This post was originally written in 2017 and has been updated in light of the newer SRA Standards and Regulations and guidance.
Every firm will have a minor SRA breach every now and then, be it correspondence sent to the wrong address, payments allocated to the wrong accounts, or failing to notify clients of the name and status of supervisor in a client care letter.
Some of these breaches will be trivial, others immediately rectified. Breaches that are not serious can remain in-house. Although no longer a strict requirement, the COLP should keep a record of these minor compliance failures.
The reporting trigger
However, if a breach of the SRA Standards and Regulations, either taken on its own or as part of a pattern, is “serious”, then it must be reported to the SRA “promptly”.
It does of course make sense for the COLP and COFA to be the ultimate decision makers on whether a breach is reportable. And this is reflected in the Codes of Conduct, which place the reporting duty on all regulated people, with the carve out that a report to the COLP or COFA will discharge that responsibility if there is a belief that the Compliance Officer will subsequently make the necessary report.
Ultimately, the decision whether to report is a matter of professional judgement.
This doesn’t come without its issues. There is a natural temptation to avoid the regulator (and the wrath of business partners), and therefore err on the side of “not reportable”. This tends to result in only the very serious issues being reported, whilst everything else is rationalised away as being not serious.
That could be a costly mistake. The SRA will come down much harder on firms and individuals if they feel that information has been withheld. In fact, the SRA says solicitors should err on the side of reporting.
So, when is a breach a “serious” and reportable breach?
This is a common dilemma for COLPs and COFAs. It’s one of the most frequent questions we get asked. You would hope that the SRA would give some clear guidance.
Unfortunately, they have so far refused to set out any clear parameters. The Guidance on ‘Reporting and notification obligations’ refuses to be drawn on the question of “seriousness”. (Although it is a good resource for listing all of the reporting and notification criteria contained in the SRA rulebook.)
The separate Enforcement Strategy, which sits outside of the rulebook, gives a few hints about aggravating factors in cases that come to their attention. Of note:
- The nature of the allegation – for example, allegations of dishonesty will always be more serious than technical breaches. Convictions will always be investigated, so need to be reported.
- Intent/motivation – “We will distinguish between people who are trying to do the right thing and those who are not”.
- Harm and impact – the SRA will look at the extent and level of harm, as well as the “harm that could reasonably have been anticipated”.
- Vulnerability – breaches leading to the harm of a vulnerable person are likely to be viewed as more serious.
- Role, experience and seniority – a newly-qualified solicitor, for example, is likely to be given slightly more leeway than more experienced people.
- Regulatory history and patterns of behaviour – “previous” with the regulator is likely to aggravate the level of seriousness.
Buried in the guidance notes of the old 2011 Authorisation Rules, there was this useful steer:
“In considering whether a failure is “material”, the COLP or COFA, as appropriate, will need to take account of various factors, such as:
(a) the detriment, or risk of detriment, to clients;
(b) the extent of any risk of loss of confidence in the firm or in the provision of legal services;
(c) the scale of the issue;
(d) the overall impact on the firm, its clients and third parties.”
We still consider this to be one of the most useful ways to approach decision making and have incorporated into our decision matrix template (below).
Don’t forget the expanded SRA breach reporting obligation (since 2019)
In 2019 the SRA added a very significant new reporting duty:
“you inform the SRA promptly of any facts or matters that you reasonably believe should be brought to its attention in order that it may investigate whether a serious breach of its regulatory arrangements has occurred or otherwise exercise its regulatory powers.”
The word “should” creates yet another level of subjectivity. It is saying that even if you are not entirely sure that a breach has occurred, you must report to the SRA if it has the potential to be a big issue.
This significantly lowers the bar for reporting to the SRA and has the potential to catch COLPs and COFAs out. It means that in some cases, the trigger for reporting occurs before your investigations are complete.
“But that still doesn’t give me a straight answer!”
Yes, and that’s kind of the point. They want you to use professional judgement. Which, depending on your point of view, is either a regulatory fudge or an essential feature of principles-based regulation.
Ask yourself, “if I don’t report this, would it keep me awake at night? Can I defend my decision?”.
The answer to those questions are more often than not a pretty good measure of seriousness.
If you are still umming and ahhing over your decision, that is also a telling indication. It suggests that the breach is at least close to the reporting threshold and you might be trying to convince yourself otherwise.
Still not sure? Ask an objective outsider. We are often used as a sounding board through our compliance helpdesk.
Your local Law Society may have a compliance networking group (if not, set one up!). Run it past your Lexcel consultant, or just a friendly face.
Although the Professional Ethics department of the SRA has a habit of giving wishy washy answers to compliance queries (not their fault, this is the nature of the system of regulation), it is worth asking the question. It also has the added benefit that if the SRA ever question why you considered a breach to be serious or not, you can point them towards their own advice.
But ultimately, whether a breach is reportable or not is a personal responsibility. Every situation is dependent upon its facts. If you decide not to report, don’t forget to record your reasoning. Part of your regulatory duties under the SRA Standards and Regulations is to be able to show your workings.
A framework for making an SRA breach reporting decision
With that in mind, we have put together a simple decision matrix to help you decide whether a breach is reportable or simply one to record in your breach register.