COLPs and COFAs are under a duty to keep a record of all compliance failures and to report breaches to the SRA as required. In the case of “material” (i.e. serious) breaches, as a rule of thumb this needs to happen within 24 hours. Less serious breaches have to be recorded, with those records made available on request.
For ABSs, there is an additional requirement to report all non-material breaches annually.
To complicate things slightly, a pattern of minor breaches can become a material breach, which is clearly a matter for the Compliance Officer’s judgement. Let’s say the accounts cashier makes a minor bookkeeping error. On its own, there is probably no issue or detriment to clients. If it keeps on happening, however, we might be looking at competence issues, or even risks to the protection of client money, which may tip over into “material” territory.
The real problem that COLPs and COFAs are wrestling with is recognising when a compliance failure is material, and therefore triggering the immediate reporting duty. The SRA has not offered a definition of “material”. Some would say this is unhelpful; others would argue this approach is entirely consistent with OFR and the regulator’s delegation of risk management to firms.
There is some very general guidance in the Authorisation Rules. When considering whether a breach is material, the COLP or COFA should take into account:
- the detriment or risk of detriment to clients
- the scale of the issue
- the overall impact on the firm, its clients and third parties
- the extent of any risk of loss of confidence in the firm or provision of legal services generally
Our view is that compliance failures will fall into one of three categories:
- Clearly material (e.g. loss of a laptop containing confidential client information; repeated failure to notify clients of a referral fee or commission; knowingly acting in an own conflict situation)
- Clearly not material (e.g. a one-off failure to send a terms of business letter; an accidental bookkeeping error which is rectified)
- Borderline, or everything in between (e.g. a negligence claim; an email incorrectly sent to a third party)
In these borderline cases, the decision will ultimately lie with the COLP/COFA as to whether or not the failure is material, which is where professional judgement and experience come into play. There are unlikely to be any easy answers, and clearly every breach will turn on its own facts. Two occurrences of the same breach might have different consequences for clients, making one material and the other not.
The SRA encourages firms to interact with them so that these issues can be thrashed out, but COLPs and COFAs are understandably concerned that unnecessarily alerting the regulator could put the firm on their radar. On the other hand, the Compliance Officer who under-reports could face some rather uncomfortable conversations with the SRA.
Our view is that you should take internal and/or external advice and support wherever you can, and at the same time resist internal pressure to hold back on your reporting duty. On balance it will generally be safer to err on the side of caution and make a report to the SRA in most borderline cases. You cannot be criticised for over-reporting. If a report is made, the COLP or COFA should ensure that steps are taken to (a) remedy the breach as much as possible, and (b) ensure that the situation is unlikely to happen again e.g. through policies, supervision, training and monitoring.