The AML Clinic Podcast

Episode 13: Is This Breach Serious? How the SRA Actually Makes That Call

Michelle Clement


In this episode of the AML Clinic Podcast, Michelle Clement explores how the SRA determines whether a breach is “serious” in practice.

Understanding how to evaluate the seriousness of breaches is essential for law firms. Many firms grasp the rules, but fewer truly understand how the SRA assesses seriousness. Knowing this can help you make defensible decisions and avoid unnecessary panic when issues arise. 

Understanding Seriousness in Regulatory Breaches

Factors Influencing Regulatory Decisions

Making the Judgement Call on Reporting

Practical Takeaways for Law Firms

SPEAKER_00

Hello and welcome to this episode of the AML Clinic Podcast. I'm your host, Michelle Clement, a former SRA AML regulator and manager, now working with law firms to build defensible AML and compliance frameworks. Under the SRA's Code of Conduct, solicitors and firms must report serious breaches, or potentially serious breaches, which they reasonably believe are capable of amounting to a serious breach of the SRA's standards or requirements. Over the years I've noticed something important. Most firms understand the rules, but far fewer understand how the SRA actually decides what is serious. Determining seriousness requires judgment, and what to consider in making that judgment is what I'm going to share with you today.

There is a moment that most firms would recognise, which is where someone spots a problem. Maybe a file review reveals that something doesn't quite add up. Maybe documentation is missing, or perhaps a transaction wasn't properly risk-assessed. And the response is often the same: one of concern, and sometimes even panic. Is this actually serious? Or is this just a technical breach? Is this something we need to report to the SRA? In practice, I find that firms are less worried about the rules themselves and more concerned about how serious the SRA would consider this to be. But the challenge is, there are no simple checklists. There's no definition of serious. It's not set out in a way that gives you a clear yes or no answer, which is why these judgment calls can often feel uncertain. So today I want to walk you through how that decision-making framework actually works in practice, and what the SRA is really looking for when it assesses seriousness. This episode is the first in a three-part series looking at how the SRA supervises and enforces regulation in practice, based on patterns I've seen both working inside the regulator and across firms since leaving.
So in today's episode, I'm going to take you behind the scenes of the SRA's enforcement strategy. That's the framework the regulator uses to assess seriousness: it weighs aggravating and mitigating factors and decides when enforcement action is necessary. Is every breach reportable? What actually makes something serious? And why do some issues lead to enforcement action whilst others don't? It's important to understand this, because how the regulator thinks about breaches or potential breaches is just as important as understanding the rules that govern them.

One of the misunderstandings that firms probably have is that any breach can lead to regulatory action, and that simply isn't how it works. The SRA regulates thousands of firms and tens of thousands of solicitors, and mistakes happen, both human and substance, and the regulator recognises that. Not every report to the SRA will trigger an open investigation. To put this into perspective, the CEO of the SRA, Sarah Rapson, mentioned in an interview in February 2026 that in December 2025 alone, the SRA received 1,800 complaints. That's 1,800 separate issues in just one month. Clearly, it's impossible for all of those to be serious enough to warrant enforcement. So the SRA has to filter through the complaints to focus on what it considers to be serious enough, and that means either that it presents a risk to the public or a risk to confidence in the profession. A technical breach that is quickly identified, addressed, and remedied will often be viewed very differently from a systemic failure, repeated issues, or conduct that demonstrates poor judgment. In other words, context matters. So the key takeaway from listening to this, I hope, is understanding what the SRA actually prioritises, and that should help you make defensible decisions and respond proportionately rather than panicking every time a file isn't perfect. So, what does the SRA actually mean by serious?
The SRA's enforcement strategy sets out a number of factors that the SRA considers when assessing seriousness. So let me walk you through some of the most important ones.

The first is the nature of the conduct. Some types of behaviour will always attract closer scrutiny: things like dishonesty, misuse of client money, criminal activity, or behaviour that undermines public trust in the profession.

The second thing the SRA considers is intent. The SRA will look carefully at whether something was deliberate, reckless, or a genuine mistake. And there's a very significant difference between a deliberate attempt to circumvent controls and an isolated error that occurred despite reasonable safeguards being in place.

The third is harm and impact. The SRA will consider whether any clients suffered financial losses, whether vulnerable individuals were affected, and whether the conduct damaged confidence in legal services. The greater the harm, the more serious the situation becomes. Now, with that said, there is a caveat. There are also some types of misconduct which are actionable without evidence of intent or harm. So, for example, the use of a client account as a banking facility, or involvement in a transaction that bears the hallmarks of fraud. In those situations, there's a significant link between those behaviours and the risk of solicitors and law firms being used, whether willingly or unwillingly, to facilitate crime.

The fourth factor the SRA considers is seniority and responsibility. Partners, COLPs, COFAs, and any senior leaders are expected to exercise higher levels of judgment and oversight. The regulator expects those in leadership positions to set the tone and maintain effective governance.

And finally, the SRA will look at patterns of behaviour. As I said, one isolated issue may be manageable; repeated issues suggest something deeper.
And that might be that there are weak controls at your firm, there's poor supervision, or perhaps cultural problems within the firm.

So let's move on to looking at what some aggravating factors might be. When the SRA is assessing a situation, it will look at aggravating factors, and these are things that make the conduct more serious. Examples include attempts to conceal misconduct, so covering it up; whether there was any personal financial gain; if there's a lack of insight or a refusal to acknowledge what the problems were; if there's a failure to cooperate with the regulator; and if the firm has a history of repeated misconduct or regulatory breaches. These factors can significantly influence the outcome of a regulatory investigation.

Now, on the other side of the equation are mitigating factors, and these are the circumstances that can reduce the seriousness of a situation. So, for example: you've identified the issue early, you've promptly self-reported to the regulator, you've fully cooperated during the investigation, you've taken meaningful steps to remediate the problem. Note I said remediate the problem, and not try and make it go away. Don't try and cover it up. Demonstrating genuine insight and learning is one of the most powerful mitigating factors: being able to evidence that your firm understands what went wrong and has taken credible steps to prevent it from happening again. And this is where governance and documentation become incredibly important.

Okay, so let's move on to making that judgment call. If you need to make the judgment call on whether to report a breach or a potential breach to the SRA, you should first ask whether the issue in question breaches any of the SRA's standards and regulations, be it the Code of Conduct for firms or individuals, the Principles, the Accounts Rules, etc. Then consider these guiding questions. Does it create a risk of harm to clients?
Does it undermine trust in the profession? Was this an isolated issue, or is there any evidence of a wider systemic problem? Would the regulator reasonably expect to know about this? These are exactly the types of questions that COLPs and COFAs and the MLCOs and MLROs grapple with in practice daily. If you are not sure about whether to make a report, the SRA encourages firms to err on the side of caution and still report.

I touched on this earlier, but that's the importance of remediation. Something that often surprises firms is how much weight regulators place on remediation. When something goes wrong, the key questions from the SRA will become: what did the firm do next? Did the firm investigate properly? Was the firm able to identify the root cause? Did you put any controls in place to strengthen the position? And what have you done to ensure that this cannot happen again? Good remediation demonstrates that there's responsible governance and professional judgment. And again, that can significantly influence how the regulator views your situation.

Ultimately, the enforcement strategy reflects a broader regulatory principle. The SRA is less interested in isolated technical breaches and more interested in patterns of behaviour, governance failures, and risks to the public. However, I want to be very clear in emphasising that a single incident can still lead to enforcement action if it is deemed to be sufficiently serious. So again, conduct involving dishonesty, misuse of client money, or behaviour that seriously undermines public trust in the profession may lead to regulatory action even if it only happens once. So while patterns of behaviour often raise regulatory concern, serious misconduct doesn't need to be repeated to attract enforcement. For law firms, this means the objective should not simply be to be technically compliant. It should be building frameworks that are defensible under scrutiny.
Where you understand the risks your firm is exposed to, how decisions are documented, and you appropriately address issues when they arise.

What can you do to stay defensible?

Number one, document everything. Professional judgment is easier to justify when it's clearly recorded. Your contemporaneous thoughts matter: what you looked at, why you looked at it, what it told you, and your conclusions arising from that. You don't have to write War and Peace. Bullet-pointing your thoughts is better than nothing at all.

Number two, respond quickly. Remediation shows the regulator you take issues seriously. Address the issue, don't cover it up. Again, not the same thing.

Number three, understand risk versus compliance. What I mean is that knowing the rules isn't enough. Think of it like a test. How can you pass if you don't know what you are being tested on? You need to understand how the regulator interprets the rules, what they care about, and how they assess seriousness.

Number four, look for internal patterns. One of the best ways to spot risk before it becomes a regulatory issue is to look for patterns internally. And when I say patterns, I mean more than a one-off mistake. So look for signals in your systems, your training, and all your governance that might need attention. How might you do that? You can look at file reviews. Do errors appear repeatedly in one person's work or in multiple people's work? Are there one-off mistakes? Because that could be human error. But if the errors are repeated, that suggests there's a systemic or training issue. You could look at client complaints. Are complaints clustering around the same types of transaction, the same team, or the same service area? Patterns in complaints can highlight gaps in controls or processes. Look at any internal reporting or near misses. So look at logs from internal audits, incident reports, or, if you've got one, a near-miss register.
Look out for repeated minor issues that can signal a bigger problem lurking beneath the surface. If you've got multiple departments, you could do cross-team comparisons. Compare practices across teams handling similar matters. Are some teams consistently falling short where others aren't? Because that might indicate there's a difference in training, supervision, or even understanding of the processes. Review your documentation and process checks. How consistently are they applied? For example, are all AML checks completed and documented for each client type at the same time? Is it consistent? And it goes without saying, check against the SRA's codes, the standards, the Principles, etc. And then consider the guiding questions that I mentioned. Potentially, if the answers are yes to the questions, then you might have to report.

In closing, understanding the SRA's enforcement strategy will help you move beyond worrying about individual rules and instead focus on how regulatory judgment actually works. So when something goes wrong, and inevitably things do sometimes, what matters is how you respond. Insight into what's happening, accountability, and remediation are the factors that will really, really make a difference. Thank you for listening to this episode. And if you found it useful, please consider sharing it with your colleagues who live in the world of nuanced risk and razor-thin judgment calls. And if you have a topic you want me to consider, I would love to hear from you. And as always, stay informed and stay compliant.