If you joined our free AML workshop in November, you will already know Amelia Price.
If not, here is the short version. Harbour Gate Legal LLP is a fictional regional firm we use as a case study. It is a typical mixed practice regional firm: residential conveyancing, wills and probate, family, commercial property, corporate and some litigation.
Amelia is an equity partner in private client. She is already MLRO/MLCO. And, as of our latest webinar this week, she has just agreed to become COLP and COFA as well.
In other words, Amelia is now the person who will be asked to carry the can if something goes wrong.
This article is a write-up of this week’s free session. It is aimed at the real-world Amelias: partners, finance leads and compliance officers who have found themselves wearing several regulatory hats, often on top of a full fee-earning role.
If you would like to receive invitations to future sessions like this, please join our mailing list at jonathonbray.com.
Why the COLP/COFA role feels different now
The starting point in the webinar was a simple question: if Amelia were a real partner in a real firm in 2025, what would we tell her to do in her first year?
The answer today is different to what it would have been five or ten years ago.
Once upon a time, COLPs and COFAs were often described as merely conduits between the firm and the SRA. Their job was to ensure compliance and pass information on; they were not supposed to be the lightning rod for personal blame. The SRA used to reassure us that compliance officers are not “sacrificial lambs”.
That story has never given any legal protection. Recent enforcement has brought this into sharp focus. In a case involving Kennedys, a COLP faced personal proceedings in relation to property matters in which he had never had conduct. His alleged failing was that he did not do enough when concerns were escalated to him.
The case was ultimately dismissed. The tribunal accepted that he had made reasonable enquiries, spoken to the partner with conduct and relied appropriately on his compliance team. There was an audible sigh of relief from compliance officers across the profession. A different outcome would have made the role almost unworkable.
The lesson for Amelia is two-fold. Firstly, personal liability is real. If something significant goes wrong, the COLP and COFA will be scrutinised. Their own reputation is on the line, not just the firm’s.
But secondly, they are entitled to rely on others, provided that reliance is itself sensible, documented and, frankly, defensible.
So before Amelia dives into policies and audits, she needs to get clear on her mandate.
Step 1: get clear on your mandate and protection
The first piece of advice to our fictional friend Amelia, and to any new COLP/COFA, is to look after yourself.
That means sitting down with the board and answering some basic but important questions.
Who do you report to, really?
On paper the COLP and COFA are appointed by the firm and approved by the SRA. In practice, they sit somewhere between the board (or partnership) and the SRA. Amelia needs clarity on who she is accountable to day-to-day; how she accesses the board when she needs decisions; and whether she has “access all areas” and the authority to say no when something is too risky.
What exactly is the job?
Many firms hand over the COLP/COFA titles as a rite of passage into partnership, without a serious discussion about scope.
Amelia should insist on a written role description that covers:
- Mandate and scope i.e. what sits clearly within COLP/COFA/MLRO/MLCO, and what does not
- Authority i.e. what she can stop, change or require without having to fight for it every time
- Budget and support, including deputies and access to external advice
How are you personally protected?
If Amelia is being asked to take personal responsibility, it is entirely reasonable for her to ask how she is personally protected. That conversation should include an indemnity from the firm if she is drawn into proceedings purely because of her role; clarity on how far the firm’s insurance would respond to regulatory action involving her personally; and an agreed right to independent legal advice if she is directly in the firing line.
This is part and parcel of the board taking the COLP and COFA roles seriously.
The first 90 days: build an honest risk picture
Once Amelia knows what her role is and how she is protected, the next step is to work out where the firm really is.
The webinar panel was unanimous that it was unrealistic to try fixing everything in month one. Start with a structured fact-find. The aim is to get a truthful picture of Harbour Gate’s risk landscape, controls already in place and whether they actually work.
A sensible first 90 days might include a gap analysis, mapping firm-level risks to policies and procedures. This goes beyond the firm-wide risk assessment (FWRA) she would have completed as MLRO – a gap analysis shines a light on all other areas of the firm’s risk picture including financial, data protection, ethics, SRA rules, marketing and so on.
She should be asking whether the firm’s current policies and procedures genuinely reflect Harbour Gate as a whole practice. Are they up to date with current SRA expectations, guidance and practice notes? Are they accessible and practical, or buried in a 200-page manual no one reads? Are there obvious workarounds in departments that contradict the written templates, workflows and policies?
The question is not “is the policy perfect?” but “does it describe what actually happens on the ground – and if not, why not?”
SRA Accounts Rules: reconciliations and payment controls
For the COFA side of Amelia’s role, client money is the obvious starting point.
Key questions include whether reconciliations are done on time and properly reviewed; whether the same issues crop up month after month without being resolved; and what checks are in place to authorise payments.
A breaches register is only useful if it is used to fix problems. Seeing the same reconciliation exception every month is more than a technical frustration; it is a red flag about the control environment.
Complaints, claims and near misses
Complaints and insurance claims tell their own story. Patterns here often point to more fundamental issues such as poor scope setting, weak supervision, lack of capacity or unmanaged conflicts.
In her first 90 days, Amelia should look at what clients have complained about; check how quickly complaints are acknowledged and resolved; and see whether lessons are captured and shared, or simply filed and forgotten.
Relationships and single points of failure
Amelia also needs to understand who actually makes the firm work.
In many firms there is a single head cashier who “just sorts it”. That person is worth their weight in gold, but also a single point of failure. Amelia should ask: if that individual were off long-term, could we still run the finance function safely?
The same applies to her own role. With COLP, COFA, MLRO and MLCO all on her business card, Amelia herself is a single point of failure. Identifying and training deputies is an early, practical step that makes the whole framework more resilient.
On the horizon: client money and consumer protection
Client money was one of the deepest technical sections of the webinar, and it is where much of the SRA and Legal Services Board activity has been concentrated in the wake of Axiom Ince.
There is a live policy debate about whether firms should hold client money at all, whether third-party managed accounts should become the default, and how the Compensation Fund should be structured.
That debate could potentially run for years – it is not part of the SRA’s latest consumer protection consultation. The near-term changes coming out of the consultation are likely to be around tightening up the reporting accountant regime, and removing compliance officer roles from people who otherwise “unilaterally” control firms.
In the meantime, nothing changes the basic duties of firms that do hold client funds.
For Amelia as COFA, four themes stand out.
1. Payment authorisation
Higher-value payments should always be subject to dual authorisation. The payee’s details must be checked against the file, rather than simply copied from an email. Where funds are going to third parties, such as family members or corporate recipients, they should be identified and properly onboarded well before completion, not discovered at the last minute.
2. Reconciliations
Reconciliations must be completed on time and properly reviewed. In order to do that, Amelia needs to know how to interpret and interrogate reconciliation statements. Any shortages should be made good promptly from office money while the underlying cause is investigated. Where reconciliation issues keep recurring, they should be escalated and treated as a systemic risk, not tolerated as background noise.
3. Residual balances
Residual balances are a particular focus for the SRA and a classic symptom of poor file closure hygiene. Harbour Gate should be aiming for a “no file closed with a residual balance” rule, save for genuinely exceptional cases. There should be regular aged ledger reports, with clear responsibility allocated for chasing and clearing old balances. Where clients cannot be traced and only small dormant amounts remain, the firm should make sensible use of the SRA’s guidance on dealing with these sums.
4. Interest and incentives
Finally, Amelia should look at the firm’s interest policy and practice. Clients should be treated fairly; the firm should not be seen to gain by holding onto funds unnecessarily.
AML and sanctions: what has not changed
Whatever happens with the proposal to move AML supervision to the FCA, the core expectations will not change. Firms still need a firm-wide risk assessment that genuinely reflects what they do and who they act for. Their policies, controls and procedures should flow logically from that FWRA and be implemented in day-to-day practice. Source of funds and source of wealth checks must go beyond simply asking the client and writing down their answer. And firms need a clear sanctions risk assessment with workable screening processes, extending to counterparties where the risk justifies it.
One nuance we highlighted in the webinar was sanctions via counterparties. Harbour Gate can choose its own clients; it cannot choose who sits on the other side of the deal. Conveyancing, commercial property and corporate work will often bring exposure to counterparties and ultimate owners the firm never meets.
Amelia does not need to build an entire parallel KYC process for every counterparty. But she does need to think carefully about where the firm has heightened exposure, and what reasonable, proportionate checks look like in those cases.
Complaints, competence and culture
The SRA’s work on first-tier complaints and competence is another important strand in Amelia’s regulatory horizon.
A tighter definition of “complaint”, more prominent signposting at the end of matters and a greater focus on firm-level handling are all likely to drive recorded complaint numbers up, particularly in high-volume areas such as conveyancing and family.
For Amelia, the key message is that closure letters, website wording and internal checklists need to be updated so that complaints information is given consistently. The firm should set and monitor clear service standards for handling complaints, covering acknowledgement, response and follow-up, and treat complaints and near misses as risk intelligence, feeding what is learned back into training, supervision and process improvement.
Most complaints are symptoms, not causes. They tend to point back to poor scoping, weak supervision, inconsistent communication or mismanaged expectations. That is where the COLP’s attention should be.
Business models, Axiom Ince, SSB and M&A
The webinar panel also touched on the wider question of business models.
Axiom Ince and SSB are extreme examples of what can happen when aggressive growth, high-volume work and complex funding structures are not matched with robust governance and risk management.
Many firms, like Harbour Gate, are more traditional regional practices. But even there, questions about mergers, acquisitions and new service lines crop up regularly.
Amelia’s unique value to Harbour Gate’s board is the question she brings into those conversations:
“What does this do to our risk profile?”
That question needs to be asked at the outset of any strategic change, not after the deal is done.
Horizon scanning: FCA, AI and changes at the SRA
Towards the end of the webinar we looked at what Amelia might legitimately list as “emerging issues” in her annual COLP/COFA report.
Three stood out.
FCA as AML supervisor
The possible move of AML supervision to the FCA will not be immediate. It is one to watch rather than panic about. The practical response for firms is to double down on the basics: a risk-based AML framework that is properly documented and implemented.
AI in legal practice
If Harbour Gate is experimenting with AI tools, those tools need to be part of the compliance conversation. Amelia’s job is not to ban technology, but to ask some basic questions: where are we already using AI, what client or firm data is being fed into these systems, what controls exist around confidentiality, security and quality assurance, and how is AI-assisted work supervised and sense-checked?
SRA leadership and enforcement tone
Changes at the top of the SRA, combined with political and media pressure following high-profile failures, may well lead to shifts in priorities and enforcement tone.
Amelia cannot control this. What she can do is keep an eye on consultations, thematic reviews and enforcement cases, and use them as signals of what “really matters” to the regulator at any given time.
Classic COFA pitfalls: banking facility and lender/borrower examples
The Q&A session homed in on some classic COFA issues that are worth repeating.
Client account as a banking facility
The rule here remains simple in theory: payments through client account must be directly linked to the legal service you are providing.
Using client account as a convenient way to move money for the client (school fees, buying a car, personal transfers) is strictly off-limits. The funds should go back to the client; they can then make their own payments.
It can of course get trickier when talking about corporate and commercial work – this is an area Amelia might need to flag as being one for future external support.
Acting for borrower and non-institutional lender
Another scenario raised was acting where both the borrower and a non-institutional lender are involved, where the terms are not really negotiated. The panel’s view was that it may be possible to act for both, but only on a very tightly controlled, execution-only basis. The scope wording needs to be crystal clear about what you are, and are not, doing for each party. As soon as any negotiation begins, or it becomes apparent that one party is at a disadvantage, independent advice will usually be required. This is not just a conflicts issue; it also carries significant reputational and complaints risk for the firm.
Final thoughts
Harbour Gate and Amelia are fictional, but the pressures they highlight are very real.
The wider regulatory environment has become more demanding. The personal expectations on COLPs and COFAs have increased. Enforcement is more willing than ever to look at individuals, not just firms.
The good news is that the fundamentals are still manageable. With a clear mandate, a structured plan and proper support, you can move your firm steadily from red to amber to green.
If you would like to explore any of these themes in more detail, or sense-check your own first-year plan as COLP or COFA, we are always happy to have a conversation.


