The Law Society to UK government: Limit SRA fining powers

At its Risk and Compliance Annual Conference, Law Society president expresses concerns 

The Law Society’s Risk and Compliance Annual Conference 2024 started off with a bang. Nick Emmerson, president of The Law Society, noted that increasing compliance obligations on law firms have come along with increasing fining powers for the Solicitors Regulation Authority (SRA). Emmerson was clear on where he stood on that: he called on the UK government to put a stop to those increasing powers.

As Emmerson noted, current SRA fining powers are now unlimited for economic fine offences. Other offences are capped at £25,000. While the SRA wants to extend its unlimited fining powers to all offences, the Law Society does not believe the regulator has a credible case for doing so.

More concerning is the potential negative impact of the SRA’s more powerful position. Emmerson believes it could undermine the role of the Solicitors Disciplinary Tribunal (SDT), with fewer prosecutions ending up in the independent tribunal, which metes out possibly less stringent but likely more suitable punishments.

Emmerson acknowledged that, with the changes in the current environment, the SRA could get stronger and law firms and the Law Society need to be aware and ready for that. 

Iain Miller, partner at Kingsley Napley LLP, agreed in his keynote speech. He added that the SRA might not only get unlimited powers but that it is also not reluctant to use those powers – and to publish its fines.

Miller also noted that the changing environment will impact risk and compliance. Once, he said, compliance officers could rely on training, policies and procedures to minimise breaches. All that no longer applies, he noted. We are in a different role. The job of those managing risks has evolved and become more complicated.

This means that onboarding a client is not just analysing anti-money laundering threats. It’s taking into account that a client could be a regulatory or reputational risk or could alienate other clients. It also means that litigation is becoming an area of regulatory interest. And that issues that were once just an HR issue are now also a regulatory issue and could require more investigation. 

Change is not stopping, and law firms need to be aware that what they are doing now could be unacceptable in a number of years and could be judged differently then. How do you anticipate future trends and risks? It’s very complicated, Miller acknowledged.

It likely involves compliance officers beginning to consider a law firm’s culture and legal ethics. A law firm with a positive culture has better outcomes for its clients and fewer risks, he notes. And the SRA’s regulatory management team has started to take notice of larger law firms’ culture.

Spotting future trends is difficult without understanding legal ethics. Miller believes a worrying trend is lawyers only serving certain or “good” clients. That has the potential to undermine the whole system of justice. Lawyers need to recognise that and so, notes Miller, does the SRA. He states that the SRA needs to be careful it doesn’t inhibit solicitors from bringing claims. We need to get that balance right, he notes. 

Miller pointed out that the Law Society has been quiet on this issue but he believes the organisation needs to get involved. We can’t have others shape what we do, he says. We need to navigate the new reality in which we work.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.
