.practicallaw.com/resources/uk-publications/plc-magazine.