
By Sophie Cisler

When the COLP and COFA regime was introduced in 2011, questions were raised about how much personal liability such individuals would bear.

The SRA at the time was quick to reassure the profession, stating that compliance officers would not be “sacrificial lambs”. Over the intervening years, it was popular to refer to compliance officers as the conduit between the firm and the SRA; of course, it is the COLP and COFA who are concerned with ensuring that the relevant SRA Standards and Regulations are embedded and practised throughout the firm and the staff.

Turning tides?

But has this changed? Compliance officers sat up straighter following the SRA conference in November 2023, when Paul Philip talked about the managers of firms needing to take responsibility for “self-regulation” when wrongdoing has been found. The implication was that, even if the wrongdoing is confined to an individual “bad actor”, the SRA will look carefully at the structures in place which allowed this to happen. 

Now, COLPs and COFAs are not immune to regulatory action: they are not paragons of virtue simply by holding the office. But generally, where we have seen COLPs and COFAs personally prosecuted and sanctioned, they have been intrinsically involved in the wrongdoing. For example, Aman Mahroof was fined last year for multiple accounts rules failings. He was both COLP and COFA, as well as being a director of the firm. It was his actions (or rather inactions) that directly caused the breaches.

However, January saw the SDT considering the SRA’s referral of Andrew Coates, a COLP at a City firm. The charges against Mr Coates were linked to a prosecution against another fee-earner in the firm, who was fined for AML failings relating to a property investment scheme.

The SRA’s case was that the COLP failed to consider adequately the concerns about the matter. He had been made aware of certain, limited, red flags, but had relied on the conducting fee-earner (himself a senior member of staff) reassuring him that everything was satisfactory. The SRA felt, however, that the COLP should have looked at the matter more closely at this initial juncture and should have reviewed the file. That he did not meant that they felt he bore some complicity in the ultimate breaches.

But can this really be right? The fact that the SDT rejected the SRA’s case suggests not, in the circumstances; however, it should give compliance officers pause.

It is the daily lot of a compliance officer to be presented with the merest glimmer of a concern or problem, upon which they dispense – initially – general advice. Most will then leave it to the referring fee earner to take the necessary action and come back if necessary or, if they follow it up and are assured everything is in hand, to rely on that. Was the SRA trying to say, with the Coates case, that every referral may need to be followed up in great detail, with files reviewed at the very least?

And what implication does this have for a COLP who is not a specialist in that area of law? Indeed, this particular COLP had a background in regulatory and professional indemnity work; he was not a property lawyer. Even if he had reviewed the file, it seems entirely reasonable that he would have relied on the expert assurances of his specialist colleague. 

Practical Steps

Although the SDT threw out the case against Mr Coates, this case – as well as the overall shift in focus from the SRA – should make compliance officers think rather more carefully about the burden of the role they are taking on. 

The long-established caveats apply: only take on a role if you fully understand it and are confident that you have the support of the firm’s management. This is fundamental for COLPs and COFAs, as they need to be sure they will have access to the necessary information to allow them to do their job (for example, personnel files or granular financial records). COLPs and COFAs should also be clear to other members of the senior management team that they are independent, notably in deciding whether or not something needs to be reported to the SRA.

Easy to say perhaps. Many people will have started a job to find that various assurances or promises given at interview don’t quite pan out in reality. Confidence will no doubt be easier to come by if you’re already an established member of the firm but even then it could be easy to feel shoehorned into the role: the stick to the carrot of promotion. Nevertheless, it is absolutely essential, both to fulfilling the role successfully and indeed protecting yourself and your reputation. If it feels like you are wading through treacle trying to get access to the information you need, this may not be the right environment for you.

Make it clear at interview and acceptance (perhaps including it in your contract or the job description) that you will require things like access to information, a seat at the table of management meetings (if you are not formally a member of the senior management team) and the independence to discharge your responsibilities. You could also specifically agree provision for training (for you, to understand your role) or for external consultancy support. These will ensure you have a framework to rely upon as needed.

Indemnity

There are also some more concrete things you can put in place when you agree to accept such responsibility. One is an indemnity agreement, which requires your firm to indemnify you against any action which could be taken against you in your role. Some agreements also provide for compliance officers to be able to take independent legal advice, which the firm will cover. As ever though, such indemnities may not be infallible. You should consider the position if you leave the firm or, even if the indemnity continues following your departure (sensible, given the glacial pace of SRA investigations), what would happen if, for example, your firm merges or closes. You can agree a provision to bind a successor practice within the indemnity, but if there is no successor practice, the indemnity is unlikely to be of much assistance.

Insurance

A second option is insurance specifically for compliance officers to cover matters arising in the course of their duties. Now, in 2013, the SRA took the decision to remove regulatory costs coverage (i.e. costs in the event of an SRA investigation) from the Minimum Terms of the Professional Indemnity Insurance wording. One might question whether the SRA anticipated the impact of this – that, without costs being insurable, firms and individuals might be quicker to agree to regulatory settlements (but this is a musing for another day).

Marc Rowson, Partner at insurance broker Lockton Companies LLP, comments that there are two potential insurance products available, albeit one is not offered regularly and the other comes with an important warning.

According to Marc, the first and most popular route is via a management liability (D&O) policy. The policy will provide coverage for costs in the event of an investigation; however, there is an important standard exclusion within these policies: the professional service exclusion. A standard professional service exclusion will typically exclude coverage for any claims “based upon, arising from, in consequence of, or in any way directly or indirectly related to the rendering or failure to render professional services”. There is, therefore, a potential for a coverage dispute if any investigation into a compliance officer aligns with any legal work they undertake. Firms who obtain such a product should specifically name the individuals to whom the insurance applies, again to avoid any dispute.

The second option is via a regulatory costs extension. However, such extensions are very limited, with only 5% of insurers offering them. These extensions provide a sub-limit (typically between £100k and £500k) that covers the entity and individual in the event of a regulatory investigation, so covering a compliance officer. However, the fact that these are not widely available means they are not really all that helpful, especially as firms may shop around for PI insurers year on year to get the best price overall.

Conclusion

Compliance officers are the lynchpin of a culture and practice of compliance within a firm; they are the practical embodiment of the SRA Standards and Regulations. Arguably, the regulator therefore should have a vested interest in making their jobs, if not easier, then at least not terrifying. However, as recent years have seen the SRA enact a more punitive regime in general, the weight on compliance officers is increasing. Whilst the Coates prosecution was dismissed by the SDT, it is uncomfortable to think that the SRA might try again to make a compliance officer personally responsible for a matter where the misconduct was squarely someone else’s. 

And yet, compliance officers are a crucial part of the regulatory system. Firms – and the SRA – would be lost without them. This article is not to put people off from shouldering these roles but to ensure that, if you are one or considering becoming one, you have your eyes wide open to the potential ramifications, and – vitally – how you can protect yourself.
