The requirement for all law firms to have compliance officers responsible for Legal Practice (COLP) and Finance and Administration (COFA) has been in place for almost seven years.
The COLP and COFA should be champions of risk management and compliance within a firm and will have ultimate responsibility for the firm’s systems and controls. The role of both is not just a title and being declared as ‘fit and proper’ by the Solicitors’ Regulatory Authority – it is a responsibility that should not be taken lightly.
The interaction, clarity on shared responsibilities and communications with the wider firm are all critical in ensuring these roles are effective and live up to what they are designed to be and achieve.
In this series of insights, Helen Clayton outlines the key responsibilities of COFAs to help firms focus on their strategy of ensuring full compliance.
The COFA is the focal point of identifying risk within a firm. Solicitors must acknowledge, however, that this does not remove any responsibility for compliance away from others in the firm. The SRA’s aim of creating the role of the COFA was to build a firm-wide culture of compliance and to build on the theme of an outcome-focused regulation.
Should the COFA of a firm be an employee, it is still recommended that the individual should seek an indemnity from the firm. Further, the reporting lines should be clear and the COFA should have a second reporting line should the main one not be appropriate.
We have seen and indeed continue to see increasing levels of compliance by law firms registered in England and Wales.
In my view, the role of the COFA is to ensure that their firm is compliant whilst balancing practical matters with risk. Systems and processes to mitigate risks must be relevant, work and be understood otherwise human behaviour will negate their impact.
Firms and individuals will have differing attitudes to risk. Firmwide risk will vary from firm to firm dependent on various factors including services provided, client base, internal attitudes to quality, transparency, client service and people development.
Risks may change in severity depending on variables, some of which may be out of the firm’s control. Risks should be revisited on a regular basis and be incorporated into strategic and operational business plans.
Automation is on the increase in many finance teams, resulting in efficiencies such as time and cost savings with the aim of enhanced financial reporting.
With automation and increased use of IT comes different risks. Cyber-attacks are rife and continue to grow in complexity. Attention to detail, systems and controls, roles and responsibilities and security is therefore vital to ensure that these types of risks are minimised.
All firms should have a cyber security policy in place, which is tested on a regular basis. All firms should also have appropriate insurance in place. The number of successful cyber-attacks on client bank accounts is shocking.
There are several responsibilities linked to SRA Accounts Rules including file reviews, review and sign off on bank reconciliations and maintaining a breach register. All material breaches must be reported to the SRA.
I wonder whether these responsibilities are still carried out by all COFAs with as much vigour as when the role was first developed.
Reviews of files can give rise to several areas for improvement in a firm. These may be process, team training and development, client service and communication – not all linked to the Accounts Rules, many linked to brand and reputation and claims records.
Review of bank reconciliations (provided the reconciliations are understood and reviewed in detail) could give rise to the identification of previous breaches of the rules, areas for process improvement and potential areas for cashier and finance team training and development.
In my opinion, neither of these areas should be overlooked. It’s not just about box ticking to evidence the exercise having been completed; this is about ensuring the firm is more than compliant.
In my experience, breaches registers are maintained in various ways.
Given the period since these were first formally introduced, I strongly recommend that these be revisited, ensuring that they:
– capture all the necessary and relevant information
– are understood by cashiers and finance teams as to their use and benefit
– can be used to further benefit the firm and mitigate risk.
If a breaches register is used purely as data capture, it is doubtful the necessary attention is paid to it and further, that it is not used to make improvements.
If a breaches register is designed to name and shame, it is doubtful that breaches will be recorded in a timely manner, accurately or indeed at all. Material breaches or systematic breaches will not be identified and could lead to a serious issue, perhaps a loss of client money.
At the heart of minimising risk to a firm is the training and education of all employees within a law firm.
I have talked before about this being all employees, irrelevant of whether they are a fee earner, responsible for the post or client facing on reception. Everyone could be client facing, deal with client matters direct or indirectly and the opportunity to influence a financial transaction.
Is annual training enough? Does it cover the same as last year?
Training must be relevant, interactive and give people the opportunity to identify risks, gaps in controls and recommend practical improvements. Educating everyone as to the nature of the business, the relevance of their role and their part they must play in all of this is critical.
Client complaints are also a great source of ensuring improvements in service, quality and ability to revisit risks and controls in place to mitigate those risks.
To summarise
No one should underestimate the role and responsibility of the COFA.
Solicitors should never have the belief that compliance is the sole responsibility of the COFA.
Balancing risk with compliance and practicalities will be key.
Ensuring file reviews and reviews of bank reconciliations are effective and understood is vital.
Maintaining a breaches register can prove to be a successful developmental tool in quality, mitigating risk and people engagement.
Regular training and education are vital.
