Two acronyms, appointed on the same form, often held by the same person, and constantly mixed up. Ask a room of fee-earners what the difference is between a COLP and a COFA and you'll get confident answers that contradict each other. That's a problem, because the two roles carry different obligations, and when something goes wrong the SRA looks at whether the right officer was accountable for it.
The distinction isn't academic. In a small firm where one partner holds both hats, the roles blur in practice and nobody notices the seams — until an Accounts Rules breach lands and it turns out everyone assumed the "compliance person" had it covered under the wrong heading.
This is the clean version: what each role owns, where they overlap, and how to run both without dropping the thing that falls between them.
The one-line difference
A COLP — Compliance Officer for Legal Practice — is accountable for the firm's compliance with the SRA's regulatory arrangements as a whole: the Codes of Conduct, the Principles, the terms of the firm's authorisation.
A COFA — Compliance Officer for Finance and Administration — is accountable for one specific, high-stakes slice of that: compliance with the SRA Accounts Rules, which govern how the firm handles client money.
Think of it this way. The COLP is responsible for the firm doing law properly. The COFA is responsible for the firm not losing, misusing, or mishandling money that isn't its own. The second is a subset of "compliance" serious enough that the SRA carved it out and gave it its own named officer.
Both are mandatory, and both are approved individuals
Neither role is a nice-to-have. Under the SRA's Authorisation of Firms Rules, an authorised body must at all times have both an individual designated as its COLP and an individual designated as its COFA, and the SRA must have approved both designations.
That means three things firms routinely forget:
- You can't run without one. A firm that loses its COFA and doesn't have an approved replacement is in breach until it does.
- The SRA approves the person, not the post. Swapping who holds the role is a regulatory notification, not an internal reshuffle.
- Consent and eligibility are required. The individual must be a manager or employee, must consent, and must not be disqualified.
What each role actually has to do
The duties sit side by side in the SRA Code of Conduct for Firms, paragraphs 9.1 (COLP) and 9.2 (COFA). Here's the division in practice:
| | COLP | COFA |
|---|---|---|
| Owns | Compliance with the SRA's regulatory arrangements and the firm's authorisation terms | Compliance with the SRA Accounts Rules |
| Core focus | Conduct, competence, confidentiality, supervision, reporting | Client money, the client account, billing, financial systems |
| Key duty | Ensure effective systems and controls, and report serious breaches | Ensure Accounts Rules compliance, and report serious financial breaches |
| Typical failure | Unreported conduct breaches, weak supervision of AI or juniors | Client-account shortfalls, mixed monies, delayed transfers |
| Reports to the SRA when | A serious breach of the regulatory arrangements occurs | A serious breach of the Accounts Rules occurs |
Both officers carry a reporting duty, and both are expected to ensure rather than merely hope. The SRA's language is deliberate: the officers take reasonable steps to make compliance happen, and they're accountable for whether the firm's systems actually work.
Where the overlap gets dangerous
The two roles are cleanest on paper and messiest at the boundary. A few examples of things that sit in both inboxes at once:
- A bill raised on money that shouldn't have moved yet. Is that a conduct issue (COLP) or an Accounts Rules issue (COFA)? It's both, and if each assumes the other has it, nobody does.
- An AI tool that drafts client-account correspondence or reconciles ledgers. Its governance is the COLP's remit as new technology; its accuracy on client money is the COFA's.
- A breach that's individually minor but part of a pattern. Deciding whether it's "serious" enough to report is a judgement neither officer wants to own alone.
The failure mode isn't disagreement. It's the silent assumption — each officer believing the other is watching a shared blind spot.
Practical rule: In any firm where one person holds both roles, write down which hat you're wearing for each recurring risk. The concentration of accountability is legal; the confusion about which duty is engaged is what actually causes misses.
The under-reporting problem that hits both
The SRA's December 2025 thematic review of compliance officers found that across thirty-six officers, only nine of 1,377 internal reports over three years were escalated to the SRA — and that just one officer could describe all the material requirements of their role.
That gap lands on both officers equally. The COLP's reporting duty covers conduct; the COFA's covers the Accounts Rules. If your firm's culture is to resolve things quietly and escalate nothing, both roles are exposed, and "we handled it internally" is not the reassurance to a regulator that firms think it is.
The blunt question for a dual-role holder: when you decided not to report the last three incidents, did you record which compliance duty you were exercising judgement under — and why? If the reasoning only exists in your head, it doesn't exist for the SRA.
Should one person hold both roles?
For many small firms, combining COLP and COFA in one person is the only realistic option, and it's expressly permitted. The question is whether that person has the bandwidth and authority the double role demands.
- If you're a sole practitioner or two-partner firm: combining is fine and normal. Focus your effort on a single, well-kept breach log covering both conduct and accounts, rather than two elaborate but neglected systems.
- If you're a growing firm approaching a dozen fee-earners: this is the point to consider splitting the roles. The Accounts Rules work grows with client-money volume, and a dedicated COFA reduces the chance that financial compliance gets crowded out by conduct firefighting.
- If you're deploying AI into either legal or finance workflows: whoever holds the relevant hat needs a per-matter record of what the tool did and who checked it. Governance of AI touches conduct and client money, so a combined officer carries both exposures at once — the case for evidence, not just policy, gets stronger.
FAQ
What's the difference between a COLP and a COFA? The COLP is accountable for the firm's compliance with the SRA's regulatory arrangements generally; the COFA is accountable specifically for compliance with the SRA Accounts Rules governing client money. The COFA's remit is a defined financial subset of overall compliance.
Can the same person be both COLP and COFA? Yes. It's common in smaller firms and expressly allowed by the SRA. It concentrates accountability, so the dual-role holder should be clear about which duty applies to which risk.
Does every firm need both a COLP and a COFA? Yes. Every SRA-authorised body must have an approved individual in each role at all times. Operating without either is a breach.
Who reports client-account breaches to the SRA — the COLP or the COFA? Serious breaches of the Accounts Rules fall under the COFA's reporting duty; serious breaches of the wider regulatory arrangements fall under the COLP's. Where a matter engages both, both duties are live.
What happens if our COFA leaves? The firm must have an approved replacement designated. Continuing to hold client money without an approved COFA puts the firm in breach, so plan the succession before the departure, not after.