How To: be a COFA

A year ago the Gazette reported that 600 firms had failed to nominate compliance officers as part of the Solicitors Regulation Authority’s new regime of risk-based regulation. By Christmas the regulator expressed its disappointment that around 250 firms had failed to complete the process – or even start it. This was on top of a ‘sizeable number of firms’ whose nominated individuals would not be approved. Two rebukes, 26 warnings and 618 letters of advice later, latest figures show that only 46 firms do not have a compliance officer in place. Not bad, considering this figure includes those firms in the process of changing the person in the role.

Along with COLPs (compliance officers for legal practice), the COFA (compliance officer for finance and administration) role was introduced by the SRA as part of its move to outcomes-focused regulation, with compliance officers taking up the positions on 1 January 2013. Creating the compliance officer regime, the SRA said, allows the regulator to ‘create a culture where the primary responsibility for managing compliance risk lies with the firms, and which encourages firms to have a clear focus for delivery of the regulatory outcomes’.

That leaves the SRA to focus on ‘those who cannot and/or will not deliver competent and ethical legal services, and on those who are capable and willing, but need support to manage particular compliance issues.’

The role

COFAs are responsible for ensuring systems and processes are in place to enable the firm, its managers and employees, and anyone who has an interest in the firm, to comply with the SRA Handbook requirements.

The types of systems needed, the SRA says, are not prescribed, as these depend on what is appropriate for the profile and size of the firm, its areas of risk, and the nature of its work and client base.

Ultimately, compliance is the responsibility of the firm, but COFAs must report material issues to the SRA.

The COFAs who are now in place are required to take all reasonable steps to:

• ensure that the authorised body, its employees and managers, comply with any obligations imposed under the SRA Accounts Rules.
• keep a record of any failure to comply and make this record available to the SRA.

Any material failure (either taken on its own or as a pattern of failures) must be reported to the SRA as soon as reasonably practicable, and recorded in the annual information report completed in accordance with rule 8.7(a) of the SRA Authorisation Rules.

Firms have to decide how the COFA will operate within the business structure. All firms are required to report back to the SRA with information on compliance issues, and the COFA is responsible for compiling this information. The information that needs to be reported back is laid down in Authorisation Rule 8.7. As well as the annual information report, firms must update the SRA, giving details of general changes that occur in respect of the firm.

The impact

Unlike the role of COLP, the role of COFA does not appear to have caused too many issues for the legal profession. As Virginia Farquharson, COFA at Payne Hicks Beach, explains opposite, the rules with which one has to ensure compliance are largely familiar and have varied little over the years.

Sole practitioner Sushma Awtani, of Awtani Immigration Solicitors, who is both COLP and COFA for her firm, concurs. ‘Ensuring that correct procedures are in place has always been a priority for me.’ she says. ‘As a COLP and COFA, I reviewed my current systems and procedures that were in place and refined them to comply with the SRA requirements.’

Indeed, of the 250 queries the Law Society’s Risk and Compliance Service has received in total about compliance officers, only around 40 have been about COFAs, the remainder being COLP-related.

James Penn, compliance consultant at global legal and compliance recruitment agency Taylor Root, says the advent of the COFA has had relatively little impact on recruitment (‘often existing partners or the finance director will be appointed from within the firm’), but looking more widely at the day-to-day responsibilities inherent in the introduction of the officer roles, ‘the changes have virtually created a new market’.

He says: ‘There has been a huge amount of hiring within risk and compliance teams in the past few years, and coupled with other regulatory changes and changing attitudes to risk (such as anti-bribery and a focus on data protection) firms have been very actively trying to hire staff.’ He says the market has ballooned. ‘Given there is a shortage of skills in these key risk and compliance areas, salaries have risen accordingly, and risk and compliance within firms is now starting to be seen as a genuine alternative career path with the legal sector,’ he adds.

Who can be a COFA?

Firms are afforded a degree of flexibility in who they can appoint as the COFA. Unlike the COLP, the COFA does not need to be a lawyer.

The COFA must:

• be an individual;
• be a manager or an employee of the authorised body (or be an approved COLP and/or COFA (as appropriate) in a related authorised body);
• consent to their designation as the COLP and/or COFA;
• be of sufficient seniority and responsibility to fulfil the role;
• not be disqualified from being a head of legal practice (HOLP) or head of finance and administration (HOFA) – as appropriate.

When approving nominations, the SRA looks at two issues in particular:

• Are the nominated individuals qualified and/or suitable for the role?
• Have senior managers in firms and their nominees actively engaged in the nomination process and properly understood their regulatory obligations and/or have the capability to deliver them?

‘I noticed some delegates on my training courses who had been nominated as COFAs who would quite often be junior people,’ says Peter Warner, managing director of Warner Consulting, who provides advice and training on risk and compliance issues. ‘One or two did not feel confident that they had access to all the relevant financial information and financial accounts at their firms.’

What the COFA should be asking, Warner argues, is: ‘Have I got sufficient power within the firm to make a report and to get a senior member of the firm to agree to take a particular course of action?’

The SRA reinforces that cautionary message, saying senior managers should be confident that the individuals have sufficient seniority and responsibility in the firm to fulfil the COFA role.

All COFA nominations go through an automated verification process that involves checking the information submitted in the nomination forms against information already held about the individual. Problems encountered during the nomination process have included failure to declare criminal convictions (‘the nature of the convictions is irrelevant, not declaring them – even offences considered minor – is the big issue,’ an SRA spokesperson notes), or people being nominated when they already have regulatory issues against their name and, therefore, cannot operate to the level of seniority required of a compliance officer.

The SRA has had to take action against firms that have continually failed to engage with the SRA, either by refusing to respond to correspondence or to re-nominate a suitable candidate. Rebukes and warnings count as official sanctions on a firm’s record and carry a £600 costs charge.

Personal liability

The COFA is the focal point, the SRA says, of identifying risk within a firm. ‘What the regime does not do, however, is remove any responsibility for the compliance away from others in the firm,’ the regulator adds. ‘The aim is to build a firm-wide culture of compliance, shared by everyone we regulate. Neither COLPs nor COFAs will be sacrificial lambs if regulatory action needs to be taken against others in the firm.’

However, ‘COFAs should seek indemnity from the firm,’ Warner warns. ‘Insurance can cover them to a degree, in terms of SRA fines and defence costs should a matter escalate to the Solicitors Disciplinary Tribunal. But what insurance cover does not protect is reputational damage if the matter is publicised, or if a COFA is prevented from holding a compliance role in the future, or is suspended from their role.’

‘The emergence of the COLP and the COFA brought with it a wave of concern from those being nominated for the role regarding their personal obligations,’ says Calum MacLean, UK risk manager at insurance broker Lockton. ‘This was particularly marked in the early period when there was a lot of uncertainty about the requirements and how they would be implemented and enforced.’

He adds that, at a time when firms are facing increased financial difficulty, ‘fear of management being held accountable for decisions made in the run-up to a collapse has also caused firms to seek adequate protection from liability’.

All of which means, the SRA says, that developing the role of the COFA is ‘a vast learning curve both for compliance officers themselves and the SRA.’

Warner concludes: ‘Firms need to be much more aware at a senior level of the importance of the role of the COFA and their responsibilities, together with the potential liability that attaches to the role.’

• More than 360 people have signed up to attend the first COLPs and COFAs Conference in Birmingham on 16 October. The first plenary session, ‘How I see the role of a compliance officer’, will be addressed by SRA executive director Samantha Barrass. The second plenary will be on ‘being aware of the hazards’ with SRA executive director Richard Collins. A series of workshops will also take place throughout the day. For more information see the SRA website.

Monidipa Fouzder is a Gazette sub-editor