Compliance officers: A thematic review

What we did

Our thematic review looked at how firms and compliance officers approached their roles and responsibilities, including:

• how and when firms choose their compliance officers, including the criteria and qualifications that guide these decisions
• whether compliance officers understand and are meeting their regulatory obligations
• how compliance officers stay up-to-date and competent in their roles, including ongoing training and professional development
• the effectiveness of the systems, controls, and processes in place to support compliance and how compliance officers oversee and manage these structures
• the perceived risks and challenges identified by compliance officers.

We visited 25 firms and spoke with 36 individual compliance officers. These included compliance officers for legal practice (COLPs) and compliance officers for finance and administration (COFAs).

We also met individuals holding equivalent positions in licensed bodies, known as heads of legal practice (HOLPs) and heads of finance and administration (HOFAs). For the purposes of this report, we make no distinction and refer to them as compliance officers.

More information about our sample and methodology is available in Annex 1.

At each firm we spoke with the firm's compliance officer(s) and reviewed available:

• office manuals and internal compliance policies
• internal breach logs
• learning and development records.

This report supports firms and compliance officers to reflect on their systems, controls and practices and includes questions designed to encourage self-reflection and review. There are also links to additional resources provided at the end of this report.

Key findings

Choosing compliance officers

• There is little competition for compliance officer appointments. Individuals deemed their appointment to be inevitable or the default option. Their motivation to carry out the role was based on a regulatory necessity rather than an interest in the position.
• Turnover among compliance officers is notably low - 42% of those we spoke to had held a compliance officer role since it was introduced in 2012. Around 86% had only performed the role at their current firm.
• Firms should prioritise compliance officer succession - 16% expect to retire imminently and there was a lack of general consideration about succession.

Awareness of regulatory responsibilities

• Compliance officers typically lacked a full understanding of their regulatory obligations. Only one COLP could outline all their responsibilities, and most compliance officers couldn't describe more than half of the compliance requirements set out in our Code of Conduct for Firms.
• Compliance officers have a limited awareness of our key resources - only 50% have read the reporting and notification guidance, and just 19% have reviewed our enforcement strategy.
• Firms are reporting breaches internally but very few of these are escalated to us. The 36 compliance officers we visited received 1,377 internal reports over three years. Only nine of these reports was subsequently referred to us.

Systems, controls and processes

• All the firms had compliance controls and processes in place
• There is an over-reliance on compliance officers to manage all compliance responsibilities within a firm
• Many compliance officers reported a lack of sufficient support. Around 44% of firms do not have a deputy officer. This reliance puts pressure on specific individuals and poses a risk if compliance officers are unavailable. Firms also miss an opportunity to develop other individuals and deal with succession issues

Compliance officer competence

• We expect individuals to maintain records of their learning and development. However, 19% of compliance officers lacked such records. This raises concerns about how they and their firms can assess their ongoing competence. Only 44% could demonstrate training related to their compliance officer role in the past year.
• Compliance officers seldom make use of our guidance and resources. Instead, most appear to seek advice or guidance from a commercial compliance advisor.

Perceived risks and challenges

• Nearly half of compliance officers told us that they lack sufficient time and resources. Compliance officers dedicate, on average, only 26% of their time to compliance-related tasks. This might have an impact on their ability to fulfil their responsibilities.
• The compliance officer role tends to be undervalued within firms - less than half of officers said they felt appreciated.

Next steps

In response to the findings of this report we will:

• promote the learnings from this report among firms and compliance officers
• use the findings to support our ongoing consumer protection review.

We regulate compliance officers to make sure firms adhere to legal and regulatory standards. The term compliance officer refers to both COLPs and COFAs. These roles are important to maintain and promote compliance within firms. They help firms to operate within our required framework and help to uphold professional standards.

All firms and solicitors must comply with our Standards and Regulations and these obligations cannot be delegated to the compliance officers. There are also, additional specific requirements for compliance officers. These obligations are outlined below:

i. Codes of Conduct

The Codes of Conduct describe the standards of professionalism that we and the public expect of compliance officers, firms and solicitors.

The responsibilities of compliance officers are set out in paragraphs 9.1 and 9.2 of the Code of Conduct for Firms. If you are a COLP you must take all reasonable steps to ensure:

• compliance with the terms and conditions of your firm's authorisation
• compliance by your firm and its managers, employees or interest holders with our regulatory arrangements which apply to them (except any obligations imposed under the Accounts Rules)
• that your firm's managers and interest holders, and those they employ or contract with, do not cause or substantially contribute to a breach of our regulatory arrangements
• that a prompt report is made to us of any serious breach of the terms and conditions of your firm's authorisation, or the regulatory arrangements which apply to your firm, managers or employees
• that a prompt report is made to us of any facts or matters that you reasonably believe should be brought to our attention so that we may investigate whether a serious breach of our regulatory arrangements has occurred or otherwise exercise our regulatory powers.

If you are a COFA you must take all reasonable steps to ensure:

• that your firm, its managers and employees comply with any obligations imposed upon them under the Accounts Rules
• that a prompt report is made to us of any serious breach of the Accounts Rules which apply to them
• that a prompt report is made to us of any facts or matters that you reasonably believe should be brought to our attention in order that we may investigate whether a serious breach of our regulatory arrangements has occurred or otherwise exercise our regulatory powers.

Firms must decide how compliance officers operate within their business to meet these requirements. These arrangements must also comply with the provisions relating to compliance matters in our Code of Conduct for Firms. Firms must:

• have effective governance structures, arrangements, systems and controls in place to make sure that the firm and its staff comply with regulatory and legislative requirements (paragraph 2.1(a))
• make sure that the firm';s compliance officers can discharge their duties (paragraph 2.1(d))
• keep and maintain records to demonstrate the firm's compliance with its regulatory obligations (paragraph 2.2).

In addition, compliance officers who are solicitors must also comply with our Code of Conduct for Solicitors, RELs and RFLs. This includes:

• undertaking regular learning and development to keep their professional knowledge and skills up to date and to maintain their competence. This includes knowledge and skills relevant to the compliance officer role. They should also be able to demonstrate the steps they have taken to do this (paragraph 3.3)
• taking any remedial action requested by the SRA and, if required, investigate whether any serious breaches need to be reported (paragraph 7.10).

ii. Rules

Our Authorisation of Firms Rules set out the arrangements for the authorisation of firms. The rules also set out the ongoing requirements to be a compliance officer, who must:

• be a manager or employee of the authorised body (Rule 8.2 (a))
• consent to the designation as a compliance officer (Rule 8.2 (b))
• not be disqualified from being a compliance officer under section 99 of the Legal Services Act 2007 (Rule 8.2 (c))
• if a COLP, be authorised to carry out reserved legal activities by an approved regulator (Rule 8.2(d))
• pass the suitability test to make sure that they are fit and proper to hold these roles (Rule 13.1).

iii. Further requirements

Additionally, an effective internal compliance framework requires firms, solicitors and compliance officers to have read and understood their reporting and notification obligations and our enforcement strategy. These documents provide useful context to our expectations.

Compliance officers form a crucial link between us and each firm and are an integral part of the compliance regime. Compliance helps firms protect clients and build trust in the provision of legal services.

When recruiting to the role, firms should carefully consider whether the candidate has the appropriate skills, values and attributes. The right individual will help support an organisation’s culture, goals and dynamics. This assists better decision making and positive outcomes for clients and firms.

Who was selected as a compliance officer?

Compliance officers are required to be a manager or an employee of the organisation and consent to the appointment¹. In addition, COLPs must be authorised to carry out reserved legal activities by an approved regulator². We found the roles were held by a range of professionals:

• the COLP role was typically held by a solicitor (84%) but we also interviewed a barrister, a chartered legal executive and a dual qualified solicitor/licensed conveyancer
• 11 individuals carried out the role of COFA without also being the COLP. Three held a formal financial professional qualification. The remaining role holders comprised three solicitors, one barrister, one chartered legal executive and three individuals with no qualifications.

Joint or individual roles?

The compliance officer roles may be held separately by two individuals or jointly by a single person. Firms should carefully consider what is right for them.

Where the roles are performed by separate individuals, firms may benefit from a broader diversity of experiences and skills. When effective, these individuals provide oversight and cover if an individual is not available. It also fosters a joint sense of accountability for compliance. However, this arrangement requires co-ordination between both individuals and a clear explanation and understanding about their relevant responsibilities.

A single individual undertaking both roles may clarify the firm's approach to compliance and simplify others' understanding about the system and roles. It could expedite decision making, simplify interpretation and streamline reporting requirements.

We saw both arrangements used effectively. The compliance officer roles were typically held by two separate individuals (63%). Strikingly, 91% of these individuals reported interacting daily with their co-compliance officer. This highlights the need to ensure co-ordination between the roles and the support that these separate compliance officers felt they could provide each other.

What characteristics do firms require in a compliance officer?

We asked compliance officers what key qualities a successful candidate required. Their views varied and probably reflect the all-encompassing nature of the role:

COLP: What skills do you need?

Meanwhile, the required skillset of a COFA was more narrowly construed:

COFA: What skills do you need?

The responses highlight the varied skills and requirements that a good compliance officer requires.

Compliance officer turnover

Turnover in any ongoing role is inevitable, and firms should actively consider succession planning for compliance officers. New appointments can bring fresh perspectives, trigger cultural shifts and provide opportunities for others. Poorly managed change is often detrimental. Firms may lose organisational knowledge and capabilities. It can also negatively disrupt the dynamics and culture of an organisation. Several firms told us how expensive it is to recruit an appropriate individual and that it takes time and resources to help them settle.

We found a low turnover rate of compliance officers. Around 42% had held the role since its introduction in 2012, and a further 28% had done it for more than 5 years. There was also little evidence of compliance officer moving firms. Most (86%) of the compliance officers had only held the position at their current firm.

Our findings highlight that a compliance officer appointment is a long-term decision so firms should make sure they make the right choice. Succession is also a key risk, and firms should be actively considering their options. Around 16% of the compliance officers we interviewed were looking to retire imminently.

How senior are compliance officers?

We require compliance officers to hold 'sufficient seniority and [be] in a position of sufficient responsibility to fulfil the requirements of the role³.'

The responsibilities of the role require compliance officers to possess experience and expertise of not only the regulatory framework within which law firms operate but the many challenges that can arise. Responding to these challenges requires ethical and technical leadership, the ability to influence organisations and employees and the willingness to have difficult conversations.

We were satisfied that firms were typically appointing individuals of sufficient seniority. Around 72% of the compliance officers we interviewed had been legally qualified for over 15 years. This is likely to help them leverage their experience and position within the firm.

All but one compliance officer was a manager in their firm. While employees may hold the position, they should consider whether they have the relevant seniority and responsibility within the firm. An employee and their firm must consider whether they have access to the firm’s relevant information. This will inevitably include access to financial/commercially sensitive data.

Around 75% of the compliance officers were also owners of the firm. While this may currently be common practice, firms should consider how any tensions between the interests of the owner and the compliance officer(s) are managed.

In some cases, the size of a firm will limit choice, but the consequential risks should be identified, acknowledged and mitigated.

How do firms choose compliance officers?

A lack of choice might lead to firms appointing unsuitable individuals. This includes people who lack relevant skills and attributes or, alternatively, those that are hindered by circumstances e.g. a lack of time. These issues impact outcomes and erode people’s motivation and commitment to the role.

Significantly, no compliance officer told us that there was competition for their role. Firms did not appear to encourage individuals to internally apply for the role.

These findings suggest a lack of interest in the role. The appointments appear to be done as a regulatory necessity, rather an opportunity to appoint a key figure in an effective compliance environment.

We asked individuals if they believed they were the right person to hold the role. This is important because an individual's perception about their own suitability for a role is significant. This perception is likely to support performance by increasing motivation, interest and confidence. This informs learning, development and performance.

Around 84% of compliance officers believed they were the right person to do the role. Individuals however often told us that they lacked the necessary time and resources to perform the role adequately.

Do firms value the compliance officer position?

Effective authority requires a degree of acknowledgment and respect from others. We asked compliance officers if they felt that the role was acknowledged and/or valued by firms. Only 44% of the compliance officers we spoke with agreed.

Firms should acknowledge the value of these roles. This promotes the importance of the role, raises its profile and confirms its significance within the firm. In the short term, this may increase awareness and respect about compliance but also, in the long term, stimulate interest in the role and aid succession planning.

A lack of community respect for the position will undermine performance of the role. While this issue may be diluted where owners undertake the role, it is still likely to foster a degree of detachment and lack of interest/knowledge about the role within the firm. This inevitably leads to an isolated compliance officer and a general reliance by the firm on them for compliance matters. As mentioned above, everyone is personally accountable for compliance with our regulatory requirements and their obligations cannot be delegated to compliance officers.

How are compliance officers rewarded?

Rewarding individuals is important for various reasons. It incentivises individuals and motivates them to perform well and meet expectations. It also supports employee satisfaction, morale and can help attract and retain talent. This increases organisational knowledge and experience and reduces the likelihood of employee turnover and the associated costs.

Appointment as a compliance officer will typically lead to increased work and responsibility. We found most compliance officers received no acknowledgment or financial incentive for these roles. Only one compliance officer received a pay rise to undertake the role. The remaining compliance officers received nothing. Although some of these individuals were owners, this information is striking. Naturally, a lack of acknowledgment devalues the role and undermines people's interest in holding the position.

While compliance officers felt they were typically underappreciated while in post, attempts to backfill the role were difficult. The roles are a pivotal, mandatory part of any compliance regime and require a significant degree of expertise and responsibility. As one of our interviewees who was due to retire told us:

Fundamentally, organic growth will always be easier and cheaper for firms, and succession should be an ongoing consideration.

Is the compliance officer role a benefit to an individual's career?

Despite the lack of reward and recognition, some compliance officers deemed the role to be a useful career step:

• 33% told us it helped them gain more knowledge and experience
• 33% told us they were viewed as more senior.

Around 39% told us it had no career benefit. These findings suggest that firms and individuals could make more of the role and emphasise its importance in an individual’s career. This would promote interest and respect for the role.

Questions to help reflection

These questions are intended to prompt individuals and firms to consider the impact and usefulness of compliance officers. We also hope it will help support firms and individuals to consider the help and support the compliance officer role requires.

Questions for the firm:

• How do you support and acknowledge the role of compliance officers?
• What time, resources, training and access to senior management do you provide to compliance officers?
• Do you have a working culture in which compliance officers are recognised as having a high value role within the firm?
• What incentives, financial or otherwise, do you provide to compliance officers?
• Do you discuss the career aspirations and future of compliance officers?
• Have you reviewed the compliance officer roles and the strengths and weaknesses of the current arrangement/officers?
• What would be the outcome if you encourage a specific pre-defined length of service for compliance officers and could this be beneficial?

Questions for compliance officers:

• Why are you the right person to continue to carry out the role?
• Do you require more support from your organisation?
• What business benefits do you bring to your organisation and are they aware?

Compliance officers play a key role in understanding, maintaining and promoting regulatory compliance within firms. We were interested about the extent of the compliance officers' knowledge and how this might impact on their work.

How knowledgeable were compliance officers about the role?

Compliance officers in firms are expected to meet a total of eight requirements (COLPs have five requirements and COFAs have three). These are set out at the beginning of this report.

We asked compliance officers to describe the material requirements of their role:

• no individual was able to provide a comprehensive overview of all the compliance officer requirements (this includes 13 individuals who held both roles)
• only one COLP could outline each aspect of the COLP's requirements
• most COFAs (78%) could outline all the COFA's requirements.

It should be noted that COFAs have fewer requirements to remember compared with COLPs. But these findings nonetheless suggest compliance officers (and COLPs in particular) do not know or appreciate the requirements of each role. Naturally, this undermines their ability to execute the role. This poses a risk to firms and clients.

Firms also overlooked the roles and their basic requirements. For example, one firm we visited had failed to appoint a COFA following the retirement of the previous incumbent. In addition, the firm did not acknowledge the individual's retirement on mySRA. We referred this matter to our Authorisation team.

How knowledgeable were compliance officers about record keeping and reporting?

A firm must keep and maintain records to demonstrate compliance with its obligations⁴. We therefore expect compliance officers to keep a record of all breaches that occur. Breaches of regulatory requirements are inevitable, and these records allow firms to identify risks within their business. They also help compliance officers identify where thing have gone wrong and whether there are any systemic problems inherent in the firm’s processes. This is beneficial to safeguard clients and improve outcomes for businesses.

We tested compliance officers' knowledge of our reporting and recording requirements. The results were poor. A fifth of the compliance officers could not explain their record keeping obligations. A further 59% could only provide a partial explanation. This was compounded by further findings:

• only half of the compliance officers have read our reporting and notification guidance
• only 19% of the compliance officers had read our enforcement strategy.

Fundamentally, a compliance officer cannot successfully discharge their reporting and recording duties if they do not understand them or the relevant basic concepts. For example, we found only one individual was able to describe the difference between a notification (which describes something that must be reported to us, such as a solicitor bankruptcy) and a report (which refers to a set of facts or circumstances that may have to be reported but allows the COLP or COFA discretion).

Reporting issues to the SRA

Reporting issues to us when things go wrong is vital. It helps protect consumer protection and drives confidence and trust in legal services. Reporting behaviour that presents a risk to clients, the public or the wider public interest, goes to the core of the professional principles of trust and integrity. A fundamental part of the compliance officer role is to receive and record internal reports and deal with any subsequent referrals to us.

Our review did not retrospectively review the substantive actions of each compliance officer. Instead, we concentrated on each compliance officer's explanation and demonstration of their processes and systems.

We reviewed whether compliance officers had established a systematic approach to reporting. Only a quarter of the individuals were able to describe a defined process.

Compliance officers outlined various tools and strategies:

• 50% discussed matters with our Professional Ethics team
• 44% said they used their own professional experience
• 19% were unsure because they'd never had to do it
• 17% used an external compliance company
• 6% spoke with a second member of staff.

Relying on previous professional experience may be useful, but compliance officers must also read and understand our reporting and notification guidance. Of the 17 compliance officers who told us that they relied on their professional experience:

• none had read our reporting and notification guidance
• only four had read our enforcement strategy.

While we did not review the actions of compliance officers, we remain concerned about the low number of reports that had been made. Reports enable us to investigate matters and, where necessary, take action to protect clients. This is a mutually beneficial outcome for us and the profession, and firms should consider the role they have to play. We found:

• compliance officers we spoke to received 1,377 internal reports in total from around 2,600 members of staff over the three years
• three of the 25 firms we visited accounted for 82% of these internal reports
• across the total of 1,377 internal reports, only nine referrals were made to us
• 86% of the compliances officers had not made a report to us in three years.

Questions to promote reflection

Questions for firms:

• How often do you review the records of compliance officers?
• Have you developed a process, expectation and culture about recording and reporting requirements?

Questions for compliance officers:

• Can you explain the combined requirements of the COLP and COFA roles?
• Are the internal reports you have received stored in a comprehensive, clear and accessible format?
• Could you evidence and explain your decision-making process about internal reports if required?
• Have you read our reporting and notification guidance?

Solicitors must maintain their competence, knowledge and skills to carry out their role⁵. This includes any relevant legal, ethical and regulatory obligations relevant to their role⁶. We explored whether compliance officers achieved and demonstrated these obligations.

Initial training

Compliances officers widely acknowledged the extent and volume of information they are required to understand. We were interested about the preparatory steps compliance officers took before undertaking the role:

• 97% reviewed SRA literature
• 86% did personal research/wider reading
• 80% went on an external course
• 14% had a handover meeting with the previous role holder
• 11% reviewed their firm's historic data.

Only a minority of compliance officers accessed historic compliance records or spoke with the former role holder. In some cases, this was because the compliance officer had held the position since the outset. However, this was not always the case. Organisational knowledge is valuable, and firms should make sure that they continue to gather, record and develop it for future use.

Financial competence

COFAs are responsible for the firm's adherence to the SRA Accounts Rules. Around 66% of the compliance officers believed that financial acumen was necessary to undertake the COFA role. We explored the knowledge and experience of COFAs:

• 63% have carried out personal research to understand financial topics
• 22% have an academic, financial qualification
• 22% have previously held a job in the financial sector
• 17% have a professional financial qualification
• 19% had done none of the above.

COFAs naturally require a degree of financial knowledge and expertise. Firms and individuals should reflect on this when considering COFA appointments.

Training records

We expect individuals to record and evaluate their learning and development. We found 19% of the compliance officers did not have a learning and development record.

In addition, only a minority of compliance officers were able to show training that related to their role in the past year (44%). Individuals should continually and routinely look to develop their skillset and knowledge. Not only is this a regulatory requirement but it also helps individuals understand the role, develop and avoid mistakes/issues. This is particularly significant given that individuals routinely told us that the role was stressful and time consuming.

Supporting compliance officers

Compliance officers will inevitably benefit from assistance and advice from third parties. Our interviewees mentioned the following support:

• 63% sought advice and guidance from commercial compliance advisors
• 36% received help and guidance as part of their Lexcel accreditation
• 36% sought advice from the Law Society
• 27% received help from insurers and banks.

We also asked compliance officers about the support and guidance we provide.

We noted a lack of knowledge and use of the resources we provide:

• 75% did not attend the compliance officer conference
• 58% did not watch our webinars/YouTube
• 28% did not contact the Professional Ethics team.

We do not dictate which resources firms and individuals must use. However, we were surprised to see how little firms used our free guidance and support. Only three compliance officers utilised all the resources we provide while 11 compliance officers used none.

What do compliance officers think about our resources?

We asked interviewees about the resources we provide. Positive comments include that the resources are:

• well written (39%)
• easy to use (33%)
• diverse and covered various topics (19%).

Common complaints about our resources included:

• lacked clarity (30%)
• were difficult to find (28%)
• lacked detail (25%).

Some compliance officers also felt disappointed about a perceived lack of specialist resources for compliance officers (14%). These individuals were unaware of the specific resources we provide including our YouTube channel which features 76 webinars for compliance officers that have been recorded from our last eight compliance conferences. We signposted these individuals to these resources.

We will naturally reflect on this feedback to consider what further work we can do in this area to support compliance officers.

Questions to help reflection

Questions for firms:

• Does your compliance officer have all the knowledge and skills they need to perform their role well?
• How do you measure and monitor performance of the compliance officers?
• Have you reviewed your compliance officer's training records?
• How do you support the competence of your compliance officers?

Questions for compliance officers:

• Can you show how you meet the skills and knowledge requirements expected of a compliance officer?
• When did you last undertake training in connection with your compliance officer role?
• Have you reviewed our:
• continuing competency resources?
• reporting and notification guidance?
• enforcement strategy?
• YouTube channel and compliance officer videos?

Our Code of Conduct for Firms requires all firms to have effective systems and controls in place to comply with our regulatory arrangements. These include policies, frameworks and processes that aim to manage risk and monitor compliance.

Investing in these systems and controls isn't just about managing risk; it’s also good for business. Robust compliance improves efficiency, strengthens a firm's reputation, and reduces risks that could lead to financial or reputational harm. It also helps to make sure that consumers receive consistent and high-quality services.

We recognise that both human and system error can happen. Our approach to enforcement is guided by fairness and proportionality. We will make sure that we only take those steps that are required to protect and promote the public interest and consumers. Our focus is on encouraging compliance and reserving enforcement action for the most serious cases. Further information about our approach to compliance is available in our enforcement strategy.

Firm-wide systems, controls and processes help reduce the reliance on individual compliance officers. Dependency on sole individuals is unsustainable and creates risks for firms if the compliance officer is unavailable or leaves.

What did we find?

Our visits showed that effective compliance works best when responsibility is spread across the team, making compliance part of fee earners' daily work. This approach encourages fee earners to take a front-line role, making compliance a routine task. It also frees compliance officers to focus on bigger-picture improvements.

Common controls and processes in place

All the firms we visited had some form of internal compliance controls and processes in place to manage risk. The number and types of controls varied, but those with well-established processes were able to evidence a more structured approach to compliance.

As one COFA told us:

We asked compliance officers to share how they manage compliance within their firms. We invited them to discuss the controls and processes they find most effective and to explain what works well and why.

The most common controls and processes that were mentioned are set out below.

• Office manuals and internal compliance policies: 94% of the firms we visited showed us they had a formal office manual and internal compliance policy. These documents serve as key references for staff, outlining the firm’s compliance approach, areas of responsibility, and steps to take if a potential breach occurs
• Training: 86% identified training as a crucial control to help staff understand their compliance responsibilities. Over half (53%) of compliance officers led this training themselves, often focusing on core areas like anti-money laundering and conflict of interest management. In larger firms, training is typically delivered by members of the internal compliance or learning and development teams, with firms also keeping records of staff attendance in training sessions
• File reviews: 83% of the firms undertook a file review. These help to detect issues early on and correct any recurring mistakes that fee earners make. These reviews were carried out by a member of staff who is more senior than the fee earner dealing with the file. The results were recorded and shared with the relevant compliance officer
• Supervision: All firms had appropriate supervision arrangements in place. Compliance officers explained that this ensures fee earners remain compliant. It also offers a way for staff to escalate individual cases or to ask questions of a more senior colleague where needed
• External audits: 69% of firms arranged for an external third-party auditor to assess their compliance arrangements. This provides the firm with an extra layer of oversight and helps to identify areas that may require improvement
• Spot checks by compliance officers: 55% of firms reported conducting ad-hoc spot checks of client files to help identify specific risk areas that require any corrective action. These spot checks were carried out by the compliance officer themselves or by a member of the firm’s internal compliance team
• Internal audits of policies and procedures: 36% of firms conduct their own annual audit of policies and procedures, typically led by the compliance officer or a member of the compliance team. Half of the firms review their policies once a year, while 39% do so ahead of a Lexcel or Legal Aid audit. For any policy to be useful, it should meaningfully address the issues it’s designed to tackle. Without regular review, they risk becoming misaligned with expectations and promote misguided and unhelpful outcomes.

Our visits showed that firms use different methods to monitor and manage compliance risks. All compliance officers agreed that a clear compliance framework with key checks and balances, with input from multiple people, is key to managing risks and maintaining high standards.

Firms with structured processes that were well-understood by everyone across the business appeared to be more effective in identifying and addressing compliance issues early, helping to safeguard client interests and firm reputation.

The insights shared by the compliance officers also highlighted the importance of practical measures - from regular training and supervision to ad-hoc spot checks and external audits. These approaches not only strengthen compliance but also encourage staff across the firm to take an active role in maintaining these standards. This helps ensure policies are reflected in daily practice rather than just documented.

Risks identified in compliance controls and processes

We identified some risks that could limit how well some of these controls and processes worked.

A key issue is the reliance firms place on compliance officers. These individuals often don't have the support, budget and resources they need from the wider business. Without firm-wide commitment, compliance may end up depending too much on certain people, instead of being embedded as a shared, ongoing responsibility. This creates the risk that compliance won’t be consistent or sustainable across a firm’s work.

We identified the following risks:

• Lack of formalised processes: 11% of compliance officers explained that there was no formalised process to verify that staff were complying with the compliance officer's instructions or what is set out in the firm's office manual/compliance policy. A lack of formal checking process increases the risk that key issues may be overlooked or inconsistently managed, leading to potentially serious breaches. It also places a further burden on compliance officers to manually check adherence to the firm's system
• Inconsistent record-keeping: Poor record-keeping can lead to problems about showing and explaining decision making. This may include whether a report was made to us. We examined the internal breach records of firms and found that 41% only maintained partial records of decision-making by a compliance officer. In practice this meant that the logs didn't contain information on the circumstances of the breach or the rationale for any remedial action
• Compliance officers failing to undertake learning and development activity for the role: While most firms reported having training processes, 25% of compliance officers had not undertaken any training related to their compliance role within the previous 12 months
• A lack of support and succession planning: 44% of firms did not have a deputy compliance officer. Over-reliance on a single individual leaves firms vulnerable if a COLP or COFA is absent or cannot carry out their responsibilities and may also lead to bottlenecks in decision making
• Technological risks: Each firm's approach to technology can bring specific risks. While some firms had specialist compliance software designed to simplify and assist with compliance tasks, others relied on tools like Microsoft Word or Excel for compliance management. Specialist software can help automate and structure an approach to compliance. It is also purpose-built for regulatory needs, while general tools like Microsoft Word or Excel need to be customised to meet requirements.  A centralised system, whether with specialist software or not, helps succession planning, as it means key documents and information are easily accessible.

Having clear and streamlined processes and controls is an important part of achieving regulatory obligations. While firms don't need to implement every control listed above, we expect that they will appropriately manage risk in a way that best suits their specific needs and practice areas.

What reporting systems do compliance officers have in place?

Processes, systems and records outline expectations and are a crucial part of any firm. They aid reflection and provide a baseline to promote continuous improvement. Information that is recorded helps develop a uniform approach which can be shared with third parties and reviewed/performed by future compliance officers.

We do not prescribe a method of recording breaches. Instead, firms should consider how to develop and establish this key risk management tool. Most firms had established useful controls:

• 83% of compliance officers could provide an internal reporting policy
• 69% could provide a record of their internal reports (this included records which showed there had been no internal reports).

Compliance officers stored and collected reports in multiple ways:

• 39% had specific software to record the reports
• 36% stored paper copies in a folder
• 17% stored the reports in an e-mail folder
• 6% stored the reports in a specific area of their case management system.

Around 11% of compliance officers had no formal system or process in place. This is likely to undermine the quantity and nature of the reports.

Questions to help reflection

Questions for firms:

• What formal processes do you have for regularly assessing and improving your compliance controls and systems?
• How do you encourage a culture of compliance among all staff, and what resources are available to support this?
• What measures have you put in place to ensure compliance documentation is kept accurate and accessible to those who need it?
• How do you promote collaboration between compliance officers and other departments to strengthen overall compliance efforts?
• What steps do you take to identify and mitigate risks associated with relying on technology for compliance management?

Questions for compliance officers:

• How and when do you communicate compliance standards to staff? What steps do you take to make sure that everyone understands and follows them?
• What ongoing training programs do you have for yourself and your colleagues to keep up with regulatory changes and compliance best practices?
• How do you evaluate the effectiveness of your current compliance controls, and how do you plan to address any areas that need improvement?
• How do you make everyone responsible for compliance?
• How do you make the most of technology in your compliance processes?

Compliance officers play an important part in making sure that firms and fee earners meet regulatory requirements and uphold professional standards. However, the role comes with significant risks and challenges.

We asked compliance officers about the biggest challenges and risks they face. Their responses shed light on the pressures they deal with and highlight where support is most needed.

Time pressures

Nearly half of the compliance officers identified a lack of time as their primary challenge. This was particularly true for compliance officers who try to balance multiple roles within a firm. Almost a quarter of compliance officers told us that they struggle to dedicate enough time to compliance tasks alongside their fee-earning work.

One compliance officer described the difficulties of balancing their role as the firm's COLP and Managing Director: 'it feels like I'm trying to drive a speedboat while also throwing anchors out the back.' Another told us: 'It's difficult to balance compliance with profitability'.

Other compliance officers reported that much of their time went toward routine administrative tasks or handling routine issues, rather than higher-level, risk-focused work. This can cause frustration among compliance officers. As one COLP explained: ‘I want to be a strategic compliance quarterback, I don't want to be bogged down in endless detail.'

Our review also found that compliance officers dedicate, on average, only 26% of their time to compliance-related tasks. We also heard that they find it hard keeping up with regulatory updates (27%). When compliance officers are stretched too thin, they risk overlooking important details, which increases the likelihood of errors.

An overreliance on compliance officers may also lead to a misconception that they alone are responsible for making sure that everyone within a firm is complying with their regulatory obligations. This may lead to a lack of interest in compliance throughout a firm.

Firms can help reduce the time pressures on compliance officers by giving them the right resources, support, and tools to work more efficiently. Using software to automate the collection of compliance data, delegating routine tasks around the firm, and appointing a deputy compliance officer can all make a big difference.

When compliance officers have the time and support they need, they can concentrate on more proactive and strategic tasks, which ultimately strengthens compliance and better protects both the firm and its clients.

Importantly, a lack of time is not a reasonable explanation for a lack of systems, controls and procedures. As one compliance officer told us:

‘The rules are there to be followed and I've no sympathy for people who can't find the time. If you can't do it, you shouldn't be running a business. The legal framework is a vital part of protecting the client and a sensible commercial requirement. If I have to spend time on understanding compliance, why shouldn't others?'

A lack of broader support

Many compliance officers told us that they lack the support needed to embed compliance as a shared responsibility across the firm.

Compliance officers shared anecdotal accounts with us about how some firms viewed compliance as the sole responsibility of the compliance officer. This created an expectation that it was their job to ensure everyone in the firm was complying. This was a source of frustration for several compliance officers who felt firms underestimated the amount of information they are required to know.

When compliance is viewed as a shared responsibility, compliance officers have more time and space to focus on strategic areas, such as assessing the effectiveness of the firms systems and controls.

Resourcing and workload management

Making sure that compliance officers have the resources that they need to manage compliance in a firm is key to them carrying out their role well. Without support, compliance officers are at risk of becoming overwhelmed. This increases the risk of compliance failures that could lead to poor outcomes for clients and regulatory action against firms.

Around 20% of compliance officers told us that they felt they didn't have the resources that they needed to carry out their role effectively and found the workload overwhelming. Around 19% told us that they wanted an internal compliance team, while others wished they could have more time (16%) or additional training and external expertise (19%).

All compliance officers we spoke to held at least one other role within their firm:

This dual responsibility makes it harder for individuals to effectively manage their time, and to balance the demands of each role. Compliance work demands the focused attention of a compliance officer. Adding another role, such as a fee-earner or director, can lead to competing priorities, increased stress, and a greater risk of errors or oversight. We acknowledge that for some firms this is not a choice, but firms should still consider the risks involved.

Firms should assess whether their compliance officers have the capacity to juggle multiple responsibilities or if they would benefit from added support, such as task delegation or appointing deputies. Without a well-prepared pathway for others to step into the role, continuity can suffer, creating additional strain when new officers take over or where the compliance officer is absent or unavailable. Equipping compliance officers well helps them focus on risk management, creating a proactive compliance framework that safeguards the firm's reputation and operations.

Compliance officer wellbeing

Compliance officers' wellbeing is directly impacted by how effectively they perform their role. Their work includes understanding what laws, regulations and ethical standards a firm must follow. This includes communicating those requirements to staff and putting systems in place to monitor and minimise the risk of any breaches.

Mistakes can lead to serious financial and reputational damage, or even personal liability. If compliance officers are overworked or stressed, they are more likely to make errors, or to overlook key details, that put the firm at risk of a compliance breach.

Supporting compliance officers' wellbeing not only boosts their performance but also strengthens the firm's compliance. When officers are in good health, they are better able to manage the complexities of their role, take sound decisions, and effectively control risks.

Further information on how to provide a support system for individuals is available in our 'Workplace environment: risks of failing to protect and support colleagues' guidance.

Around 52% of compliance officers told us that they felt stressed because of their role. This was driven by the high level of personal responsibility they felt for making sure that systems were in place to prevent regulatory breaches. All the compliance officers we spoke with also faced the added pressure of balancing multiple roles within the firm. Further stressors included the lack of time, support and internal resourcing for compliance officers, as outlined above. Many reported that these pressures lead them to work longer hours or to take compliance tasks home.

Anecdotally, some compliance officers told us that their role can leave them feeling isolated, especially where compliance issues conflict with business priorities. Almost half (47%) felt that their role was not acknowledged or valued by their firm.

As mentioned previously, 75% of the compliance officers were also owners in the firm. This dual role not only amplifies their responsibilities but also deepens their personal investment in the firm's success. When an owner faces stress or burnout, the impact is far more significant if that owner is also a compliance officer.

Wellbeing and mental health were not hypothetical concerns. We heard about an owner/COLP who suffered a mental breakdown that almost led to the firm's collapse. This incident highlights the serious repercussions that can arise when the wellbeing of an individual within the firm's management structure is compromised. It also highlights the benefits of defined systems and controls which are not dependent on a single individual.

Firms can help compliance officers' wellbeing by creating a culture of support where compliance is viewed as a shared responsibility. Firms resourcing compliance officers properly, is key to reducing workload pressures. Regular check-ins and open communication can also help create a supportive environment, allowing officers to voice concerns and to feel more closely connected to the teams that they work alongside.

Providing access to mental health resources and wellness programs can also help officers manage the demands of their role more effectively. Further information about where legal professionals can turn to if they come across personal wellbeing matters is also available on our website.

Questions to help reflection

Questions for firms:

• How do you support compliance officers to balance their compliance duties with any other roles?
• What time and resources do you provide to compliance officers to help them carry out their role effectively?
• What tools or processes do you use to streamline routine compliance work so your officers can focus on more strategic tasks?
• How involved are your staff in the role of compliance?
• Have you considered succession planning and deputy compliance officers?
• How do you support the wellbeing of your compliance officers?

Questions for compliance officers:

• Do you have enough time and support to effectively manage your compliance responsibilities alongside any other roles?
• Are there routine or lower-priority tasks you could delegate or automate?
• How do you share responsibility with others?
• Do you need additional support or a deputy?
• What resources do you need?

Our Professional Ethics team provide help and guidance on all topics. They can be contacted by email, letter or telephone.

Information and resources about a range of topics are available on our website and our YouTube channel. This includes information about what we expect and resources to help those we regulate comply.

Our visits focused on key areas which affect all compliance officers and firms. Links to further guidance and resources are provided below:

Compliance officer responsibilities

• Responsibilities of COLPs and COFAs

Enforcement strategy and financial penalties

• Enforcement strategy
• Our approach to financial penalties

Reporting and notifications

• Reporting and notifications guidance

Training resources

• Statement of solicitor competence

Conflicts of interest

• Conflicts of interest guidance

Wellbeing in the workplace

• Workplace environment guidance

Information and cybersecurity

• Information and cybersecurity

Continuing competence

• Continuing competence resources

Overview

Our thematic review features views and experiences from firms and compliance officers across the profession.

We recognise the limitations of the information we have collected and the risk of response bias because:

• our sample was relatively small
• we are each firm's regulator
• firm participation was mandatory.

We attempted to address these issues by testing the underlying knowledge and actions of compliance officers. We also used multiple interviewers and a structured set of questions to help mitigate personal bias.

Visit – sample

We visited 25 firms and spoke with 36 individuals. This included:

• 9 COLPs
• 8 COFAs
• 12 individuals carrying out both the COLP and COFA roles
• 3 HOLPs
• 3 HOFAs
• 1 individual carrying out both the HOLP and HOFA roles.

Our report does not distinguish between COLPs/COFAs and HOLPs/HOFAs.

We used a stratified sample to broadly reflect the size of firms across the profession according to the number of staff in each firm. This included:

• Sole practitioners
• Small firms – defined as having between two to five solicitors
• Medium firms – defined as having between six to nine solicitors
• Large firms – defined as having between ten to 50 solicitors
• Very large firms – defined as having more than 50 solicitors.

Visit – approach

Each firm was given an opportunity to choose a convenient date for our mandatory visit.