SRA Code of Conduct for Firms
A firm's compliance is never abstract. When a conveyancing team misses a client account shortfall for six months, or a corporate department quietly breaches conflict rules across three connected matters, the question the SRA asks is not "did the firm fail?" but "which named individual failed to prevent it, and did anyone tell us?" The Code of Conduct for Firms exists to make sure those questions always have an answer, by fastening personal, named responsibility onto managers and onto two specific compliance roles the firm is required to appoint.
Start with the widest duty in the Code. Paragraph 8.1 of the SRA Code of Conduct for Firms makes every manager personally responsible for the firm's compliance with that Code — not just the manager who happens to run the risk committee, and not just the two people holding the compliance titles. If management responsibility is shared, paragraph 8.1 makes that responsibility joint and several: each manager can be pursued individually and in full for the firm's failure, not merely for their proportionate slice of it. This matters practically because it means a manager cannot defend an SRA investigation by pointing at a colleague or at the compliance officers and saying "that was their job." The duty attaches by virtue of being a manager, full stop, and it applies regardless of whether that manager also holds a compliance officer designation — a COLP who is also a manager can be pursued under paragraph 8.1 for the firm's broader non-compliance quite separately from any action taken against them in their COLP capacity, or against them as an individual solicitor under the separate Code of Conduct for Solicitors.
If paragraph 8.1 tells you who is on the hook, paragraph 2 tells you what the firm must actually build. Paragraph 2.1 requires a firm to have effective governance structures, arrangements, systems, and controls — and it specifies four things those systems must achieve:
Paragraph 2.1 — a firm's systems and controls must ensure that: (a) the firm complies with all SRA regulatory arrangements and any other applicable regulatory or legislative requirements; (b) its managers and employees comply with the SRA regulatory arrangements that apply to them; (c) managers, interest holders, and those employed or contracted by the firm do not cause or substantially contribute to a breach of the SRA's regulatory arrangements; (d) the firm's compliance officers are able to discharge their duties under paragraphs 9.1 and 9.2.
Notice the design logic here: (a) and (b) are the compliance floor — obey the rules, make sure staff obey the rules — while (c) closes a loophole that would otherwise let a firm's owners or contractors cause a breach at arm's length without technically breaching anything themselves. And (d) is the paragraph that ties the whole Code together: it is not enough to have a COLP and COFA in name; the firm's systems must actually give them the access, authority, and information they need to do the job.
Three further obligations flesh out the governance picture. Paragraph 2.2 requires the firm to keep and maintain records demonstrating compliance with its obligations under the SRA's regulatory arrangements — because an unrecorded compliance effort is, to a regulator, indistinguishable from no compliance effort at all. Paragraph 2.3 makes the firm accountable for compliance even where its work is carried out through managers or contractors, so outsourcing a task never outsources the liability. And paragraph 2.4 pulls in financial health: a firm must actively monitor its own financial stability and business viability, and if it becomes aware it will cease to operate, it must effect an orderly wind-down of its activities rather than simply stopping — client files, client money, and undertakings do not look after themselves. Paragraph 2.5 rounds this off by requiring the firm to identify, monitor, and manage all material risks to its business, expressly including risks arising from connected practices (associated businesses that might expose the firm to reputational or financial contagion).
A regulator that only finds out about problems when a client complains is a regulator working blind, so the Code builds in proactive notification duties. Paragraph 3.6 requires a firm to notify the SRA promptly of:
| Sub-paragraph | Trigger |
|---|---|
| 3.6(a) | Any indicators of serious financial difficulty relating to the firm |
| 3.6(b) | A relevant insolvency event occurring in relation to the firm |
| 3.6(c) | An intention to cease, or awareness that the firm will cease, operating as a legal business |
| 3.6(d) | Any change to information recorded in the SRA's register |
Paragraph 3.8 adds a parallel duty about the people rather than the firm's finances: the firm must notify the SRA promptly of (a) material changes to information previously provided about its managers, owners, or compliance officers, and (b) any previously provided information about those same people that is or may be false, misleading, incomplete, or inaccurate. Read 3.6 and 3.8 together and you get a firm that cannot let its regulatory record go stale — on solvency, on structure, or on the fitness of the people running it.
The most consequential proactive duty is the obligation to blow the whistle on serious wrongdoing, and the Code frames it in two layers. Paragraph 3.9 requires the firm to report promptly to the SRA any facts reasonably believed capable of amounting to a serious breach of regulatory arrangements by any regulated person — including the firm itself. Note the "reasonably believed" threshold: the firm does not need certainty, and it cannot wait for certainty, before reporting. Paragraph 3.10 then catches what 3.9 might miss: it requires the firm to inform the SRA promptly of facts that should be brought to its attention so the regulator can investigate a possible serious breach, even where the firm does not hold a reasonable belief that a breach actually occurred. In other words, 3.9 is "I think something serious happened," and 3.10 is "I'm not sure, but you should probably look at this."
None of that works if the people who make these reports fear retaliation, which is why paragraph 3.12 exists: it prohibits a firm from subjecting any person to detrimental treatment for making, or proposing to make, a report under paragraph 3.9, 3.10, 9.1(d), 9.1(e), 9.2(b), or 9.2(c). This is the Code's whistleblower shield, and it is deliberately drafted to cover every reporting duty in the document — the firm-level duties in section 3 and the compliance-officer-level duties in section 9 alike.
Every authorised body must designate two named individuals to carry compliance responsibility day to day: the COLP (Compliance Officer for Legal Practice) and the COFA (Compliance Officer for Finance and Administration). This requirement does not come from the Code of Conduct for Firms itself but from Rule 8 of the SRA Authorisation of Firms Rules, which requires an authorised body to have, at all times, an individual designated as its COLP and an individual designated as its COFA. Rule 8.2 sets the eligibility bar for both roles: the individual must be a manager or employee of the authorised body, must consent to the designation, must not be disqualified under section 99 of the Legal Services Act 2007, and — specifically for the COLP — must be authorised to carry on reserved legal activities. Nothing stops one person holding both hats: a firm may designate the same individual as both COLP and COFA, provided that individual separately satisfies the eligibility criteria for each role.
The two roles are not mirror images of each other in scope, and this asymmetry is a favourite exam trap. Paragraph 9.1 gives the COLP a sweeping brief — all reasonable steps to ensure compliance with the firm's authorisation terms, and with the SRA's regulatory arrangements generally. Paragraph 9.2 gives the COFA a narrower brief confined to the SRA Accounts Rules. So the COLP's duties reach across the whole of the SRA's regulatory arrangements applying to the firm, while the COFA's duties are limited to obligations arising under the Accounts Rules specifically.
COLP vs COFA — reasonable steps under paragraph 9
COLP (para 9.1) COFA (para 9.2) (a) Compliance with the firm's authorisation terms and conditions Compliance with SRA Accounts Rules obligations (b) Firm, managers, employees, interest holders comply with regulatory arrangements that apply to them — (c) Managers, interest holders, contractors do not cause or substantially contribute to a breach — (d) / (b) Prompt report of facts reasonably believed to amount to a serious breach Prompt report of facts reasonably believed to amount to a serious Accounts Rules breach (e) / (c) Inform SRA of facts warranting investigation, even absent reasonable belief — excluding matters that are the COFA's responsibility Inform SRA of facts warranting investigation of a possible serious breach relating to accounts
That carve-out in 9.1(e) is the mechanism that stops the two roles colliding: the COLP's residual "you should investigate this" duty stops at the boundary of the COFA's territory. So if a serious breach concerns client money or the firm's accounts, it falls within the COFA's reporting obligation under paragraph 9.2, not the COLP's residual obligation under 9.1(e) — even though the COLP's compliance duties otherwise sweep across the whole regulatory landscape.
Being named COLP or COFA is not automatic once a firm picks someone — the SRA has to agree. Rule 13.1 of the Authorisation of Firms Rules provides that the SRA approves a COLP or COFA designation only if satisfied the individual is fit and proper to undertake the role, and that approval is not permanent: Rule 13.9 lets the SRA withdraw approval of a person's designation at any time if it is no longer satisfied they are fit and proper. A compliance officer's authority to act, in other words, exists only for as long as the regulator's confidence in them does.
This machinery matters because compliance officers carry genuine personal exposure. A COLP or COFA can face SRA enforcement action personally, entirely distinct from any action taken against the firm, for failing to discharge their compliance officer duties. Layer that onto paragraph 8.1 and you get a firm's leadership exposed on two independent tracks: managers can be pursued individually for the firm's non-compliance under 8.1, and compliance officers can be pursued individually for failing their specific paragraph 9 duties — and neither liability displaces the other.
Step back and the architecture makes sense as a piece of design, not just a list of numbered paragraphs. The Code of Conduct for Firms sits within the SRA Standards and Regulations 2019 and applies to authorised bodies, their managers, and their employees as a class — everyone inside the firm is caught by something in it. Paragraph 8.1 makes sure no manager can hide behind the compliance officers. Paragraphs 2 and 3 make sure the firm builds the systems and tells the SRA what it needs to know, proactively rather than reactively. And Rule 8 of the Authorisation of Firms Rules makes sure there are always two specifically named, specifically qualified individuals whose job is to make paragraphs 2 and 3 actually happen — one watching the whole regulatory horizon, one watching the money. For SQE1 purposes, the exam will hand you a scenario — a firm in financial difficulty, a manager who "didn't know" about a conflict, a COLP who assumed accounts issues were someone else's problem — and ask you to identify which paragraph was breached and by whom. The answer almost always turns on this same distinction: is this a firm-wide obligation (section 2 or 3), a manager's personal exposure (8.1), or a compliance officer's specific brief (9.1 for the COLP's broad remit, 9.2 for the COFA's accounts-only remit)?