
SRA's Wake-Up Call on AML Compliance: Is Your Law Firm's Function Up to Scratch?

04/03/2026

The SRA's December 2025 thematic review on compliance officers (COLPs and COFAs) sends a strong message:

  • Compliance roles are often undervalued and under-resourced, leading to stress and over-reliance on single individuals.
  • Many compliance officers lack full awareness of their regulatory obligations, including record-keeping and reporting.
  • Firms need better support for ongoing competence, with dedicated time, training, and resources.
  • Systems shouldn't be reactive or fragmented; relying on memory, partial logs, or inaccessible tech setups increases risks.

The review emphasises the need for:

  • Robust oversight and succession planning
  • Structured processes with clear policies and internal controls
  • Centralised, accessible records for breaches and decisions
  • Regular reporting, audits, and spot checks to leadership
  • Specialist software to manage technological risks and simplify tasks

In essence, compliance must be embedded as a shared responsibility, supported by tools that fit seamlessly into daily operations without adding to the burden.

This is precisely where ITRACK shines.

If you haven't checked out the SRA's thematic review yet, it's essential reading 👇

Or read here

The SRA and its expectations of compliance officers:

On 11 December 2025, the SRA issued the following:

Our aims and approach

All SRA-regulated firms and individuals must comply with our Standards and Regulations, including requirements for law firms to operate with compliance officers for legal practice (COLPs) and compliance officers for finance and administration (COFAs). These roles are important to maintain and promote compliance within firms. They help firms to operate within our required framework and to uphold professional standards.

Through the thematic review we wanted to explore:

  • How, and when, law firms choose their compliance officers.
  • Whether compliance officers understand and are meeting their regulatory obligations, including ensuring their ongoing competency.
  • Compliance systems, controls, and processes in law firms, and how compliance officers oversee and manage them.
  • Risks and challenges for compliance officers.

We visited 25 law firms and spoke with 36 individuals. During our visits we reviewed compliance policies, internal breach logs, and learning and development records. 

Choosing compliance officers

We require compliance officers to be a manager or an employee of the firm and consent to the appointment, and to have sufficient seniority and responsibility to fulfil the role duties.

COLPs must also be authorised to carry out reserved legal activities by an approved regulator – in our review 84% of COLPs were solicitors but we also interviewed others, including a barrister and a chartered legal executive.

In 63% of the firms we visited the COLP and COFA roles were held by two separate individuals, although 91% of these individuals reported daily interaction between the two role holders. 

Turnover in any ongoing role is inevitable. However, we found a low turnover rate of compliance officers in the firms we visited. Around 42% of individuals had held their compliance officer role since its initial introduction in 2012, and a further 28% had held their role for more than 5 years. We found little evidence of compliance officers moving between firms. 

The firms we visited typically appoint individuals of sufficient seniority; around 72% of the compliance officers we interviewed had been legally qualified for over 15 years. Around 75% of the compliance officers were also owners of the firm. 

No compliance officer told us that there was competition for their role, and firms did not appear to encourage individuals to internally apply for the role.

While around 84% of compliance officers felt that they were the right person to be holding the role, only 44% of the compliance officers we spoke with felt that the role was acknowledged and / or valued by firms.

We found most compliance officers received no acknowledgment or financial incentive for holding the roles, and attempts to backfill roles had proved difficult.

Some compliance officers did see the role as a useful career step, with 33% confirming it helped them gain more knowledge and experience, and 33% also feeling they were viewed as more senior.

However, around 39% felt that it had no career benefit. 

Awareness of regulatory responsibilities

Our Standards and Regulations set five specific requirements for COLPs and three for COFAs.

While most COFAs could outline all the COFA's requirements, only one COLP could describe the material requirements of their role to us. Some firms were also overlooking the roles and their basic requirements, including one example where a firm had failed to appoint a COFA following the retirement of the previous role holder. 

Firms must maintain records to demonstrate compliance with their regulatory obligations. This includes compliance officers who are to record all breaches that occur and make appropriate notifications to the SRA, in line with our reporting and notification obligations.

We found that a fifth of the compliance officers we spoke to could not explain their record-keeping obligations, while only half had read our reporting and notification guidance.

Only one individual was able to describe the difference between a notification (which must be reported to us) and a report (circumstances that may have to be reported but allow the COLP or COFA discretion).

We reviewed whether compliance officers had established a systematic approach to reporting.

Only a quarter were able to describe a defined process, but compliance officers did outline various tools and strategies that they use, including:

  • 50% had discussed matters with the SRA's Professional Ethics team
  • 19% were unsure because they'd never had to do it
  • 17% had used an external compliance company
  • 6% had discussed with a second member of staff.
  • 44% also said they used their own professional experience to determine whether a report needed to be made. However, none of those individuals had read our reporting and notification guidance.

Compliance officer competence

Solicitors must maintain their competence, knowledge and skills to carry out their role, including situations where they hold a COLP and / or a COFA role.

We asked compliance officers about preparatory steps they had taken before undertaking their role, and we heard that:

  • 97% reviewed SRA literature
  • 86% did personal research/wider reading
  • 80% went on an external course
  • 14% had a handover meeting with the previous role holder
  • 11% reviewed their firm's historic data.

Around 66% of the compliance officers we spoke to believed that financial acumen was necessary to undertake the COFA role.

We heard that:

  • 63% had carried out personal research to understand financial topics
  • 22% had an academic, financial qualification
  • 22% had previously held a job in the financial sector
  • 17% had a professional financial qualification
  • 19% had done none of the above.

However, we found 19% of the compliance officers we met did not have a learning and development record, and only a minority were able to show training that related to their role in the past year.

Some compliance officers demonstrated how they accessed support and advice to undertake their roles – for example, 63% sought advice and guidance from commercial compliance advisors - but we noted a lack of knowledge and use of SRA resources, and we heard perceptions from some that there was a lack of specialist SRA resources available for compliance officers.

Systems, controls and processes

Our Code of Conduct for Firms requires all firms to have effective systems and controls in place to comply with our regulatory arrangements. These include policies, frameworks and processes that aim to manage risk and monitor compliance.

All the firms we visited had some form of internal compliance controls and processes in place to manage risk, and we asked compliance officers to share how they manage compliance within their firms. We found that:

  • 94% of the firms we visited had a formal office manual and internal compliance policy – with key reference points for staff including steps to take if a potential breach occurs
  • 53% of compliance officers we spoke with lead training exercises in their firms, focusing on core areas like anti-money laundering and conflict of interest management
  • 83% of the firms we visited undertake file reviews, to help detect issues early on and correct any recurring mistakes that fee earners make – with results recorded and shared with the relevant compliance officer
  • 69% of firms arranged for external third-party audit of their compliance arrangements, and 36% of firms conduct their own annual audit of policies and procedures
  • 55% of firms confirmed their compliance officers or other employees undertake ad hoc spot checks of client files to help identify specific risk areas that require any corrective action.

However, we also identified risks that could limit how well some of these controls and processes work. They included:

  • 11% of compliance officers explained that there was no formalised process to verify that staff were complying with the compliance officer's instructions, or what is set out in the firm's office manual/compliance policy
  • 41% of firms were only maintaining partial records of decision-making by their compliance officers - in practice meaning that the logs didn't contain information on the circumstances of the breach or the rationale for any remedial action
  • 44% of firms did not have a deputy compliance officer – potentially instead over-relying on a single individual
  • Technological risks which could lead to key compliance documents and information being inaccessible, but that can often be managed through specialist compliance software designed to simplify and assist with compliance tasks.

Most firms had established useful controls for recording regulatory breaches, and 83% of compliance officers were able to provide us with an internal reporting policy, while 69% could provide a record of their internal reports. Compliance officers were storing and collecting reports in multiple ways, including using specific software, paper copies, e-mail folders and specific areas of their firm's case management system.

Perceived risks and challenges

We asked compliance officers about the biggest challenges and risks they face. Their responses shed light on the pressures they deal with and highlight where support is most needed.

All compliance officers we spoke to held at least one other role within their firm, which included also being fee-earners, supervisors, or Money Laundering Compliance Officers.

Nearly half identified a lack of time as their primary challenge, and this was particularly true for compliance officers who were undertaking multiple roles. Almost a quarter of compliance officers told us that they struggle to dedicate enough time to compliance tasks alongside their fee-earning work, and compliance officers we spoke to spend, on average, only 26% of their time on compliance-related tasks. 27% confirmed that they find it hard keeping up with regulatory updates.

We found that adding another role, such as a fee-earner or director, can lead to competing priorities, increased stress, and a greater risk of errors or oversight. For some firms this is not a choice, but the risks involved should still be acknowledged and considered.

Many compliance officers told us that they lack the support needed to embed compliance as a shared responsibility across the firm. This included sharing anecdotal accounts that indicated regulatory compliance is sometimes seen by people in law firms as the sole responsibility of the compliance officer. Around 20% of compliance officers also told us that they felt they didn't have the resources that they needed to carry out their role effectively and found the workload overwhelming. Around 19% told us that they wanted an internal compliance team, while others wished they could have more time or additional training and external expertise.

Around 52% of compliance officers told us that they felt stressed because of their role. This was driven by the high level of personal responsibility they felt for making sure that systems were in place to prevent regulatory breaches. Further stressors included the lack of time, support and internal resourcing for compliance officers. Almost half (47%) felt that their role was not acknowledged or valued by their firm.

Conclusions and next steps

We identified a range of different approaches being taken by compliance officers, and by law firms, to discharge the required duties of the COLP and COFA roles.

We saw evidence of good practice and law firm environments where the roles were operating effectively, and where compliance culture is being taken credibly by employees in their different roles. All the firms we visited had compliance controls and processes in place, and external compliance support is often being made available to compliance officers to support them in undertaking their duties.

However, we also identified causes for concern, and specific risks that may impact the effectiveness of the COLP and COFA roles and weaken a firm's compliance response. This included risks that:

  • Compliance roles, and the succession plan for those roles, are not always considered or prioritised, and in some cases single individuals currently within the roles are over-relied on despite reporting that they have a lack of sufficient time and support
  • Some compliance officers are lacking full understanding of their regulatory obligations, and in some cases have limited awareness of relevant SRA resources
  • Ongoing competence of compliance role holders is not always given sufficient priority
  • The compliance officer roles are often undervalued within firms.

The COLP and COFA roles should provide real-time checks and assurances about a law firm's daily approach to regulatory compliance. The findings from our review indicate that the roles are not always operating effectively in achieving this, or in meeting the overarching duties that are associated with both roles. The risks outlined above are drivers for this, and we are using our findings to inform a number of our key workstreams, and to evidence proposals for change.

In particular, this includes the progression of our review of our Consumer Protection Review and meeting the directions that our oversight regulator, the Legal Services Board (LSB), imposed on us in May 2025 and subsequent changes that we may take forward in the future. Strengthening the checks and balances that are provided by compliance officers is an important component of our review, and we are committed to developing our support package for compliance officers and firms, taking into account the findings from this thematic work. In the longer term we will undertake a more fundamental review of the effectiveness of the compliance officer regime.

We are also taking account of the findings in other important workstreams. This includes our consideration of potential changes to our continuing competency requirements and framework, and the ongoing development of our communications and engagement approach with compliance officers and the firms they work for. 

SOURCE

https://www.sra.org.uk/sra/research-publications/compliance-officers-thematic-review/
