Understanding Breaches and Serious Breaches: Actions to Take

A breach is when it has been identified that the SRA’s regulatory arrangements have not been followed.

The SRA’s definition of what constitutes a serious breach is rather non-prescriptive, which aligns with its more judgement-based, ‘outcomes focused’ approach to breaches. For practices, when considering the seriousness of a breach, the key points to consider are the detriment or loss (or potential detriment) to the client, how quickly it was discovered and rectified, the extent of any loss of confidence, the scale of the issue and the overall impact on your firm, your clients and third parties. Whether there is a systematic failure in controls in the practice, or whether the breach forms part of a wider pattern, should also be considered. This therefore requires some judgement to be made by the COLP or COFA.

Abi White, Audit Manager

The following link provides guidance for reporting accountants, which the COLP/COFA may find useful as it highlights areas that a reporting accountant may find to be a serious breach in respect of client monies:

It is important to note, however, that these breaches are not just in respect of the accounts rules and would include the following other areas covered by the code of conduct (the list is not exhaustive):

  • Violence
  • Abuse of trust
  • Covering up a less serious breach
  • Confidentiality breach

As per the SRA Code of Conduct for Firms, Rule 9.1(d): ensure that a prompt report is made to the SRA of any facts or matters that you reasonably believe are capable of amounting to a serious breach of the terms and conditions of your firm’s authorisation, or the SRA’s regulatory arrangements which apply to your firm, managers or employees. The responsibility for this falls on the compliance officer (COLP) and therefore all COLPs should be aware of this requirement. There is a similar requirement for the COFA under Rule 9.2(b): ensure that a prompt report is made to the SRA of any facts or matters that you reasonably believe are capable of amounting to a serious breach of the SRA Accounts Rules which apply to them. Both the COLP and COFA should therefore be aware of their reporting requirements.

You can report to the SRA at report@sra.org.uk or the SRA online reporting form.

What to do with breaches that are occurring?

The best approach to breaches is to have strong controls in place, and a strong culture within the firm to act in accordance with the SRA regulation, to prevent breaches from occurring. However, this is not always practical as mistakes do happen, and therefore it is key that there is an appropriate system in place to identify, review and safeguard the breaches incurred and their wider risk to the firm, as well as to your clients.

In order to be aware of breaches and to be able to report serious breaches there has to be a system of identifying and assessing the nature, extent and impact of the breaches. It is recommended that a breach capturing register is kept by all firms which should include the following key details:

  • Fee earner
  • Matter Impacted
  • Date breach occurred
  • Date breach identified
  • Date breach corrected
  • Details of the breach, including the impact to the client, any loss to the client and whether this breach is isolated
  • A consideration of whether the breach is serious, whether further reporting to the SRA is required, and the reasons why.

We have created our own template, which can be downloaded here and can be used as a good starting place.


The breaches register then needs to be reviewed regularly by the COFA and/or COLP and this will require judgement, to determine the significance of any breaches recorded.

A traffic light, as we know, is a system of using signals to indicate how drivers should approach a junction, showing red, amber and green lights. We all know what these are – but for the avoidance of doubt, green is go, amber is prepare to move and red is stop.

The COFA can use this as an analogy for reviewing the breaches recorded – with the breaches register being in effect the ‘Traffic Light’, acting as a key control.

The breaches register should be reviewed on a regular basis by the COFA which can be explained with the ‘traffic light’ approach below:

For example, if a breach was identified quickly, the impact to the client was minimal and it was rectified immediately – then it will likely be ‘green’ for go, so the firm can continue as long as the breach is rectified and sufficiently documented.

If the identification was slower, the impact to the client was minimal, this is not the first time this type of breach has been logged and it was rectified immediately – then we would consider this amber, the ‘prepare to move’. The COFA should ‘prepare to move’ by considering the wider impact of the breach (or the amalgamation of the breaches) and whether it needs to be reported to the SRA. The other element of ‘preparing to move’ is an internal movement, whereby you can identify additional training needs or problem areas which need to be addressed internally to prevent more serious breaches, especially if there is a trend developing.

If there is a breach which was not identified quickly, was of significant detriment to the client and was not rectified immediately – then this would be a red light. This ‘stop’ should then trigger the COFA to report to the SRA immediately.

The breaches register should be updated by the entire firm, including fee earners and support staff. There is no triviality when it comes to breaches, and therefore ALL breaches should be recorded regardless of their size. A culture of honesty within a firm is key to ensuring that any breaches or issues are promptly reported and resolved, without fear of retribution. This more transparent and open culture should lead to more honest reporting – which will allow appropriate actions to be taken to ensure that compliance remains the utmost priority. The accounts and compliance team will not be able to ‘catch’ everything and the fee earners are much more likely to identify breaches of the rules in their files.

An additional benefit of fee earners continuously reporting is that there is more complete data, which can be used to identify patterns and areas where additional CPD and training is potentially needed for the fee earners. This is why the breaches register should actually be considered a good thing and a risk mitigation for the firm, rather than something to be feared.
