The SRA’s recent thematic review of compliance officers is one of those documents that looks modest on the page but has significant importance in practice. If your firm has ever treated COLP/COFA as a title only, rather than a fundamental governance capability to be built and maintained, this is aimed squarely at you.
A quick caveat before we get into the detail: the evidence base is smaller than you might expect for something this significant. The SRA visited 25 firms and spoke to 36 individuals. A modest review can still produce valuable insights (especially when the themes are consistent), but it is a surprisingly small sample for a piece of work that effectively sets expectations for thousands of firms and tens of thousands of regulated individuals. It’s certainly not a statistically robust indictment of the whole market, but it should perhaps prompt the SRA to look into the common themes in more depth.
Here are twelve findings I thought were interesting:
- Appointments are often “default” – The review reinforces what many people recognise privately: in lots of firms, the role lands with whoever is most senior, most available, or least able to refuse. Why is this bad? Well, because a reluctant, accidental compliance officer rarely has the mandate, bandwidth or energy to do the job justice or drive improvements. Sometimes the best compliance officer candidate is not the most obvious.
- The role is undervalued – Only 44% of compliance officers felt the role was acknowledged and/or valued by their firm. If you want someone to carry personal responsibility, but you treat their work as invisible, you create a predictable situation where compliance becomes purely reactive, rather than a proper function of governance and risk management.
- Low turnover isn’t always good – Many compliance officers have been in post for a long time (a large group since the roles were introduced). Yes, stability can be positive. But it can also mask a succession risk: when a long-standing COLP or COFA steps down, firms can quickly discover there is a massive knowledge gap. That’s why we always encourage firms to think about appointing deputies.
- Bandwidth is a problem – Firms often appoint senior people to the roles, but then expect the work involved to fit around everything else. Many compliance officers reported lack of time and resources as the main challenge, and on average they spent only around a quarter of their time on compliance tasks. For a compliance officer to be effective, the firm has to understand the role is more than a title. You actually have to do stuff.
- COFAs generally have a clearer grip on their role than COLPs – One of the most eye-catching findings was that COFAs could usually outline their requirements, but only one COLP interviewed could describe the material requirements of the COLP role. That should make firms pause.
- Reporting and record-keeping is a weakness – A fifth of compliance officers could not explain their record-keeping obligations. Only around half had read the SRA’s reporting and notification guidance, and only one person could explain the difference between a “notification” (must notify) and a “report” (exercise judgement). This is the fundamental mechanics of your relationship with the regulator.
- Too many firms don’t have a defined escalation process – Only around a quarter could describe a defined process for reporting. Many relied on informal routes: a chat, a gut check, an external adviser, a call to Professional Ethics. Those can all be sensible inputs. But reading between the lines, the review expected to see a proper breach log, an escalation route, and a decision record. These are sensible risk controls.
- Training is lacking – The SRA expects continuing competence to be demonstrable. Yet a meaningful minority had no learning and development records, and fewer than half could show role-related training in the past year. (Yes, we’ve got some training resources for that).
- People aren’t using free support and information – A striking theme: a lot of compliance officers weren’t engaging with the SRA’s free resources (conference, webinars/YouTube, Professional Ethics). Whatever you think of the SRA’s materials, there’s a straightforward point here: if your compliance officer isn’t routinely consuming regulatory updates, how are they keeping themselves current?
- External advisers are not a substitute for personal judgement – Many compliance officers seek help from external compliance providers (hi!). That can be entirely sensible. But the review implicitly pushes back on “outsourcing judgement”. You can buy support; you can’t outsource accountability.
- The COLP/COFA relationship can be a genuine strength – Where COLP and COFA are separate individuals and actually work in tandem, firms are better placed to spot risks that sit in the overlap between conduct, client money, and operational control.
- This review is part of a bigger project – The SRA explicitly frames this work as feeding into its broader consumer protection agenda. Read that as an ongoing interest in governance and risk controls. If your approach to COLP/COFA is informal or under-resourced, you’re going to feel increasing friction.
We’re running a free live webinar on this topic on 25 February at 12pm. Register here to take part.
One final thought. The review isn’t saying that compliance officers are routinely failing. It’s highlighting that some firms are still treating the compliance officer role as a badge or a title rather than a fundamental part of the risk and compliance machine. That’s not to say that your COLP and COFA are the firm’s one-person compliance department – they absolutely are not. Compliance officers are the people who should be able to design the whole machine, spot where things aren’t working, and pull the right levers early. That only works if the firm gives them time, authority, resources, and a culture where embracing risk and compliance is seen as more than just “fee burning”.


