Risky business - Risk and Compliance Article

The SRA’s latest consumer protection consultation continues to emphasise safeguarding client money. While no immediate changes are planned, potential adjustments under review include accountants reports, eligibility criteria for COLP and COFA roles, and increased SRA oversight when firms significantly alter their risk profile. Feedback is welcome until 20 February 2026; details are available on the SRA website. 

It is clear that the SRA is keeping an eye on things, taking on board fresh ideas and feedback. By doing this, it’s showing it is open to changing the way things are done and ready to deal with new risks as they emerge. Making sure client money is safe is – and will remain – a top priority.

The SRA’s consultations have highlighted inherent risks that have long existed in the management of client money, with the notable catalyst of the Axiom Ince case prompting the SRA to re-evaluate the logic behind money not being held directly by firms, as well as the use of third-party managed accounts.

The SRA now also has a proactive capability and no doubt it will be checking the sanctity of client accounts at those firms deemed to be of highest risk.

Role of the COFA

In light of the risks to client money highlighted by the SRA, the spotlight is now on the role of the compliance officer for finance and administration (COFA), emphasising greater accountability and the need for more comprehensive training. There’s now a stronger focus on ensuring that those in COFA roles possess sufficient awareness of the SRA Accounts Rules and can identify and mitigate potential risks, rather than being driven by purely commercial factors. 

Recent events have shown how important it is for everyone in a firm to be on their guard, especially in areas that are more likely to cause problems. Law firms need to make sure that careful handling of client money becomes part of their everyday routine – not just ticking boxes but genuinely looking after clients’ interests. As expectations grow, it’s important for anyone dealing with the firm’s finances to keep an eye out for new risks and tackle any problems as soon as they arise. This way, looking after clients’ money isn’t just about following the rules, but about building a culture in which everyone takes responsibility and always acts in the clients’ best interests.

Establishing such a culture typically starts with the firm’s COFA, a role that has notably changed over time. At first, the COFA mostly made sure law firms adhered to the SRA Accounts Rules, keeping the records straight and flagging up any problems as they happened. But things have evolved since then – especially with more attention on protecting client money. 

These days, the COFA’s job is much more wide ranging. They’re expected to take real responsibility for spotting and managing any risks linked to handling client funds. This means not just knowing the rules inside and out, but also being able to question advice, encourage everyone to follow the rules and make sure honesty and integrity run through the whole firm. Essentially, the modern COFA needs to be switched on, ready to spot warning signs and willing to dig into anything suspicious. It’s about creating a workplace where everyone pitches in to keep an eye on things, making sure the firm always puts clients first.

The SRA’s approach to the COFA role has also expanded. Now, during Accounts Rules investigations, interviewing the COFA is a routine step to evaluate the firm’s risk management, assess competence and the firm’s compliance culture. Investigators will closely examine training records, appraisal and supervision reports, written guidance and internal file reviews, and if these are found insufficient, the COFA may face consequences. 

This can seem unfair when a fraudster is responsible for client account theft, yet one common question remains: could the firm have done anything to prevent this situation? Law firms that handle client money are always at risk of fraud, so if you’re asked this question today, what is your answer?  

Reporting accountants

A lot of COFAs see the reporting accountant as the main person keeping an eye on things, often relying on them to say everything’s in order. But there are a few problems with putting all your eggs in this basket. The accountant only checks the books every so often and might miss anything that happens in between these reviews, so issues can slip through the cracks and remain for longer than they should. Plus, it’s still down to the COFA to make sure the firm stays compliant all year round – not just when the accountant comes in for a look.

If the COFA relies too much on the reporting accountant, there’s a risk they might not fulfil their own obligations to retain overall control of compliance issues, which could land the firm in hot water with the regulators. Instead, the COFA should see what the accountants do as just one part of a bigger plan to stay compliant, making sure they have strong internal controls in place that can then be put to the test by their reporting accountant.

Skill base

So, are most COFAs ready to spot problems? In truth, even though there’s more training these days, there’s still a big gap when it comes to real-world experience and picking up on the warning signs that matter. Lots of COFAs – especially those who know the law or accounts but haven’t worked much with the SRA Accounts Rules – might miss the subtle issues that can turn into big headaches later. And there are clients to service. There is often an over-reliance and too much trust placed in the firm’s finance team, and sometimes it’s not until too late that this trust is questioned.

In real terms, this means putting some solid checks in place and implementing robust control systems – not just waiting for the regular reports. The COFA should have robust systems that flag up anything odd, like unusual payments or money that’s been sitting in the account for too long. If these checks become a normal part of everyday work, law firms will be much quicker to spot problems and sort them out, keeping everything above board and making sure clients’ money is always properly safeguarded. 

Key considerations when reviewing the accounts

What are the main warning signs and common trouble spots where things tend to go wrong, and what can the COFA actually do day to day to spot these problems early?

Verify client account reconciliation details

Begin with a thorough check of the reconciliation’s extraction date. Confirm that all supporting documentation matches the period in question and supports each of the figures on the face of the reconciliation. It should be the COFA who signs and dates this document, but only when they’re fully satisfied that all is in order.

The client account reconciliation needs to be completed at least every five weeks. In practice, this is normally done at month end, so most firms will have at least 12 signed reconciliations over their financial year. Timeliness is not just a procedural requirement; it’s indicative of good housekeeping and regulatory compliance.

Check the reconciliation details

Looking at the type and layout of the reconciliation is key. Check if it’s a proper three-way reconciliation – that is, does it match up with the cashbook, client matter listing and bank statements? The way this is all put together really shows how clear the firm’s processes are and how strong its checks are. Also, if the firm uses any designated deposit accounts, make sure these are included too, so you see the full picture of all client money the firm holds.

Outstanding and unpresented items

Take a close look at any money that’s meant to have been paid in but hasn’t shown up in the bank yet – each amount should be checked and should ideally clear early the following month. Go through the list of payments that haven’t gone through, and don’t be afraid to ask questions: why are these payments still hanging around, and how long have they been sitting there? 

These details can reveal if there are problems with how transactions are being handled or if something is slipping through the cracks. In particular, pay attention to late receipts that are still lurking as these can indicate more serious issues. Is there an extensive list of these items? Should some entries be cancelled (contra’d) off as they match and relate to the same transaction on the same matter?

Sorting out adjustments and oddities

Gather up any other adjusting items and take a proper look at them. If something needs explaining, go and find the explanation – every number in the accounts should be there for a good reason. What is the impact of the adjustment? Is it there to mask something more sinister? 

Keep an eye out for anything that doesn’t quite match up in the reconciliation, and dig into what’s causing it, how long it’s been hanging around, and when it’s likely to be sorted. If you find differences that aren’t being resolved, it could be a sign there’s a bigger issue with the way records are kept or how the banking is being handled.

Shortages, breaches and patterns

Are there any shortages in the client account? If so, consult the breaches register and assess the materiality of these occurrences. Identifying patterns, whether in breaches or shortages, can help in uncovering systemic weaknesses or recurring compliance failures. Be alert to timing – it’s critical that any shortages are corrected immediately upon discovery. Mistakes happen and the purpose of the reconciliation process is to identify them and take appropriate action. The same issue identified month after month screams poor compliance.

Review of client balances

The client matter listing should be an integral part of the reconciliation bundle. Confirm that the extraction date used matches that in the reconciliation and ensure the total agrees with the figure reported. The listing must be complete, with attention paid to client debit or office credit balances that will need to be addressed.

Conduct a review of residual balances. Consider the cut-off point, the number and total of balances, and their distribution across departments, partners or fee earners. Such analysis can highlight inefficiencies or potential risks hiding in specific segments of the firm.

Risks in ledgers and suspense ledgers

Pay special attention to miscellaneous, suspense, general or sundry ledgers. These accounts can harbour risks if not properly monitored and explained. They can effectively be client accounts within a client account. Likewise, examine whether there are any ledgers in the managers’ own names or in companies they control, as these could indicate conflicts of interest or opportunities for inappropriate transfers.

Client’s own accounts

While these accounts are not client money, they are a potentially high-risk area. As a minimum, ensure there is a (complete) central record of all such matters and check that any transactions initiated by someone at the firm are bona fide. There should be bank statements available for review for each of these accounts. 

Reporting to the SRA

Deciding whether to report something to the SRA can be stressful – especially if there’s pressure inside the firm to delay or not report at all. But ultimately it’s the COFA’s decision, and they’re the one who is accountable. It’s almost always better to self-report than to risk the SRA finding out through a client complaint or a qualified accountant’s report.

When deciding if an issue is serious enough to report, think about:

• what the allegation is about
• whether it was intentional
• the sums involved
• how quickly the matter was identified / rectified
• the harm that has or could have been caused, especially to vulnerable people, and
• any past issues or patterns of behaviour.

If you decide an issue should be reported, include as much detail as possible and copy any relevant documents that will assist others in their understanding. If you’re unsure, seek professional compliance advice or call the SRA’s Ethics Helpline.