Introduction to legal services and regulation - Principles o...

Learning Outcomes

This article explains how risk-based regulation directs regulatory attention to the greatest threats to the public interest, the rule of law, and consumer protection. It describes the SRA’s risk framework and the tools it uses to identify, assess and mitigate risks, including thematic reviews, supervisory engagement, and enforcement. It outlines the statutory and regulatory requirements that require firms to adopt risk-based systems and controls, with particular emphasis on AML obligations under the Money Laundering Regulations 2017, reporting obligations under POCA 2002, and the governance roles of COLP and COFA. It applies these principles to typical practice scenarios (e.g. conveyancing identity risk, sanctions screening, PEP due diligence), distinguishing pre-control risk from control effectiveness. It relates the SRA Principles and Codes of Conduct to risk management, including cooperation duties, record keeping, training, and reporting serious breaches to the SRA.

SQE1 Syllabus

For SQE1, you are required to understand risk-based regulation in legal services, with a focus on the following syllabus points:

  • the meaning and purpose of risk-based regulation in legal services
  • how the SRA identifies, assesses, and manages regulatory risks
  • the regulatory objectives set out in the Legal Services Act 2007
  • the role of compliance officers and firm-wide risk management
  • the requirements for anti-money laundering risk assessments and controls
  • the practical implications of risk-based regulation for firms of different sizes
  • how the SRA Standards and Regulations (Codes for Solicitors and Firms) embed risk-based duties (e.g. cooperation, client money safeguards, reporting serious breaches)
  • interaction with POCA 2002 (reporting and tipping off) and the UK financial sanctions regime
  • SRA Enforcement Strategy and supervisory/enforcement responses proportionate to risk

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

  1. What is the main purpose of risk-based regulation in the context of legal services?
  2. Name two regulatory objectives that guide the SRA’s risk-based approach.
  3. What is required of a firm under Regulation 18 of the Money Laundering Regulations 2017?
  4. Who is responsible for overseeing risk management and compliance in an SRA-authorised firm?

Introduction

Risk-based regulation is the approach used by legal regulators, especially the SRA, to focus regulatory resources and actions on the areas of greatest risk to the public, clients, and the integrity of legal services. This ensures that compliance efforts are proportionate and effective, and that firms address the most significant threats to consumer protection and professional standards. It involves identifying where harm is most likely and most severe, assessing controls and residual risk, and responding with targeted supervision and, where necessary, enforcement.

Key Term: risk-based regulation
A regulatory approach that allocates resources and attention according to the likelihood and impact of risks to regulatory objectives, focusing on the most serious threats.

Key Term: regulatory objectives
Statutory goals set out in the Legal Services Act 2007 that guide regulators, including protecting the public interest, supporting the rule of law, and promoting consumer protection.

Key Term: compliance officer
A senior individual in a law firm (COLP or COFA) responsible for ensuring compliance with regulatory requirements and reporting breaches to the SRA.

Key Term: COLP
The Compliance Officer for Legal Practice. Ensures the firm’s systems meet the SRA Standards and Regulations, records and reports material breaches, and embeds risk-based compliance across practice areas.

Key Term: COFA
The Compliance Officer for Finance and Administration. Ensures safeguards for client money and assets, oversees compliance with the SRA Accounts Rules, and records and reports material breaches of financial controls.

Principles of Risk-Based Regulation

Risk-based regulation is built on the idea that not all risks are equal. Regulators must identify, assess, and manage risks in a way that protects the public and upholds the rule of law, while allowing legal services to operate efficiently. The approach is proportionate (responses match the risk), targeted (focus on highest harm), transparent (clear criteria), and accountable (decisions grounded in evidence and open to scrutiny).

Under the LSA 2007, the SRA must regulate in a way compatible with the regulatory objectives. The SRA Principles support these aims: acting to uphold the rule of law and the proper administration of justice, maintaining public trust and confidence, acting with independence, honesty and integrity, encouraging equality, diversity and inclusion, and acting in each client’s best interests. Failures that undermine these fundamental obligations (e.g. misuse of client money, dishonesty, enabling financial crime) are treated as high-impact risks.

Risk Identification

The SRA gathers information from multiple sources to identify risks, including:

  • complaints and disciplinary data (from the Legal Ombudsman and direct reports)
  • supervisory returns, authorisation information, and information from COLP/COFA reporting
  • s 44B Solicitors Act 1974 requests and document reviews during investigations
  • market trends and emerging threats (e.g. cybercrime, sanctions evasion, money laundering, misuse of the client account)
  • feedback from firms, clients, and stakeholders, including whistleblowing disclosures

Risks can relate to client money, confidentiality, anti-money laundering, sanctions compliance, conflicts of interest, misleading the court, or the quality and competence of legal services. Practice areas with elevated exposure (e.g. residential conveyancing, trust and company services, cross-border transactions) attract particular attention because they have historically been exploited by criminals or carry higher overall harm if controls fail.

Risk Assessment

Once identified, risks are assessed based on:

  • Impact: The severity of consequences if the risk materialises, including harm to clients, financial loss, damage to the rule of law, and erosion of public trust. Misuse of client money, widespread AML failures, or dishonesty typically score high impact because they undermine core SRA Principles.
  • Likelihood: The probability the risk will occur, informed by past incidents, control weaknesses, sector exposure, and external intelligence. High-frequency issues (e.g. identity fraud in conveyancing) are assessed as carrying a higher likelihood.

The SRA considers pre-control risk (before controls) and residual risk (after controls). Where controls are weak or ineffective, residual risk remains unacceptably high, prompting regulatory engagement. Firms should mirror this approach in their own risk registers, distinguishing matter-level risk (e.g. client onboarding anomalies) from business-level risk (e.g. sanctions screening gaps).

Risk Mitigation and Controls

Regulators and firms must take steps to reduce identified risks. This may include:

  • issuing guidance or new rules and updating the SRA Risk Outlook to highlight priority risks
  • conducting thematic reviews (e.g. AML and sanctions compliance in conveyancing), desk-based audits, or targeted onsite inspections
  • requiring firms to improve systems and controls, record keeping, and governance arrangements
  • applying proportionate enforcement where required (e.g. letters of advice or warning, conditions on practising certificates, rebukes, fines, referrals to the SDT for serious misconduct)

Firms must have proportionate policies and procedures tailored to their risk profile. Effective mitigation features:

  • clear governance with COLP/COFA oversight and MLRO accountability for reporting under POCA
  • robust client due diligence, including enhanced measures where risks are higher
  • segregation of duties and reconciliations in client money handling, combined with independent file reviews
  • conflicts checks, confidentiality safeguards (ethical walls where appropriate), and secure IT/cybersecurity controls
  • documented matter risk assessments with escalation triggers (e.g. unusual payment patterns from third parties)
  • training targeted to roles and risks, and a culture that encourages reporting concerns early

Ongoing Monitoring

Risk-based regulation is a continuous process. The SRA and firms must:

  • monitor for new or changing risks and respond to external alerts (e.g. sanctions list updates)
  • review and update risk assessments regularly (at firm and matter level)
  • maintain AML ongoing monitoring to ensure transactions are consistent with knowledge of the client and the business relationship
  • ensure training, supervision, and controls remain effective as practices and delivery channels change (including remote working)

The SRA publishes an annual Risk Outlook highlighting key risks for the profession. Firms should use it to benchmark their risk registers and test the adequacy of their controls against trends such as identity fraud in property transactions, cyber threats, financial crime typologies, and competence issues.

Statutory and Regulatory Requirements

Risk-based regulation is underpinned by statutory and regulatory requirements that all solicitors’ firms must follow. These frameworks require firms to adopt systems and controls commensurate with their risks.

Legal Services Act 2007

The Legal Services Act 2007 sets out the regulatory objectives and the framework for legal services regulation in England and Wales. It requires regulators to act compatibly with those objectives and, in practice, to adopt a risk-based approach. It defines reserved legal activities (e.g. rights of audience, conduct of litigation, reserved instrument activities, probate, notarial activities, administration of oaths) because, historically and on risk analysis, those areas present higher risks to the public, the courts, and the legal system. Only authorised or exempt persons may carry out reserved activities; unauthorised conduct may be a criminal offence and, in the litigation context, a contempt of court.

SRA Standards and Regulations

The SRA Standards and Regulations set out the core principles and codes of conduct for solicitors and firms. They require firms to:

  • act with integrity and in the public interest, and uphold the proper administration of justice
  • implement and maintain effective systems for risk management and compliance, proportionate to the firm’s size and risks
  • appoint a Compliance Officer for Legal Practice (COLP) and a Compliance Officer for Finance and Administration (COFA), with sufficient seniority and authority
  • safeguard client money and assets under the SRA Accounts Rules, and account properly for financial benefits
  • cooperate with the SRA, respond promptly to information requests, and report serious breaches

The SRA Enforcement Strategy (updated 2022) aligns interventions with risk. Persistent or serious non-compliance—especially dishonesty, misuse of client money, or enabling financial crime—can lead to significant sanctions, including SDT referral.

Anti-Money Laundering Regulations

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 impose specific risk-based requirements on law firms, including:

  • conducting a written firm-wide risk assessment (Regulation 18), covering products/services, delivery channels, clients/geographies, transaction types, and the nature/size of the firm
  • establishing and maintaining policies, controls, and procedures to manage identified risks (Regulation 19), including CDD, reporting, record keeping, risk assessment updates, internal controls, and screening/training of staff
  • ensuring that beneficial owners, officers, and managers (BOOMs) are approved by the SRA (Regulation 26)
  • carrying out ongoing monitoring of business relationships to ensure transactions are consistent with knowledge of the client (Regulation 28)
  • reporting discrepancies in beneficial ownership information to Companies House where applicable (Regulation 30A)
  • applying simplified due diligence where a low risk is evidenced (Regulation 37), and enhanced due diligence where risk is higher (Regulation 33), including for politically exposed persons (PEPs), high-risk third countries, complex/unusually large transactions, or unusual patterns without apparent economic purpose
  • providing regular AML training and maintaining records of training (Regulation 24)
  • keeping CDD and transaction records for at least five years from the end of the relationship or transaction (Regulation 40)

Key Term: MLRO
The Money Laundering Reporting Officer (nominated officer). Receives internal reports, evaluates suspicions, and makes Suspicious Activity Reports to the NCA as appropriate.

Key Term: politically exposed person (PEP)
Individuals entrusted with prominent public functions (e.g., heads of state, ministers, legislators, senior judges). PEPs, their family members, and close associates attract enhanced due diligence, senior management approval, source of funds/wealth inquiries, and enhanced ongoing monitoring.

The Proceeds of Crime Act 2002 complements the Regulations by creating offences such as concealing criminal property (s 327), arranging (s 328), acquisition/use/possession (s 329), failure to disclose in the regulated sector (s 330), tipping off (s 333A), and prejudicing an investigation. Where a suspicion arises in relevant business, staff must promptly make internal disclosures to the MLRO, who considers whether to submit a SAR to the NCA; once a SAR is made, the firm must not carry out a prohibited act pending consent or expiry of the moratorium periods.

Criminal Finances Act 2017 and UK Financial Sanctions

The Criminal Finances Act 2017 introduced corporate offences of failure to prevent the criminal facilitation of tax evasion. A firm is strictly liable unless it can prove that it had reasonable prevention procedures in place. Firms should integrate tax evasion risk into their AML risk assessments, policies and controls, including due diligence on associated persons (e.g. agents, counsel, foreign law firms) and training.

Under the UK financial sanctions regime, firms must screen clients and transactions against the UK sanctions list and, where they reasonably suspect a designated person or a breach, must report to the Office of Financial Sanctions Implementation (OFSI). Acting for a designated person may require a licence to receive fees for legal advice. Public sanctions lists and OFSI guidance support risk-based screening without breaching tipping off rules.

Practical Implications for Firms of Different Sizes

Risk-based regulation affects all firms, but approaches differ depending on size, services, and resources. Proportionate systems and controls reduce residual risk and demonstrate compliance.

Small Firms and Sole Practitioners

  • focus on key risks relevant to their work (e.g. client money controls, AML compliance in conveyancing or probate)
  • keep governance simple but effective: a documented risk assessment, clear policies, training records, and monitoring steps
  • use SRA guidance and risk alerts to prioritise improvements
  • record material and non-material breaches, assess root causes, and remediate promptly

Medium and Large Firms

  • implement comprehensive risk management systems and second-line compliance oversight
  • appoint dedicated compliance staff and MLRO deputies, with defined escalation pathways
  • use technology for identity verification, sanctions screening, transaction monitoring, and management reporting
  • conduct periodic internal audits, thematic reviews, and board-level risk reporting aligned to the SRA Risk Outlook

Key Areas of Risk Management

  • Client onboarding: Conduct risk-based CDD. Verify identity, beneficial ownership, source of funds/wealth where appropriate, and screen for sanctions/PEPs. Document risk ratings and rationale.
  • Financial controls: Safeguard client money under the SRA Accounts Rules. Maintain segregation, timely bank reconciliations, investigation of differences, and approval protocols for transfers.
  • Matter management: Perform matter-specific risk assessments; use ethical walls where confidentiality and conflicts risks coexist. Record decisions and escalations.
  • Training and competence: Deliver role-specific training (e.g. AML, sanctions, client money, data security) and maintain training logs. Supervise staff proportionate to risk and complexity.
  • Cybersecurity: Protect client data with secure IT systems, access controls, incident response plans, and phishing awareness. Test controls regularly.
  • Reporting and cooperation: Report serious breaches and cooperate with the SRA promptly. Maintain records to demonstrate compliance decisions and remedial actions.

Worked Example 1.1

A small firm specialising in residential conveyancing identifies that property transactions are at high risk for money laundering. What steps should the firm take to comply with risk-based regulation?

Answer:
The firm should conduct a written risk assessment focusing on conveyancing, implement robust AML policies, train staff to spot suspicious activity, and monitor transactions for unusual patterns. Enhanced due diligence should be applied to high-risk clients or transactions.

Worked Example 1.2

A medium-sized firm receives a warning from the SRA about increased cybercrime targeting law firms. What should the firm do as part of its risk-based approach?

Answer:
The firm should review its IT security, update its risk assessment to include cyber threats, provide staff training on phishing and data protection, and ensure incident response plans are in place.

Worked Example 1.3

Your COLP identifies recurring late bank reconciliations and two instances where client residual balances were not returned promptly. How should the firm respond?

Answer:
Treat the issue as a control weakness affecting client money risk. Record the breaches, complete a root cause analysis, improve reconciliation procedures (e.g. clearer timetables, oversight by COFA), train relevant staff, and check for any client harm to remediate. If breaches are material, report to the SRA, explaining remediation and monitoring to prevent recurrence.

Worked Example 1.4

A junior fee earner raises a concern: an instruction to receive funds from a third party with no apparent link to the client, followed by an immediate onward transfer. What is the risk-based response?

Answer:
Escalate promptly to the MLRO and supervisor. Reassess CDD, establish the rationale for the third-party payment, apply enhanced due diligence if warranted, and consider making an internal report. If suspicion remains, the MLRO should submit a SAR to the NCA and the firm must avoid any prohibited act until consent or moratorium expiry.

Worked Example 1.5

You are instructed by a newly formed company whose director is a senior foreign politician. What additional steps are required?

Answer:
Recognise the PEP risk and apply enhanced due diligence: obtain senior management approval to proceed, establish and evidence source of funds and source of wealth, consider beneficial ownership, and conduct enhanced ongoing monitoring of the relationship. Record all decisions and rationale.

Exam Warning

For SQE1, be prepared to apply risk-based regulation principles to practical scenarios, such as AML compliance or handling client money. Read questions carefully to identify the specific risks and required controls.

Key Point Checklist

This article has covered the following key knowledge points:

  • Risk-based regulation focuses regulatory attention on the most serious risks to the public, clients, and the legal system, and aligns responses with impact and likelihood.
  • The SRA identifies and assesses risks using complaints data, supervisory information, market intelligence, and firm reports, and responds with proportionate supervision and enforcement.
  • Regulatory objectives in the Legal Services Act 2007 guide the SRA’s risk-based approach; reserved legal activities reflect higher-risk legal work that requires authorisation.
  • The SRA Standards and Regulations require effective governance, COLP/COFA oversight, client money safeguards, cooperation with the SRA, and reporting serious breaches.
  • AML regulations require a written firm-wide risk assessment (Reg 18), policies/controls/procedures (Reg 19), BOOM approvals (Reg 26), ongoing monitoring (Reg 28), EDD/SDD (Regs 33 and 37), training (Reg 24), and record keeping (Reg 40).
  • POCA 2002 imposes reporting duties and offences that firms must manage through internal reporting and SARs, avoiding tipping off and prohibited acts.
  • The Criminal Finances Act 2017 and the UK sanctions regime require risk-based tax evasion prevention procedures and sanctions screening/reporting.
  • Practical risk management varies by firm size but always features documented risk assessments, proportionate controls, training, monitoring, and prompt remediation of breaches.

Key Terms and Concepts

  • risk-based regulation
  • regulatory objectives
  • compliance officer
  • COLP
  • COFA
  • MLRO
  • politically exposed person (PEP)
